anylist-mcp

mcp
Security Audit
Failed
Health Warning
  • No license — Repository has no license file
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 9 GitHub stars
Code Failed
  • process.env — Environment variable access in src/anylist-client.js
  • process.env — Environment variable access in src/http/auth/oauth.js
  • process.env — Environment variable access in src/http/auth/providers/google.js
  • exec() — Shell command execution in src/http/db.js
  • process.env — Environment variable access in src/http/db.js
  • process.env — Environment variable access in src/http/index.js
Permissions Passed
  • Permissions — No dangerous permissions requested
Purpose
This is an unofficial Model Context Protocol (MCP) server that integrates with AnyList to manage shopping lists, recipes, and meal planning. It supports both local usage via Claude Desktop or Claude Code, and remote HTTP deployment via Docker for Claude Web and Mobile.

Security Assessment
Risk Rating: Medium
The server inherently handles highly sensitive data because it requires your actual AnyList email and password, supplied via environment variables. Beyond standard credential handling, the major finding is shell command execution (`exec()`) in the HTTP database code (src/http/db.js). While this code likely manages the local database for the self-hosted Docker version, shell execution functions are a high-risk target for command injection if any input reaching them is not strictly sanitized. The server needs network access to function, specifically to communicate with the AnyList API and to route traffic through Cloudflare Tunnels in its remote setup. No hardcoded secrets or dangerous broad permissions were detected.

Quality Assessment
The project is actively maintained, with its most recent push happening today. However, it has extremely low community visibility and trust, evidenced by having only 9 GitHub stars. Furthermore, the repository completely lacks a software license. This means that, strictly legally speaking, all rights are reserved by the creator, and you do not have formal permission to use, modify, or distribute the code.

Verdict
Use with caution — the tool handles sensitive account credentials and relies on risky shell execution functions, making it better suited for local use rather than public-facing deployments until the command injection risks are audited manually.
SUMMARY

Unofficial MCP Server for Anylist

README.md

Unofficial AnyList MCP Server

An MCP server that integrates with AnyList — shopping lists, recipes, and meal planning — exposed via the Model Context Protocol. Works with Claude Desktop, Claude Code, Claude Web/Mobile, or any MCP-compatible client.

Two deployment modes:

  • Local (stdio) — runs on your machine alongside Claude Desktop or Claude Code. Fastest setup, no server required.
  • HTTP server — runs in Docker behind a Cloudflare Tunnel. Required for Claude Web and Claude Mobile, and useful for sharing access across devices or users.

Functionality is organized into 5 domain-grouped tools rather than 18+ individual ones. See docs/tools.md for the full tool reference.


Installation: Claude Desktop

The fastest way to get started is to download the latest anylist-mcp.mcpb from the releases page.

  1. Open Claude Desktop → Settings → Extensions
  2. Drag and drop the .mcpb file, or click "Advanced settings" → Install extension
  3. Enter your configuration when prompted:
    • AnyList Email — your AnyList account email
    • AnyList Password — your AnyList account password
    • Default Shopping List — optional, defaults to "Groceries"

Installation: Claude Code / Claude Desktop (from source)

Prerequisites

Setup

git clone --recurse-submodules https://github.com/bobby060/anylist-mcp.git
cd anylist-mcp
npm install

Add to your MCP config (~/.claude/claude_desktop_config.json or equivalent):

{
  "mcpServers": {
    "anylist": {
      "command": "node",
      "args": ["/absolute/path/to/anylist-mcp/src/server.js"],
      "env": {
        "ANYLIST_USERNAME": "you@example.com",
        "ANYLIST_PASSWORD": "yourpassword",
        "ANYLIST_LIST_NAME": "Groceries"
      }
    }
  }
}

Installation: Claude Web / Claude Mobile

Claude Web and Mobile require an HTTP MCP server accessible over HTTPS. This project includes a Docker-based HTTP server designed to run behind a Cloudflare Tunnel. The server is designed for self-hosting, but can theoretically support any number of users. You can (should?) restrict which email addresses are allowed to create accounts using the allowed-emails.txt file.

See docs/cloudflare-setup.md for the full setup guide, including:

  • Quick tunnel for development (no Cloudflare account needed)
  • Named tunnel for production (stable URL on your own domain)

Quick start:

git clone --recurse-submodules https://github.com/bobby060/anylist-mcp.git
cd anylist-mcp

# Configure
cp .env.http.example .env          # fill in SERVER_SECRET_KEY and SESSION_SECRET
mkdir -p config
cp allowed-emails.example.txt config/allowed-emails.txt   # add your email

# Start server + Cloudflare quick tunnel
docker compose --profile cloudflare-temp up --build
# Watch logs for the trycloudflare.com URL, then add it as an MCP server in Claude Settings/Connectors

Development

# Unit tests (mocked, no credentials needed)
npm test

# Integration tests (requires .env with real credentials)
npm run test:integration

# Inspect with the MCP inspector
npx @modelcontextprotocol/inspector node src/server.js

Building the desktop extension

npm run pack   # produces anylist-mcp.mcpb

Roadmap

  • Google OAuth — allow users to sign in to the HTTP MCP server with their Google account instead of a separate password.

Credits

AnyList API from a fork of anylist by @codetheweb.

Contributions welcome — feel free to open issues and pull requests.
