Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
mcp-executor
Artifacts are distributable versions of a package. It typically includes the source code and metadata
Advanced tools
mcp-executor
Run a FastMCP proxy that lists and invokes every MCP tool from the CLI or an HTTP server.
- Version
- 0.1.0
- Maintainers
- 1
mcp-executor
mcp-executor is a lightweight FastMCP driver that discovers every MCP tool
exposed by your configured backends, prints Python-like signatures, and lets you
invoke them either from the command line or through a minimal FastMCP server.
Why use it?
- 📋 Discoverability: Generate readable signatures for every tool so you know which arguments to pass.
- ⚡ Fast iteration: Jump between running the HTTP/stdio server and issuing one-off tool calls without reconfiguring clients.
- 🧰 Batteries included: Ships with a
uv-first workflow for building, testing, and publishing to PyPI.
Installation
pip install mcp-executor
or, if you prefer the uv toolchain:
uv tool install mcp-executor
Configuration
Point the CLI at an MCP client definition. Copy mcp.json.example into your
workspace, adjust the upstream server definitions, and pass the path with
-c/--config.
cp mcp.json.example ~/.config/mcp-executor/mcp.json
Usage
List available tools and inspect their signatures:
mcp-executor list -c ~/.config/mcp-executor/mcp.json
Call a tool directly:
mcp-executor call -c ~/.config/mcp-executor/mcp.json weather --arg city="Lisbon"
Run the FastMCP server (HTTP by default):
mcp-executor serve -c ~/.config/mcp-executor/mcp.json --transport http --host 0.0.0.0 --port 23456
Every command shares the --config option so you can point at different MCP
client definitions per invocation.
Local development
uv venv --seed
uv sync
uv run mcp-executor list -c mcp.json.example
The repository still ships main.py so you can run ./main.py list ... directly
with uv run if you prefer scripting locally.
Releasing with uv
- Bump
versioninsidepyproject.toml. - Build and verify the artifacts:
uv build uv run python -m mcp_executor.cli --help - Publish to PyPI with an API token (create one under your PyPI account and
store it securely):
export PYPI_API_TOKEN="pypi-xxxxxxxxxxxxxxxxxxxxxxxx" uv publish --token "$PYPI_API_TOKEN" - Tag the release in git and push (
git tag v0.1.1 && git push --tags).
GitHub Action publish workflow
The repository includes .github/workflows/publish.yml, which builds the wheel
and sdist via uv build and calls uv publish --token $PYPI_API_TOKEN. Add a
PYPI_API_TOKEN secret (scoped to “Publish to PyPI”) in your repository settings
and trigger the workflow from the Actions tab or by creating a GitHub Release.
Keywords
FAQs
Run a FastMCP proxy that lists and invokes every MCP tool from the CLI or an HTTP server.
We found that mcp-executor demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025