74
/ 100
27 days ago
github_topic

leanmcp-sdk

Production-ready TypeScript SDK for MCP servers: auth, multi-tenant, observability. Build enterprise AI agents fast.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
🚨
Secret credentials may flow to a network call
1 flow detected: REDDIT_PASSWORD. We can’t prove the destination matches the brand the credential belongs to.
🔐
You'll be asked for 16 credentials: AUTH0_CLIENT_SECRET, CLERK_SECRET_KEY, COGNITO_CLIENT_SECRET, COGNITO_ID_TOKEN, COGNITO_REFRESH_TOKEN, FIREBASE_API_KEY, GITHUB_CLIENT_SECRET, GITHUB_TOKEN, JWT_ENCRYPTION_SECRET, JWT_SIGNING_SECRET, LEANMCP_API_KEY, OPENAI_API_KEY, REDDIT_CLIENT_SECRET, REDDIT_PASSWORD, SESSION_SECRET, SLACK_BOT_TOKEN
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies1 medium2 low

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

mediumturbo@2.7.0GHSA-hcf7-66rw-9f5r

Trubo: Login callback CSRF/session fixation

lowtsup@8.0.1GHSA-3mv9-4h5g-vhg3

tsup DOM Clobbering vulnerability

lowturbo@2.7.0GHSA-3qcw-2rhx-2726

Turbo: Unexpected local code execution during Yarn Berry detection

Depend on this server? Get alerted when its CVEs change.Watch this server free →
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configAUTH0_AUDIENCE
configAUTH0_CLIENT_ID
🔐 secretAUTH0_CLIENT_SECRET
configAUTH0_DOMAIN
configAWS_REGIONregion: process.env.,
configCLERK_FRONTEND_API
🔐 secretCLERK_SECRET_KEY
configCOGNITO_CLIENT_IDclientId: process.env.
🔐 secretCOGNITO_CLIENT_SECRET
🔐 secretCOGNITO_ID_TOKEN
🔐 secretCOGNITO_REFRESH_TOKEN
configCOGNITO_USERNAME
configCOGNITO_USER_POOL_IDuserPoolId: process.env.,
configDASHBOARD_URL
configDYNAMODB_TABLE_NAME
🔐 secretFIREBASE_API_KEY
configFIREBASE_PROJECT_ID
configGITHUB_CLIENT_ID
🔐 secretGITHUB_CLIENT_SECRET
🔐 secretGITHUB_TOKEN
configHN_USERNAME
🔐 secretJWT_ENCRYPTION_SECRET
🔐 secretJWT_SIGNING_SECRET
🔐 secretLEANMCP_API_KEY
configLEANMCP_AUTH_URL
configLEANMCP_DISABLE_TELEMETRY
configLEANMCP_LAMBDA
configLEANMCP_ORCHESTRATION_API_URL
configLEANMCP_PROJECT_ID
🔐 secretOPENAI_API_KEY
configPORT
configPUBLIC_URL
configREDDIT_CLIENT_ID
🔐 secretREDDIT_CLIENT_SECRET
🔐 secretREDDIT_PASSWORD
configREDDIT_USERNAME
🔐 secretSESSION_SECRET
🔐 secretSLACK_BOT_TOKEN
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 6 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/leanmcp-leanmcp-sdk-a07llx)](https://m8ven.ai/mcp/leanmcp-leanmcp-sdk-a07llx)
commit: b3cfc9fdf0d526942f5ef473ca1a64874f19f8f8
code hash: d03f50f5e8d4008948f86649ce3fd27c4117e3fcafd01c2fd28aa35ae0a4d8c6
verified: 6/14/2026, 11:26:22 AM
view raw JSON →