74
/ 100
21 days ago
glama

debmatic-mcp

Integrates HomeMatic smart home devices (via CCU3, RaspberryMatic, or debmatic) as MCP tools, enabling natural language query and control of rooms, devices, programs, and system variables.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
23 tools verified — handlers match their declared behaviour
15 read-only tools verified — handlers contain no write/delete/exec
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
Open source with a license and README
Anyone can audit the code, the license is declared, and the publisher documents what it does.
🔐
You'll be asked for 3 credentials: CCU_PASSWORD, MCP_AUTH_TOKEN, MCP_TLS_KEY
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configCACHE_DIR/data Where to store device type cache and session
configCCU_CA_CERTTrust a CA/self-signed PEM: point at the certificate file for standard chain validation.
configCCU_HOSTexport =your-ccu-hostname-or-ip
configCCU_HTTPSfalse Connect via HTTPS (self-signed certs supported)
🔐 secretCCU_PASSWORDexport =your-ccu-admin-password
configCCU_TLS_FINGERPRINTtakes precedence over CCU_CA_CERT, which takes precedence over CCU_TLS_VERIFY.
configCCU_TLS_VERIFYSystem trust store: if your CCU has a publicly-trusted certificate, set =true.
configCCU_USERAdmin CCU username
configLOG_LEVELinfo error, warn, info, or debug
configMCP_ALLOWED_HOSTSlocalhost/127.0.0.1 Extra Host values accepted by DNS-rebinding protection (comma-separated host:port); add your hostname when behind a proxy or container DNS name
configMCP_ALLOWED_ORIGINS
configMCP_ALLOW_PLAINTEXTfalse Set true to acknowledge serving the bearer token over plain HTTP and silence the non-loopback plaintext warning
🔐 secretMCP_AUTH_TOKENdocker exec ccu-mcp grep /data/.env
configMCP_AUTH_TOKEN_PREVIOUSunset Previous bearer token, accepted alongside MCP_AUTH_TOKEN during a rotation overlap; remove it (and restart) to end the overlap. Explicit-token path only
configMCP_HOSTunset (all interfaces) Bind address for the HTTP listener; set 127.0.0.1 to restrict to loopback (e.g. behind a TLS-terminating proxy), which also silences the plaintext warning
configMCP_TLS_CERT/ MCP_TLS_KEY unset PEM cert/key paths. Set both to serve MCP over HTTPS natively; leave unset for plain HTTP. Setting only one is a configuration error
🔐 secretMCP_TLS_KEYMCP_TLS_CERT / unset PEM cert/key paths. Set both to serve MCP over HTTPS natively; leave unset for plain HTTP. Setting only one is a configuration error
configMCP_TRANSPORThttp http or stdio (the --stdio CLI flag overrides this)
configPKG_FILE
configSERVER_FILE
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 4 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/claymore666-ccu-mcp-5e6q1s)](https://m8ven.ai/mcp/claymore666-ccu-mcp-5e6q1s)
commit: 75cd6413ebdc379e70970488f49104eec223c1ba
code hash: b5531c96aca240e2abb6a32c9da09ad3762d9236b7b44d64b7bfcba7173088ea
verified: 6/20/2026, 9:11:51 AM
view raw JSON →