Model Context Protocol moderate risk

GraphQL Forge

Transforms GraphQL endpoints into modular MCP servers via YAML configuration, enabling secure and intentional API interactions for agents.

Connections & Capabilities

Connects To

GitHub

Capabilities

readwriteexec

Exposed MCP Tools (1)

safe

getUser

Fetches basic user information by login, including name, URL, and location.

Read-only operation fetching user data.

Safety Assessment

The safety of `mcp-graphql-forge` depends heavily on the configuration of the GraphQL queries and the token command. When configured with read-only queries and a secure token retrieval mechanism, it can be relatively safe. However, poorly designed queries or a vulnerable token command could expose the underlying GraphQL endpoint to significant risks.

Configuration-driven, allowing for explicit control over exposed queries.
Supports read-only hints to limit tool capabilities.
Token command execution is configurable, enabling centralized credential management.
Output formatting options (TOON) can reduce token usage and exposure of raw data.

Improperly configured GraphQL queries could expose sensitive data.
Token command execution introduces a risk of command injection if not properly sanitized.
Lack of built-in rate limiting could lead to abuse of the underlying GraphQL endpoint.
If `env_passthrough` is enabled, sensitive environment variables could be exposed to the token command.

Client Compatibility

Claude Desktopfull

Cursoruntested

Windsurfuntested

VS Code (Copilot)untested

Security Notes

Potential for exposing sensitive data through poorly designed GraphQL queries.
Command injection vulnerabilities in the token command execution.
Lack of rate limiting can lead to denial-of-service attacks on the GraphQL endpoint.
Exposure of environment variables to the token command if `env_passthrough` is enabled.
The server can only be used with a single GraphQL server at a single URL, limiting its flexibility.

Best For

Teams that need to expose GraphQL data to agents in a controlled manner.
Organizations that want to integrate GraphQL data into automated workflows.
Developers who want to create modular and extensible MCP servers.
Scenarios where token efficiency is critical for LLM integration.