Merge pull request #18 from Molecule-AI/docs/mcp-server-security-808

docs(mcp-server): pin npm version, remove -y flag — SAFE-MCP NEW-003
Hongming Wang 2026-04-19 00:52:29 -07:00 committed by GitHub
commit 28783fe1db
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -12,7 +12,7 @@ channels, and more through the platform API.
### Install
```bash
npx @molecule-ai/mcp-server
npx @molecule-ai/mcp-server@1.0.0
```
### Configure in `.mcp.json`
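Review bot: The pinned `@1.0.0` in the Install snippet will go stale as soon as a newer release ships, and the same literal is now repeated in the `.mcp.json` example and the troubleshooting table, so consider stating next to this snippet that `1.0.0` is an example and readers should substitute the current release (the callout further down does this, but the Install section is the first thing readers copy).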
@ -23,7 +23,7 @@ npx @molecule-ai/mcp-server
"molecule": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@molecule-ai/mcp-server"],
"args": ["@molecule-ai/mcp-server@1.0.0"],
"env": {
"MOLECULE_URL": "http://localhost:8080"
}
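Review bot: Dropping `-y` from `"args"` changes first-launch behaviour: when the pinned package is not yet in the npm cache, `npx` may prompt for confirmation before installing it, and the MCP client starts this command over stdio without a terminal, so the docs should confirm that the first launch does not stall on that prompt or advise running `npx @molecule-ai/mcp-server@1.0.0` once by hand (as the troubleshooting row already suggests) to populate the cache before configuring the client.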
@ -32,6 +32,10 @@ npx @molecule-ai/mcp-server
}
```
<Callout type="warn">
**Pin the package version.** The examples above use `@1.0.0` — always specify an exact version and omit the `-y` flag. An unpinned `npx -y @molecule-ai/mcp-server` (no version) silently installs whatever npm serves on the next restart; if the package is ever compromised, it runs with your full MCP client permissions. Check [npm](https://www.npmjs.com/package/@molecule-ai/mcp-server) for the latest stable release before upgrading.
</Callout>
For SaaS deployments, set `MOLECULE_URL` to your tenant URL:
```json
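Review bot: The callout's claim that pinning protects against a compromised package is only partly true: an exact version stops silent upgrades to a later malicious release, but `npx` still fetches the tarball from the registry on each cold start without an integrity check, so suggest adding one sentence recommending a stronger option for production clients, such as installing the package into a project with a lockfile (`npm ci`) and pointing `"command"` at the locally installed binary, so the exact bytes are recorded and verified.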
@ -155,4 +159,4 @@ The MCP server exposes tools across these categories:
|---|---|
| Connection refused | Check `MOLECULE_URL` points to running platform |
| 401 Unauthorized | Token expired or revoked — create a new one |
| Tools not showing | Run `npx @molecule-ai/mcp-server` standalone to check errors |
| Tools not showing | Run `npx @molecule-ai/mcp-server@1.0.0` standalone to check errors |
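Review bot: Pinning introduces a new failure mode the table does not cover: if the pinned version does not exist or is not reachable from the registry, `npx` exits with an npm error and the client shows no tools, so suggest adding a row such as "Tools not showing after changing the pin | Confirm the version exists on npm and that the standalone run succeeds" so readers can tell a bad pin apart from a platform connection problem.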