Netlify MCP Server
Official Netlify MCP server for managing projects, deploys, teams, extensions, and env vars
Server Info
- Package: @netlify/mcp
- Registry: npm
- Repository: netlify/netlify-mcp
- Maintainer: Netlify (Vendor)
- Category: Cloud & Infrastructure
- Tags: hosting, deployment, jamstack
- Last Scanned: 7 Apr 2026
Findings
9 issues
Authentication & Identity
LOW: Implements MCP OAuth spec for per-user authentication
Dual transport: stdio (local) and StreamableHTTP (remote via Netlify Functions). Local mode reads Netlify CLI config for auth token or falls back to NETLIFY_PERSONAL_ACCESS_TOKEN env var; can also trigger 'netlify login' interactively. Remote mode has a full OAuth flow implemented in netlify/functions/ with OIDC provider, JWE token encryption (jose library), and a proxy edge function. Remote MCP expects Bearer token in Authorization header, which can be a Netlify access token (nfu/nfp/nfo prefix) or a JWE-encrypted token. The remote deployment also filters tools differently (omitFromRemoteMCP/omitFromLocalMCP flags).
Document the required OAuth scopes for each tool.
Tool Schema Quality
HIGH: Required fields missing on 3 write operations
Write tools without required field declarations: deploy-site, create-new-project, initialize-database.
Add required arrays to all write/delete tool schemas.
Permission Granularity
MEDIUM: 1 tool combines read and write operations
Tools are categorized by readOnlyHint annotation into read and write groups. They are registered as grouped domain tools (e.g., netlify-project-services-reader, netlify-project-services-updater) which bundles multiple operations under a single tool name with a selector schema. manage-form-submissions is mixed (get-submissions reads, delete-submission writes). There are no explicit admin/destructive tools. No project deletion tool exists. In grouped mode, descriptions are auto-generated and generic (e.g., 'Select and run one of the following Netlify read operations'). In verbose mode (--verbose flag), each tool is registered individually with slightly more specific descriptions.
Split into separate read and write tools.
LOW: Tool descriptions lack resource scope
Descriptions don't specify what data types or resources they access.
Add resource type statements to descriptions.
LLM Safety
MEDIUM: 4 tool descriptions are too vague
Short or generic descriptions make tool selection unreliable.
Expand descriptions with specific actions, data types, and side effects.
HIGH: Tool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
MEDIUM: 3 list operations lack pagination
get-projects uses API-level pagination (page/page_size up to 100 pages, with 22s timeout). manage-form-submissions has limit/offset parameters. When more than 20 sites are returned, get-projects automatically reduces the response to essential fields (id, name, url, teamId). get-teams, get-extensions, and get-forms-for-project have no pagination. Full records are returned otherwise.
Add limit/offset or cursor-based pagination.
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Maintenance & Trust
MEDIUM: 14 dependency vulnerabilities (9 high)
npm audit found 9 high severity CVEs.
Update vulnerable dependencies.
Tools
20 total

| Name | Description | Risk |
|---|---|---|
| netlify-coding-rules | ALWAYS call when writing serverless or Netlify code. required step before creating or editing any type of functions, Netlify sdk/library usage, etc. | read |
| get-user | get-user operation for Netlify user (read-only) | read |
| get-teams | get-teams operation for Netlify team (read-only) | read |
| get-team | get-team operation for Netlify team (read-only) | read |
| get-project | get-project operation for Netlify project (read-only) | read |
| get-projects | get-projects operation for Netlify project (read-only) | read |
| get-forms-for-project | get-forms-for-project operation for Netlify project (read-only) | read |
| get-deploy | get-deploy operation for Netlify deploy (read-only) | read |
| get-deploy-for-site | get-deploy-for-site operation for Netlify deploy (read-only) | read |
| get-extensions | get-extensions operation for Netlify extension (read-only) | read |
| get-full-extension-details | get-full-extension-details operation for Netlify extension (read-only) | read |
| deploy-site | deploy-site operation for Netlify deploy | write |
| create-new-project | create-new-project operation for Netlify project | write |
| update-project-name | update-project-name operation for Netlify project | write |
| update-visitor-access-controls | update-visitor-access-controls operation for Netlify project | write |
| update-forms | update-forms operation for Netlify project | write |
| manage-form-submissions | manage-form-submissions operation for Netlify project | write |
| manage-env-vars | manage-env-vars operation for Netlify project | write |
| change-extension-installation | change-extension-installation operation for Netlify extension | write |
| initialize-database | initialize-database operation for Netlify extension | write |