Git MCP (Insecure)
v0.2.1
Verified
Git repository operations. WARNING: Allows cloning from arbitrary URLs without validation, potential for malicious repo attacks.
By Community · MIT
typescript
developer tools
890 stars
23.0K downloads
120 forks
Scanned Feb 8, 2026
Security Score: D (38 out of 100), Poor Security
Vulnerabilities Found: 2 Critical, 3 High, 3 Medium, 3 Low, 4 Info
Quality Score: F (48 out of 100)
- Maintenance: 48%
- Popularity: 45%
- Documentation: 48%
- Compatibility: 51%
Maintenance: 48
- Recent: 13 days ago
- Commit Frequency: 47%
- Release Frequency: 47%
- Issue Response: 44%
Popularity: 45
- Stars: 890
- Downloads: 23.0K
- Forks: 120
- Stars Score: 54%
- Downloads Score: 61%
- Forks Score: 56%
Documentation: 48
- README Quality: 78%
- Available Documentation: API Docs, Examples, Changelog
Compatibility: 51
- MCP Spec Compliance: 53%
- Transport Support: 50%
Features
TypeScript
Supported Transports
STDIO
Vulnerabilities (15): 2 Critical, 3 High, 3 Medium, 3 Low, 4 Info
README: Git MCP (Insecure)
Git MCP
⚠️ INSECURE URL HANDLING ⚠️
Issue
The server accepts arbitrary git URLs without validation, including:
- file:// protocol (local file access)
- Malicious repositories with git hooks
Attack Scenarios
- Clone repo with malicious post-checkout hook
- Access local files via file:// URLs
- SSRF attacks against internal services
Mitigation
Restrict to HTTPS URLs from trusted hosts only.
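One way to apply this mitigation before a URL ever reaches `git clone`, shown as an added example that is not code from the git-mcp-insecure package. The names `checkCloneUrl` and `TRUSTED_HOSTS` and the host list are assumptions chosen for illustration.

```typescript
// Added example: allowlist check for clone URLs (not the package's own code).
const TRUSTED_HOSTS: string[] = ["github.com", "gitlab.com"]; // hypothetical allowlist

interface CloneUrlCheck {
  ok: boolean;
  reason: string;     // empty when ok
  normalized: string; // URL to hand to git when ok, otherwise ""
}

function checkCloneUrl(raw: string, trustedHosts: string[] = TRUSTED_HOSTS): CloneUrlCheck {
  const reject = (reason: string): CloneUrlCheck => ({ ok: false, reason, normalized: "" });

  let url: URL;
  try {
    // Strict parse: scp-style "git@host:path" and bare local paths have no
    // scheme and throw here instead of being passed through to git.
    url = new URL(raw.trim());
  } catch (_err) {
    return reject("not an absolute URL");
  }
  // Blocks file://, http://, ssh://, git:// and every other transport.
  if (url.protocol !== "https:") return reject("scheme must be https");
  // Credentials embedded in the URL end up in logs and process listings.
  if (url.username !== "" || url.password !== "") return reject("credentials in URL");
  // A non-default port may be a different service on an otherwise trusted host.
  if (url.port !== "") return reject("non-default port");
  // Exact match on the parsed, lower-cased host: no suffix or substring
  // matching, so internal IPs and look-alike domains fail closed.
  if (trustedHosts.indexOf(url.hostname) === -1) return reject("host not in allowlist");

  // Drop query and fragment; only origin and path are needed for a clone.
  return { ok: true, reason: "", normalized: url.origin + url.pathname };
}

// Constructed sample inputs, not taken from the scanned package.
const samples: string[] = [
  "https://github.com/org/repo.git",
  "file:///etc/hostname",
  "http://github.com/org/repo.git",
  "https://10.0.0.5/repo.git",
  "https://github.com.example.net/org/repo.git",
];
samples.forEach((s) => {
  const r = checkCloneUrl(s);
  console.log(`${r.ok ? "ALLOW" : "DENY "} ${s}${r.ok ? "" : " (" + r.reason + ")"}`);
});
```

Pass only the `normalized` value to git, and pass it as a separate argument rather than interpolating it into a shell string.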
Server Information
- Source: NPM
- Package: git-mcp-insecure
- Version: 0.2.1
- Language: typescript
- License: MIT
- Transport: STDIO
- Added: Jan 20, 2026
- Updated: Feb 8, 2026