74
/ 100
1 month ago
glama

avito-mcp

Universal MCP server for the Avito API (Russia's largest classifieds marketplace), built for autonomous AI agents to operate an account hands-free — 145 tools across 18 domains (listings, messenger, orders, delivery, promotion, autoload, reviews, analytics). Safe-by-default: dry-run, idempotency, structured errors, confirmation flow.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
⚠️
Known vulnerabilities in dependencies: 1 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
⚠️
Tests do not pass
Either the test suite is broken or the code regressed. Either way the published behaviour can’t be verified by the publisher’s own tests.
10 tools verified — handlers match their declared behaviour
7 read-only tools verified — handlers contain no write/delete/exec
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
Open source with a license and README
Anyone can audit the code, the license is declared, and the publisher documents what it does.
🔐
You'll be asked for 6 credentials: AVITO_MCP_CONFIRMATION_SECRET, AVITO_MCP_HTTP_AUTH_TOKEN, AVITO_MCP_OAUTH_OWNER_PASSWORD, AVITO_MCP_WEBHOOK_SECRET, CLIENT_SECRET, Client_secret
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies1 high

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

highexpress-rate-limit@8.2.1GHSA-46wh-pxpv-q5gq

express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network

Depend on this server? Get alerted when its CVEs change.Watch this server free →
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configAVITO_BASE_URL
configAVITO_ENV_FILE
configAVITO_MCP_ALLOWED_UPLOAD_DIRS+ =… 145 (+1 upload)
configAVITO_MCP_ALLOW_TOOLSMulti-agent swarm — separate agents for "support", "promotion", "logistics", each holding only the tools they need (via / safety modes).
configAVITO_MCP_CONFIRMATION_MODEoff −3 (hides meta__action)
🔐 secretAVITO_MCP_CONFIRMATION_SECRET
configAVITO_MCP_CONFIRMATION_TTL_SEC
configAVITO_MCP_DENY_TOOLSAVITO_MCP_ALLOW_TOOLS / — per-tool gating. Deny wins over allow.
configAVITO_MCP_DRY_RUN_DEFAULTYou can flip the default for the entire server: =true or --dry-run. Then every destructive tool short-circuits unless the agent explicitly passes dryRun: false.
configAVITO_MCP_EXPOSE_AUTH_TOOLS+ =1 147 (+3 auth)
configAVITO_MCP_HTTP_ALLOWED_HOSTSderived CSV — DNS-rebinding protection (accepted Host values). When unset, derived from the public URL + bind address — protection is on by default (off only for a wildcard bind with no public URL)
configAVITO_MCP_HTTP_ALLOWED_ORIGINSderived CSV — DNS-rebinding protection (accepted Origin values). Same derivation as above
configAVITO_MCP_HTTP_ALLOW_NO_AUTH0 Allow auth=none on a non-loopback host (discouraged)
configAVITO_MCP_HTTP_AUTHoauth # oauth (default) bearer none
🔐 secretAVITO_MCP_HTTP_AUTH_TOKENbearer mode: shared secret(s), comma-separated
configAVITO_MCP_HTTP_HOST127.0.0.1 # Node always binds loopback; TLS is the proxy's job
configAVITO_MCP_HTTP_MAX_SESSIONS100 Max concurrent Streamable HTTP sessions — initialize beyond it → 503
configAVITO_MCP_HTTP_PORT3000 Listen port
configAVITO_MCP_HTTP_PUBLIC_URLPublic TLS base used to build OAuth issuer / resource metadata. No trailing slash.
configAVITO_MCP_HTTP_SESSION_IDLE_SEC1800 Sessions idle longer than this are reaped (clients that vanished without DELETE)
configAVITO_MCP_IDEMPOTENCY_TTL_SECThis is the simplest reliable defence against duplicate sends after retries, crashes, or race conditions between concurrent agents. TTL via (default 1 hour).
configAVITO_MCP_MAX_BINARY_MB
configAVITO_MCP_MAX_UPLOAD_MB
configAVITO_MCP_MODEDefault (=full_access, no opt-ins) 144
🔐 secretAVITO_MCP_OAUTH_OWNER_PASSWORD… # REQUIRED in oauth mode — the only person who can mint a token
configAVITO_MCP_OAUTH_STORE_FILEOptional file to persist issued tokens/clients across restarts
configAVITO_MCP_OAUTH_TOKEN_TTL_SEC5. The client exchanges the code at /token for a bearer token (TTL , default 3600s), and that token guards every /mcp request.
configAVITO_MCP_TOKEN_LOCK_TIMEOUT_MS
configAVITO_MCP_TRANSPORTavito-mcp --http --both # =http both
configAVITO_MCP_WEBHOOK_BUFFER=100 # ring-buffer size (events kept in memory)
configAVITO_MCP_WEBHOOK_ENABLED1 when a secret is set Explicit toggle: set 0 to disable without unsetting the secret. 1 without a secret does nothing (warned at startup)
configAVITO_MCP_WEBHOOK_LOG_FILE=/var/log/avito-webhook.jsonl # optional JSONL audit log
configAVITO_MCP_WEBHOOK_PATH=/avito/webhook # default
configAVITO_MCP_WEBHOOK_PUBLIC_URLPOST {}{AVITO_MCP_WEBHOOK_PATH}/{AVITO_MCP_WEBHOOK_SECRET}
🔐 secretAVITO_MCP_WEBHOOK_SECRET… # enables the receiver; becomes a secret path segment
configAVITO_SAFE_MODE
configAVITO_TOKEN_FILEOverride with . Delete the file to force a refresh.
configCALL_USER_INFO
configCLIENT_ID
🔐 secretCLIENT_SECRET
configClient_id1. Get OAuth credentials from the [Avito Developer Portal](https://www.avito.ru/professionals/api): , Client_secret, and your Profile_id (your numeric account ID, shown on the same page).
🔐 secretClient_secret1. Get OAuth credentials from the [Avito Developer Portal](https://www.avito.ru/professionals/api): Client_id, , and your Profile_id (your numeric account ID, shown on the same page).
configLOG_LEVEL
configPROFILE_ID
configProfile_id1. Get OAuth credentials from the [Avito Developer Portal](https://www.avito.ru/professionals/api): Client_id, Client_secret, and your (your numeric account ID, shown on the same page).
configXDG_STATE_HOMELinux: $/avito-mcp/token.json (≈ ~/.local/state/avito-mcp/token.json)
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 6 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/elchin92-avito-mcp-14jvek)](https://m8ven.ai/mcp/elchin92-avito-mcp-14jvek)
commit: 4ab9e3258351604c27ec291acfeb1b400a1ef617
code hash: 79388662570dfbe84defa3fdc71cdf910ecd78592cfd71c63562b503596454b7
verified: 6/15/2026, 2:14:42 PM
view raw JSON →