72 / 100
23 days ago
glama

musashi-mcp

Exposes Musashi market intelligence as MCP tools for clients like Claude and ChatGPT, enabling text analysis, arbitrage detection, market movers, wallet activity, and smart money tracking.


// key findings
⚠️ Known vulnerabilities in dependencies: 2 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
🔐 You'll be asked for 4 credentials: MCP_OAUTH_TOKEN_SECRET, MUSASHI_MCP_API_KEY, MUSASHI_MCP_TEST_KEY, UPSTASH_REDIS_REST_TOKEN
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies: 2 high, 2 low

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

[high] @modelcontextprotocol/sdk@1.0.0 (GHSA-8r9q-7v3j-jr4g): Anthropic's MCP TypeScript SDK has a ReDoS vulnerability

[high] @modelcontextprotocol/sdk@1.0.0 (GHSA-w48q-cv73-mx4w): Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default

[low] express@4.19.0 (GHSA-qw6h-vgh9-j6wx): express vulnerable to XSS via response.redirect()

[low] express@4.19.0 (GHSA-rv95-896h-c2vc): Express.js Open Redirect in malformed URLs

// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
config MCP_API_KEYS: To authorize access, the server expects a valid mcp_sk_... key from or MUSASHI_MCP_API_KEY.
🔐 secret MCP_OAUTH_TOKEN_SECRET: required in production — secret for signing OAuth access tokens; without it, a random secret is generated at startup and all tokens are invalidated on every server restart
config MCP_RATE_LIMIT_PER_HOUR: hourly backstop per authenticated principal (default: 1000)
config MCP_RATE_LIMIT_PER_MINUTE: message rate limit per authenticated principal (default: 60)
config MUSASHI_API_BASE_URL: Musashi API base URL
🔐 secret MUSASHI_MCP_API_KEY: To authorize access, the server expects a valid mcp_sk_... key from MCP_API_KEYS or .
config MUSASHI_MCP_LIVE_API_BASE_URL
config MUSASHI_MCP_LIVE_MARKET_ID
config MUSASHI_MCP_PUBLIC_BASE_URL: optional public MCP server base URL for OAuth metadata
🔐 secret MUSASHI_MCP_TEST_KEY
config MUSASHI_MCP_TEST_WALLET
config MUSASHI_TEST_MARKET_ID
config PORT: HTTP port when running with --transport=http
🔐 secret UPSTASH_REDIS_REST_TOKEN: required in production — Upstash Redis REST token
config UPSTASH_REDIS_REST_URL: required in production — Upstash Redis REST URL for shared OAuth state
commit: cc14b4c8e61a416d53137bd3abc97bdd8734aaa9
code hash: 662d851a99741d7ca7268240532b9d696a012c579900f16bee865c58fde5a8db
verified: 6/11/2026, 12:04:35 PM