Qingflow MCP (CRUD)

Enables CRUD operations on Qingflow forms, queries, and records through agent-native tools like qf.query.plan and qf.query.rows.

→ 853046310/qingflow-mcp · listed on glama

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

Glama

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

⚠️

Tool annotations don’t match behaviour

3 read-only tools perform write/delete/exec — qf.query.export (line 7865: fs.mkdir(path.dirname(filePath), { recursive: true })); qf_export_csv (line 7865: fs.mkdir(path.dirname(filePath), { recursive: true })); qf_export_json (line 7865: fs.mkdir(path.dirname(filePath), { recursive: true }))

⚠️

Tool descriptions don’t match what handlers do

3 tools describe read intent but their handlers mutate — qf.query.export (line 7865: fs.mkdir(path.dirname(filePath), { recursive: true })); qf_export_csv (line 7865: fs.mkdir(path.dirname(filePath), { recursive: true })); qf_export_json (line 7865: fs.mkdir(path.dirname(filePath), { recursive: true }))

⚠️

Known vulnerabilities in dependencies: 3 high

Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.

✅

No credential exfiltration, no sensitive file access, no obfuscation

Static analysis found nothing flowing your secrets to unexpected places.

✅

Open source with a license and README

Anyone can audit the code, the license is declared, and the publisher documents what it does.

🔐

You'll be asked for 1 credential: QINGFLOW_ACCESS_TOKEN

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

🔐 secretQINGFLOW_ACCESS_TOKEN— export ="your_access_token"

configQINGFLOW_ADAPTIVE_MIN_PAGE_SIZE— export =20

configQINGFLOW_ADAPTIVE_PAGING

configQINGFLOW_ADAPTIVE_TARGET_PAGE_MS— export =1200

configQINGFLOW_BASE_URL— export ="https://api.qingflow.com"

configQINGFLOW_CONTINUATION_CACHE_TTL_MS

configQINGFLOW_EXECUTION_BUDGET_MS— export =20000

configQINGFLOW_EXPORT_DIR— export ="/tmp/qingflow-mcp-exports"

configQINGFLOW_EXPORT_MAX_ROWS— export =10000

configQINGFLOW_FORM_CACHE_TTL_MS— export =300000

configQINGFLOW_LIST_MAX_ITEMS_BYTES

configQINGFLOW_QUERY_ARTIFACT_TTL_MS

configQINGFLOW_REQUEST_TIMEOUT_MS— export =18000

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 6 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/853046310-qingflow-mcp-xa7y5t)](https://m8ven.ai/mcp/853046310-qingflow-mcp-xa7y5t)

commit: b37dc72d391710cc74ead65413ebbc164aaa03ff

code hash: 523cddf9bdb094ef9602687a550af117df6dd6fd186e5127876896af96a8d035

verified: 5/29/2026, 10:10:27 AM

view raw JSON →