M8ven score: 74 (grade C)
3 days ago
npm

efficient-gitlab-mcp-server

Production-ready GitLab MCP Server with progressive disclosure pattern

// key findings
2 tools verified — handlers match their declared behaviour
85 read-only tools verified — handlers contain no write/delete/exec
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
Open source with a license and README
Anyone can audit the code, the license is declared, and the publisher documents what it does.
🔐 You'll be asked for 2 credentials: GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_TOKEN
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
| Kind | Variable | Required | Default | Description |
|---|---|---|---|---|
| config | ENABLE_DYNAMIC_API_URL | No | false | Allow dynamic GitLab URLs |
| config | GITLAB_ALLOWED_PROJECT_IDS | No | - | Restrict tools to these projects (comma-separated). With a single project, acts as default. With multiple, project_id is required per call |
| config | GITLAB_API_URL | | | Example value: `https://gitlab.com` |
| config | GITLAB_CA_CERT_PATH | | | |
| config | GITLAB_GRAPHQL_URL | | | |
| config | GITLAB_IS_OLD | No | false | For older GitLab instances |
| 🔐 secret | GITLAB_PERSONAL_ACCESS_TOKEN | | | Example value: `glpat-xxxxxxxxxxxxxxxxxxxx` |
| config | GITLAB_PROJECT_ID | No | - | Default project ID when tools omit project_id |
| config | GITLAB_READ_ONLY_MODE | No | false | Only expose read-only tools. Auto-detected from PAT scopes if not set |
| 🔐 secret | GITLAB_TOKEN | | | |
| config | GITLAB_TOKEN_TEST | | | |
| config | GITLAB_USE_OAUTH | | | |
| config | HOST | No | 127.0.0.1 | HTTP server host |
| config | HTTPS_PROXY | | | |
| config | HTTP_ALLOWED_HOSTS | | localhost,127.0.0.1 | Comma-separated list of allowed Host headers |
| config | HTTP_ALLOWED_ORIGINS | | (any) | Comma-separated list of allowed Origin headers |
| config | HTTP_ENABLE_DNS_REBINDING_PROTECTION | | true | Enable DNS rebinding attack protection |
| config | HTTP_PROXY | | | |
| config | LOG_FORMAT | No | pretty | json, pretty |
| config | LOG_LEVEL | No | info | debug, info, warn, error |
| config | MAX_REQUESTS_PER_MINUTE | No | 60 | Rate limit per session |
| config | MAX_SESSIONS | No | 1000 | Maximum concurrent sessions |
| config | PORT | No | 3002 | HTTP server port |
| config | REMOTE_AUTHORIZATION | No | false | Enable remote auth |
| config | SESSION_TIMEOUT_SECONDS | No | 3600 | Session timeout |
| config | SSE | No | false | Enable SSE transport |
| config | STREAMABLE_HTTP | | | When using HTTP transport (STREAMABLE_HTTP=true), the server includes security features: |
| config | TEST_PROJECT_ID | | | |
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 3 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
commit: 5fee7d5521ee7f04869cfe4d091cf240066eda3e
code hash: 235a70407d0b0a50a7871be51be8a13a3ecec53167bedb03b9de6c4087b5f918
verified: 4/18/2026, 4:09:07 PM