Server data from the Official MCP Registry
Stateful Windows OpenSSH server operations for Codex with local credential handling.
Stateful Windows OpenSSH server operations for Codex with local credential handling.
This is a Windows-first MCP server for stateful SSH operations with generally sound security practices. The codebase demonstrates careful attention to credential handling, path traversal prevention, and session state management. However, there are several moderate concerns: shell command injection risks in file operation builders, insufficient input validation in some shell escaping patterns, and overly broad subprocess usage without comprehensive validation. The server's permission model is well-suited to its purpose, but dynamic shell script generation creates a meaningful attack surface. Supply chain analysis found 3 known vulnerabilities in dependencies (0 critical, 3 high severity). Package verification found 1 issue.
6 files analyzed · 12 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-cyyprezz-codex-serverops-mcp": {
"args": [
"codex-serverops-mcp"
],
"command": "uvx"
}
}
}From the project's GitHub README.
Windows-first local MCP server for operating explicitly configured Linux servers from Codex through the Windows OpenSSH client. It keeps stateful Bash sessions alive, exposes structured file operations and supports guided sudo without sending passwords or key passphrases through MCP parameters.
Codex can already run commands such as:
ssh my-server "docker compose ps"
But this is not the same as working inside a persistent remote environment.
Without a dedicated integration, Codex must repeatedly rebuild connection context, quote remote
commands correctly and reconstruct shell state for every operation. Working with password
authentication, long-running processes, interactive commands, changing directories, activated
virtual environments and sudo is especially awkward.
ServerOps MCP was built to solve that gap.
It provides Codex with persistent, broker-owned SSH sessions that keep their Bash state across multiple MCP calls. Codex can enter a project directory, activate a virtual environment, run commands, inspect output and continue working in the same remote shell.
Persistence does not make the shell indestructible. If a command exits or replaces the original Bash, or leaves it impossible to verify, ServerOps loses the session in a controlled way and never retries an uncertain command automatically.
Sensitive interaction remains local. SSH passwords, private-key passphrases, host-key decisions and interactive sudo authentication are handled in separate visible windows and are never sent through MCP tool arguments.
The goal is not to replace SSH or create a remote security sandbox. The goal is to turn an existing SSH-accessible Linux server into a practical, stateful workspace for Codex while continuing to use OpenSSH, Linux permissions and the operator's existing server configuration.
In practice, this enables workflows such as:
Release status: version
0.1.0is the first public release. Its automated, packaging and contained integration gates are release-blocking. Real-network and visible credential checks remain documented operator evidence because public CI cannot reproduce a real SSH/sudo server. Start with disposable or non-production accounts while evaluating this initial release.
uvx installer for published releases.The Linux server needs no ServerOps agent or daemon.
uv / uvx; andUse a dedicated non-root SSH account and narrow server-side sudoers rules. ServerOps permissions guide which MCP tools are offered; they do not replace Linux permissions, backups or a remote sandbox.
The package is not published as 0.1.0 yet. Choose the matching path in
Windows installation and Doctor:
After restarting Codex, follow Getting started to create the first profile, open a session and verify the connection without putting a credential into chat.
uv sync --locked --all-groups --python 3.12
$env:PYTHONPATH = "src"
.\.venv\Scripts\python.exe -m unittest discover -s tests -v
.\.venv\Scripts\ruff.exe check .
No credentials, private keys, host-specific configuration or generated runtime material belong in the repository. See SECURITY.md before reporting a vulnerability.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.