
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
@selfagency/git-mcp
Advanced tools
A Git MCP server that doesn't suck
Exposes the full Git workflow to any MCP-compatible AI client — inspect, write, branch, remote, stash, rebase, LFS, git-flow, documentation lookup, and more. Designed to be safe by default, composable, and fast. Powered by simple-git.
git-flow CLIrepo_path per-call or configure a server-level defaultnpx @selfagency/git-mcp --repo-path /path/to/your/repo
npm install -g @selfagency/git-mcp
git-mcp --repo-path /path/to/your/repo
Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"git": {
"command": "npx",
"args": ["-y", "@selfagency/git-mcp", "--repo-path", "/path/to/your/repo"]
}
}
}
Add to .vscode/mcp.json in your project:
{
"servers": {
"git": {
"command": "npx",
"args": ["-y", "@selfagency/git-mcp", "--repo-path", "${workspaceFolder}"]
}
}
}
All configuration is via environment variables. Pass them in your MCP client config:
| Variable | Default | Description |
|---|---|---|
GIT_REPO_PATH | — | Default repository path (also: --repo-path CLI arg) |
GIT_ALLOW_NO_VERIFY | false | Allow --no-verify on commit/push (bypasses hooks) |
GIT_ALLOW_FORCE_PUSH | false | Allow --force on push |
GIT_AUTO_SIGN_COMMITS | false | Automatically sign every commit |
GIT_AUTO_SIGN_TAGS | false | Automatically sign every tag |
GIT_SIGNING_KEY | — | Default GPG key ID or SSH key path |
GIT_SIGNING_FORMAT | — | Signing format: openpgp, ssh, or x509 |
| Tool | Description |
|---|---|
git_status | Working tree and branch status |
git_log | Commit history with filters and pagination |
git_show | Patch and metadata for any ref |
git_diff | Unstaged, staged, or ref-to-ref diff |
git_blame | Line-level author attribution |
git_reflog | HEAD movement history for recovery |
| Tool | Description |
|---|---|
git_add | Stage files |
git_restore | Restore paths from index or a source ref |
git_commit | Create commits (amend, sign, no-verify) |
git_reset | Soft/mixed/hard reset |
git_revert | Safe undo via revert commit |
| Tool | Description |
|---|---|
git_list_branches | List local or all branches |
git_create_branch | Create branch from HEAD or ref |
git_delete_branch | Delete a local branch |
git_rename_branch | Rename a branch |
git_checkout | Switch to branch, tag, or commit |
git_set_upstream | Set upstream tracking |
| Tool | Description |
|---|---|
git_remote | Add, remove, or set-url for a remote |
git_fetch | Fetch with optional pruning |
git_pull | Pull with merge or rebase |
git_push | Push (force-with-lease, force, no-verify) |
| Tool | Description |
|---|---|
git_stash | Save, list, apply, pop, or drop stashes |
git_rebase | Start, continue, skip, or abort rebase |
git_cherry_pick | Start, continue, or abort cherry-pick |
git_bisect | Binary search to find regressions |
git_tag | List, create, or delete tags (with signing) |
git_worktree | Add, list, or remove worktrees |
git_submodule | Add, list, update, or sync submodules |
| Tool | Description |
|---|---|
git_context_summary | High-signal repo summary for LLM workflows |
git_search | Pickaxe + grep across history |
git_get_config | Read git config values |
git_set_config | Write repository-local git config |
| Tool | Description |
|---|---|
git_lfs | Track patterns, pull/push objects, install hooks, migrate |
| Tool | Description |
|---|---|
git_flow | Init, feature, release, hotfix, support workflows |
| Tool | Description |
|---|---|
git_docs | Search git-scm.com or fetch man pages |
URI-addressable read-only snapshots (subscribe-capable):
| Resource URI | Content |
|---|---|
git+repo://status/{repo_path} | Working tree status (JSON) |
git+repo://log/{repo_path} | Recent commit log (JSON) |
git+repo://branches/{repo_path} | Branch list (JSON) |
git+repo://diff/{repo_path} | Unstaged + staged diff (JSON) |
# Clone and install
git clone https://github.com/selfagency/git-mcp.git
cd git-mcp
pnpm install
# Run in development mode (hot reload)
pnpm dev
# Build
pnpm build
# Run tests
pnpm test
# Type check
pnpm typecheck
# Lint
pnpm lint
# Docs (dev server)
pnpm docs:dev
# Docs (build)
pnpm docs:build
destructiveHint: true in their MCP annotationsgit_reset --hard requires confirm=true--force) is disabled unless GIT_ALLOW_FORCE_PUSH=true--no-verify) is disabled unless GIT_ALLOW_NO_VERIFY=trueMIT © Daniel Sieradski
FAQs
A Git MCP server that doesn't suck
The npm package @selfagency/git-mcp receives a total of 15 weekly downloads. As such, @selfagency/git-mcp popularity was classified as not popular.
We found that @selfagency/git-mcp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.