sp500-mcp-server
Health Pass
- License — License: AGPL-3.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 68 GitHub stars
Code Fail
- spawnSync — Synchronous process spawning in apps/web-app/scripts/build-pages.js
- process.env — Environment variable access in apps/web-app/scripts/build-pages.js
Permissions Pass
- Permissions — No dangerous permissions requested
This MCP server and Next.js web application query S&P 500 company data (such as financials, news, officers, and SEC filings) from a Supabase database. It exposes this data to AI models via standard MCP tools and includes a web UI for testing and browsing the information.
Security Assessment
The tool does not request dangerous system permissions or contain hardcoded secrets. It requires environment variables for database credentials, which is standard and safe practice. However, the automated scan flagged a synchronous process spawn (`spawnSync`) within a local build script (`apps/web-app/scripts/build-pages.js`). This is typically used for routine build tasks (like generating static files) and poses a low security risk, as it does not execute arbitrary user input or run dynamically during the application's runtime. The server makes network requests to your configured Supabase instance and optionally Redis for production scaling. Overall risk: Low.
Quality Assessment
The project is in excellent shape. It utilizes a modern, strict tech stack (TypeScript, React 19, Next.js 16) managed via Turborepo. It is actively maintained, with the most recent push occurring today. The codebase is licensed under AGPL-3.0, which is fully open-source but requires you to release the source code for any modified versions you distribute. With 68 GitHub stars, it is beginning to build solid community trust. It also features integration tests and strict linting, indicating high developer standards.
Verdict
Safe to use, provided you supply your own Supabase database and comply with the AGPL-3.0 license if you plan to modify and share the code.
An MCP server and Next.js web app for querying S&P 500 company data from Supabase, with tools for company info, news, officers, and SEC filings, plus embedded MCP App UI resources, Elicitation, and Sampling support.
S&P 500 MCP Server
An MCP (Model Context Protocol) server and Next.js web app for querying S&P 500 company data from Supabase. It exposes MCP tools for company fundamentals, news sentiment, officers, and SEC filings, plus a web UI and embedded MCP App resources for browsing and testing those tools.
Tools
| Tool | Description |
|---|---|
| get_company_info | Company basics, financials, leadership, address, and business summary |
| get_company_news | Recent company news with sentiment filtering |
| get_company_officers | Executive officers and compensation |
| get_company_filings | SEC filings history, with filing type and date filters |
search_companies is an internal symbol resolver, not an exposed MCP tool. User queries are resolved through getCompanySymbol.
Tech Stack
- Workspace: pnpm 10.33.3 + Turborepo
- Runtime: Node 22 (`.nvmrc`)
- Web app: Next.js 16 App Router, React 19, TypeScript strict mode (`apps/web`)
- MCP Apps: Vite single-file React pages built from `apps/web-app` and served as tool UI resources
- MCP: `mcp-handler` at `apps/web/app/[transport]/route.ts`; `/mcp` is the active endpoint
- Database: Supabase client at `apps/web/app/[transport]/utils/supabase.ts`
- UI: shared shadcn/Tailwind primitives in `packages/ui`
Getting Started
Prerequisites
- Node.js 22
- pnpm 10
- Supabase project with the S&P 500 data tables used by the tools
Local Development
- Install dependencies:
pnpm install
- Create a local env file with Supabase credentials:
SUPABASE_URL=your_supabase_url
SUPABASE_ANON_KEY=your_supabase_anon_key
MCP_MAX_DURATION=60
REDIS_URL=your_redis_url
SUPABASE_URL and SUPABASE_ANON_KEY are required. REDIS_URL is only needed for production SSE.
- Build the embedded MCP App HTML resources:
pnpm --filter @apps/web-app build
- Start the apps:
pnpm dev
The Next.js web app runs on http://localhost:3000; the MCP endpoint is http://localhost:3000/mcp. The apps/web-app dev server proxies /mcp to port 3000 when run separately.
Commands
pnpm dev # Start apps/* dev tasks via Turbo
pnpm build # Build apps/web and apps/web-app via Turbo
pnpm start # Start production server for apps/web
pnpm type-check # Type-check apps/web and apps/web-app
pnpm lint # ESLint + Prettier rule checks
Focused commands:
pnpm --filter @apps/web dev
pnpm --filter @apps/web-app dev
pnpm --filter @apps/web-app build
pnpm exec tsc -p apps/web/tsconfig.json --noEmit
pnpm exec tsc -p apps/web-app/tsconfig.json --noEmit
pnpm exec tsc -p packages/ui/tsconfig.json --noEmit
Testing
Tests are integration tests that connect a real MCP client to http://localhost:3000/mcp, so start the dev server first:
pnpm --filter @apps/web-app build
pnpm dev
pnpm test
Run a single tool test:
pnpm vitest run apps/web/tests/tools/get-company-info-tool.test.ts
Generate coverage:
pnpm coverage
Project Layout
apps/web/
app/[transport]/route.ts MCP GET/POST/DELETE handler
app/[transport]/tools/ MCP tool registrations
app/[transport]/utils/ Supabase, symbol resolution, summaries
app/api/tools/call/route.ts HTTP proxy for the web tool tester
app/tools/ Tool catalog page
components/ App-specific UI
tests/tools/ MCP integration tests
apps/web-app/
src/pages/ Embedded MCP App pages, one per tool
src/components/ MCP App UI components
scripts/build-pages.js Builds each page into dist/*.html
dist/ Generated single-file HTML resources
packages/ui/
src/components/ Shared shadcn UI primitives
src/styles/globals.css Shared Tailwind CSS
apps/web/app/[transport]/tools/app-resource.ts reads generated HTML from apps/web-app/dist, so rebuild apps/web-app after changing embedded MCP App pages.
Vercel Deployment
- Requires Fluid compute
- `MCP_MAX_DURATION` defaults to `60`; set a higher duration for long-running production calls when your Vercel plan supports it
- SSE is enabled (`disableSse: false`); production SSE requires Redis via `REDIS_URL`
Docs
Full guides and examples: https://sp500-mcp.vercel.app/
Contributing
Feel free to dive in! Open an issue or submit PRs.
Standard Readme follows the Contributor Covenant Code of Conduct.
Contributors
This project exists thanks to all the people who contribute.
License
GNU Affero General Public License v3.0 © MichaelSun