Would love to have an MCP for Discourse API Docs and Dev Docs. That would help a lot since we have been tweaking some Theme Components and we want to make sure that the code is always compatible to our and future Discourse versions and follow best practice.
It isn’t necessarily an industry standard yet (like JSON, REST, etc) therefore early adopters (organizations/companies included) may end up paying the price of something shinier and better coming along after this original MCP. With that being said, it’s understandable that Discourse may want to wait this one out a bit
The gist of the issue is that by using npx or uvx you are essentially telling your tool-using platform to go get whatever code is registered with the package name provided and run it (the “x” is for “execute”), updating whenever the package changes. And the code that is then run on your machine has root access — it can see your entire machine, environment variables, the file system, it can open ports to listen or to exfiltrate data. This code, which just got pulled down fresh from the registry, can do ANYTHING it wants.
For example in learning to use MCPs grabbed the time MCP from
uvx actually downloaded all of the code in milliseconds into a temporary directory and ran it as needed. When the MCP client was done (closed in the case of Claude Desktop), the temporary files were deleted.
Yes you should get a warning before the code is executed as in the case with Claude Desktop