Prismix
Community System

Shell

Run arbitrary shell commands — full control of the host with configurable allow/deny lists.

178 stars 44 forks Last commit 6d ago Language TypeScript License MIT
Sign in to like, install, or save to a bundle → View on GitHub →

Install

npm install -g mcp-shell-server

Maintainer? Add the badge

Listed on Prismix ← shows on your README, links back here
[![Listed on Prismix](https://prismix.dev/api/badge/mcp/shell.svg)](https://prismix.dev/mcp/shell)

Claude Desktop / Cursor config

Drop into your claude_desktop_config.json or Cursor MCP settings. Replace the ${…} placeholders with your own values. 

{
  "mcpServers": {
    "shell": {
      "command": "npx",
      "args": ["-y", "mcp-shell-server"],
      "env": { "ALLOWED_COMMANDS": "ls,cat,grep,git,npm,node" }
    }
  }
}

About

Shell execution server. Two safety layers: configurable command allow-list (only run commands you whitelist) and a sandboxed working directory. Strong power, strong footgun — use with restricted scope only.

Tags #shell #bash #execution #community #dangerous

Recent releases (4)

All releases →
  • v1.1.0 Latest Jun 17, 2026 
    ## Added
- Made `directory` argument optional, defaulting to the current working directory (closes #11)
- Support for relative directory paths
- New `DirectoryManager` module for centralized directory resolution

## Changed
- Removed `asyncio` from explicit dependencies (standard library)
    View on GitHub ↗
  • v1.0.4 Jun 16, 2026 
    Security release for MCP Shell Server.

### Security

- Replaced shell-string subprocess execution with argv-based `create_subprocess_exec()` for normal commands and pipelines.
- Hardened `ALLOW_PATTERNS` to use full command-name matching and reject unsafe shell metacharacter forms.
- Rejected default exec-capable bypass vectors including shells/interpreters, `env`, `xargs`, `find -exec`, `awk system()`, `tar --checkpoint-action=exec`, and git external aliases.
- Enforced redirection containment under the validated working directory before file open side effects.
- Isolated child process environments from parent secrets unless variables are explicitly allowlisted.
- Added default/max timeout handling, output byte caps, and structured redacted audit logging.

PyPI: `mcp-shell-server==1.0.4`
    View on GitHub ↗
  • v1.0.3 Dec 23, 2024 
    ## [1.0.3] - 2024-12-23

### Added
- Interactive shell support for command execution

### Changed
- Improved login shell detection mechanism
- Enhanced process cleanup on error

### Fixed
- Improved test reliability and coverage
- Fixed pipeline timeout test cases
- Improved redirection handling and tests
    View on GitHub ↗
  • [1.0.2] - 2024-12-18 v1.0.2 Dec 18, 2024 
    ### Added
- Input/output redirection support in ShellExecutor
- Pipeline execution capabilities
- Process communication timeout handling
- Directory path validation

### Changed
- Improved process cleanup mechanisms
- Enhanced test configuration and organization
- Standardized error handling across the codebase
- Updated MCP dependency to version 1.1.2

### Fixed
- Proper timeout handling in process communication
- Edge case handling in shell command execution
- Warning suppression for cleaner output
- Pipeline command parsing and execution

### Security
- Enhanced directory permission validation
- Improved command validation and sanitization
    View on GitHub ↗

Discussion (0)

Sign in to comment →

No comments yet. Sign in to start the discussion.

More System servers