Model Context Protocol moderate risk

Zenml

The ZenML MCP server provides access to ZenML metadata and pipeline execution, enabling LLMs to interact with and manage ML workflows. Triggering pipelines and accessing secrets pose the highest risks.

Connections & Capabilities

Connects To

GitHubSlackDocker

Capabilities

readwriteexec

Quickstart

Install

npx cloudflared tunnel --url http://localhost:8001

Config

{
    "mcpServers": {
        "zenml": {
            "command": "/usr/local/bin/uv",
            "args": ["run", "path/to/zenml_server.py"],
            "env": {
                "LOGLEVEL": "INFO",
                "NO_COLOR": "1",
                "PYTHONUNBUFFERED": "1",
                "PYTHONIOENCODING": "UTF-8",
                "ZENML_STORE_URL": "https://your-zenml-server-goes-here.com",
                "ZENML_STORE_API_KEY": "your-api-key-here"
            }
        }
    }
}

Exposed MCP Tools (47)

safe

get_snapshot

Retrieves a specific pipeline snapshot by name or ID.

Read-only access to pipeline configuration metadata.

safe

list_snapshots

Lists available pipeline snapshots, optionally filtered by criteria.

Read-only access to pipeline configuration metadata.

safe

get_deployment

Retrieves the runtime status and URL of a deployment.

Read-only access to deployment metadata.

safe

list_deployments

Lists deployments, optionally filtered by status, pipeline, or tag.

Read-only access to deployment metadata.

safe

get_deployment_logs

Retrieves logs from a deployment, with configurable tail length.

Read-only access to deployment logs (bounded output).

moderate

trigger_pipeline

Triggers a new pipeline run using a snapshot or run template.

Initiates pipeline execution, potentially consuming resources.

safe

get_active_project

Retrieves the currently active project.

Read-only access to project metadata.

safe

get_project

Retrieves project details by name or ID.

Read-only access to project metadata.

safe

list_projects

Lists all projects.

Read-only access to project metadata.

safe

get_tag

Retrieves tag details (exclusive, colors).

Read-only access to tag metadata.

safe

list_tags

Lists tags, optionally filtered by resource type.

Read-only access to tag metadata.

safe

get_build

Retrieves build details (image, code embedding).

Read-only access to build metadata.

safe

list_builds

Lists builds, optionally filtered by criteria.

Read-only access to build metadata.

safe

get_user

Retrieves user details.

Read-only access to user metadata.

safe

list_users

Lists all users.

Read-only access to user metadata.

safe

get_active_user

Retrieves the currently active user.

Read-only access to user metadata.

safe

get_stack

Retrieves stack configuration details.

Read-only access to stack metadata.

safe

list_stacks

Lists all stack configurations.

Read-only access to stack metadata.

safe

get_stack_component

Retrieves stack component details.

Read-only access to stack component metadata.

safe

list_stack_components

Lists stack components.

Read-only access to stack component metadata.

safe

get_flavor

Retrieves component flavor details.

Read-only access to flavor metadata.

safe

list_flavors

Lists component flavors.

Read-only access to flavor metadata.

safe

get_service_connector

Retrieves service connector details.

Read-only access to service connector metadata.

safe

list_service_connectors

Lists service connectors.

Read-only access to service connector metadata.

safe

get_pipeline_run

Retrieves pipeline run details.

Read-only access to pipeline run metadata.

safe

list_pipeline_runs

Lists pipeline runs.

Read-only access to pipeline run metadata.

safe

get_run_step

Retrieves step details for a pipeline run.

Read-only access to step metadata.

safe

list_run_steps

Lists steps for a pipeline run.

Read-only access to step metadata.

safe

get_step_logs

Retrieves logs for a specific step in a pipeline run.

Read-only access to step logs.

safe

get_step_code

Retrieves the source code for a specific step in a pipeline run.

Read-only access to step source code.

safe

list_pipelines

Lists pipeline definitions.

Read-only access to pipeline definitions.

safe

get_pipeline_details

Retrieves details for a specific pipeline.

Read-only access to pipeline details.

safe

get_schedule

Retrieves schedule details.

Read-only access to schedule metadata.

safe

list_schedules

Lists schedules.

Read-only access to schedule metadata.

safe

list_artifacts

Lists artifact metadata.

Read-only access to artifact metadata.

safe

list_secrets

Lists secret names (not values).

Read-only access to secret names.

safe

get_service

Retrieves model service details.

Read-only access to service metadata.

safe

list_services

Lists model services.

Read-only access to service metadata.

safe

get_model

Retrieves model registry entry details.

Read-only access to model metadata.

safe

list_models

Lists model registry entries.

Read-only access to model metadata.

safe

get_model_version

Retrieves model version details.

Read-only access to model version metadata.

safe

list_model_versions

Lists model versions.

Read-only access to model version metadata.

safe

open_pipeline_run_dashboard

Opens an interactive pipeline runs dashboard.

Opens a dashboard within a sandboxed iframe.

safe

open_run_activity_chart

Opens a 30-day run activity bar chart.

Opens a chart within a sandboxed iframe.

safe

stack_components_analysis

Analyzes stack component usage.

Read-only analysis of stack component metadata.

safe

recent_runs_analysis

Analyzes recent pipeline runs.

Read-only analysis of pipeline run metadata.

safe

most_recent_runs

Retrieves the N most recent pipeline runs.

Read-only access to pipeline run metadata.

Safety Assessment

The ZenML MCP server is relatively safe for read-only operations. The greatest risks come from triggering pipelines and accessing secrets. Proper ZenML access controls and monitoring are essential to mitigate these risks.

Primarily provides read-only access to ZenML metadata.
Access to sensitive operations like triggering pipelines can be controlled via ZenML's permission system.
MCP Apps run in sandboxed iframes.
Authentication is required via API key or token.

Allows triggering pipeline runs, potentially consuming resources or executing unintended code.
Provides access to service connector credentials and secrets, if exposed within ZenML.
Some tools allow access to code and logs, which could contain sensitive information.
Lack of input validation in some tools could lead to unexpected behavior or exploits.