Square MCP Server
MCP server for the Square payments and commerce API, auto-generated from OpenAPI spec
Score Breakdown
Server Info
- Package
- square-mcp-server
- Registry
- npm
- Repository
- square/square-mcp-server
- Maintainer
- CommunityVendor
- Category
- Finance & Payments
- Tags
- paymentsposcommerce
- Last Scanned
- 7 Apr 2026
Findings
9 issuesAuthentication & Identity
LOWImplements MCP OAuth spec for per-user authentication
Square launched a hosted remote MCP server at mcp.squareup.com/sse using OAuth 2.1 with per-application scoped authorization, now the recommended connection method over the legacy ACCESS_TOKEN env-var mode. The repository is auto-generated from Square's OpenAPI spec under the official Square org.
Document the required OAuth scopes for each tool.
Tool Schema Quality
MEDIUMOnly 0 of 3 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
CRITICALDangerous execution surface: make_api_request accepts arbitrary service/method/request combinations with a passthrough object schema (z.object({}).passthrough()), bypassing all input validation. Any Square API endpoint including payments, customer deletion, and webhook management can be called through a single tool.
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
Permission Granularity
MEDIUM1 tools combine read and write operations
Extremely poor permission granularity. A single make_api_request tool handles ALL operations across 38 services including reads (list payments), writes (create payments, charge cards), and admin (delete customers, manage webhooks, manage OAuth tokens). The DISALLOW_WRITES flag provides some protection by checking isWrite on the method info, but there is no per-service or per-operation access control. The LLM must navigate service/method names correctly to avoid destructive actions.
Split into separate read and write tools.
HIGH1 destructive operations not isolated
Admin/delete tools are mixed with regular operations and cannot be independently disabled.
Namespace admin tools separately for independent access control.
LOWTool descriptions lack resource scope
Descriptions don't specify what data types or resources they access.
Add resource type statements to descriptions.
LLM Safety
HIGHTool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
LOWNo field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Maintenance & Trust
HIGH8 dependency vulnerabilities (1 critical, 3 high)
npm audit found 1 critical and 3 high severity CVEs.
Run `npm audit fix` and update vulnerable dependencies.
Tools
3 total| Name | Description | Risk |
|---|---|---|
| make_api_request | Unified tool for all Square API operations. Be sure to get types before calling. Available services: applepay, bankaccounts, bookingcustomattributes, bookings, cards, cashdrawers, catalog, checkout, customercustomattributes, customergroups, customersegments, customers, devices, disputes, events, giftcardactivities, giftcards, inventory, invoices, labor, locationcustomattributes, locations, loyalty, merchantcustomattributes, merchants, oauth, ordercustomattributes, orders, payments, payouts, refunds, sites, snippets, subscriptions, team, terminal, vendors, webhooksubscriptions. | admin |
| get_type_info | Get type information for a Square API method. You must call this before calling the make_api_request tool. | read |
| get_service_info | Get information about a Square API service. Call me before trying to get type info | read |
Deploy Square MCP Server securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.
Deploy on CompleteFlow