Square MCP Server
MCP server for the Square payments and commerce API, auto-generated from OpenAPI spec
Server Info
- Package: square-mcp-server
- Registry: npm
- Repository: square/square-mcp-server
- Maintainer: Community
- Category: Finance & Payments
- Tags: payments, pos, commerce
- Last Scanned: 7 Apr 2026
Findings
9 issues
Authentication & Identity
HIGH: No per-request auth - requires instance-per-user
Stdio-only transport. Auth to Square API via ACCESS_TOKEN env var passed as Bearer token. Supports sandbox mode (SANDBOX=true) vs production. Has DISALLOW_WRITES env var that blocks write operations. No MCP OAuth or HTTP transport. The install command auto-configures Claude Desktop and Goose config ... For multi-tenant deployment, the platform must spawn a separate server instance per user.
Add HTTP/SSE transport to accept per-request Authorization headers, or implement the MCP OAuth spec.
Tool Schema Quality
MEDIUM: Only 0 of 3 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
CRITICAL: Dangerous execution surface: make_api_request accepts arbitrary service/method/request combinations with a passthrough object schema (z.object({}).passthrough()), bypassing all input validation. Any Square API endpoint including payments, customer deletion, and webhook management can be called through a single tool.
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
Permission Granularity
MEDIUM: 1 tool combines read and write operations
Extremely poor permission granularity. A single make_api_request tool handles ALL operations across 38 services including reads (list payments), writes (create payments, charge cards), and admin (delete customers, manage webhooks, manage OAuth tokens). The DISALLOW_WRITES flag provides some protection by checking isWrite on the method info, but there is no per-service or per-operation access control. The LLM must navigate service/method names correctly to avoid destructive actions.
Split into separate read and write tools.
HIGH: 1 destructive operation not isolated
Admin/delete tools are mixed with regular operations and cannot be independently disabled.
Namespace admin tools separately for independent access control.
LOW: Tool descriptions lack resource scope
Descriptions don't specify what data types or resources they access.
Add resource type statements to descriptions.
LLM Safety
HIGH: Tool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Maintenance & Trust
HIGH: 8 dependency vulnerabilities (1 critical, 3 high)
npm audit found 1 critical and 3 high severity CVEs.
Run `npm audit fix` and update vulnerable dependencies.
Tools
3 total

| Name | Description | Risk |
|---|---|---|
| make_api_request | Unified tool for all Square API operations. Be sure to get types before calling. Available services: applepay, bankaccounts, bookingcustomattributes, bookings, cards, cashdrawers, catalog, checkout, customercustomattributes, customergroups, customersegments, customers, devices, disputes, events, giftcardactivities, giftcards, inventory, invoices, labor, locationcustomattributes, locations, loyalty, merchantcustomattributes, merchants, oauth, ordercustomattributes, orders, payments, payouts, refunds, sites, snippets, subscriptions, team, terminal, vendors, webhooksubscriptions. | admin |
| get_type_info | Get type information for a Square API method. You must call this before calling the make_api_request tool. | read |
| get_service_info | Get information about a Square API service. Call me before trying to get type info | read |