github analyzed 9468d81

icoretech/warden-mcp

🔐 Streamable HTTP + stdio MCP server for Vaultwarden/Bitwarden

maintainer: icoretech
license: MIT
first seen: 2026-06-06
last seen: 2026-06-17
releases · 30d: 6
short id

Drift inferred · capture-to-capture

  1. HIGH code analysis flagged committed secret in icoretech/warden-mcp

capabilities 25 tools
transport: stdio · streamable-http · http
counts: 25 tools · 0 res · 0 prompts
permission surface via code analysis

tools

  • keychain_create_attachment, keychain_delete_attachment, keychain_get_attachment
  • keychain_create_login, keychain_create_note, keychain_create_card, keychain_create_identity, keychain_create_ssh_key
  • keychain_delete_item, keychain_restore_item
  • keychain_encode (base64-encode a string via bw encode)
  • keychain_generate (returns a generated secret only when reveal: true)
  • keychain_get_attachment accepts an attachment id or an unambiguous filename and returns { filename, bytes, contentBase64 }; decode contentBase64 locally when you need the original file bytes
  • keychain_get_folder, keychain_get_collection, keychain_get_organization, keychain_get_org_collection
  • keychain_get_item exposes safe attachment metadata (id, fileName, size) while redacting signed download URLs, so clients can discover the exact attachment id before downloading
  • keychain_get_password / keychain_get_totp / keychain_get_notes (only return real values when reveal: true)
  • keychain_get_password_history (only returns historic passwords when reveal: true)
  • keychain_get_uri, keychain_get_exposed
  • keychain_get_username (returns { kind:"username", value, revealed:true })
  • keychain_list_folders, keychain_create_folder, keychain_edit_folder, keychain_delete_folder
  • keychain_list_org_collections, keychain_create_org_collection, keychain_edit_org_collection, keychain_delete_org_collection
  • keychain_list_organizations, keychain_list_collections
  • keychain_move_item_to_organization moves an item out of the personal vault and into an organization, optionally assigning collection ids at the same time.
  • keychain_receive
  • keychain_sdk_version (returns the Bitwarden SDK version used by the CLI)
  • keychain_search_items, keychain_get_item, keychain_update_item
  • keychain_send_create is the quick path for text or file Sends through the normal bw send flags. keychain_send_template, keychain_send_create_encoded, and keychain_send_edit are for the full Bitwarden Send JSON template or
  • keychain_send_create_encoded, keychain_send_edit (advanced create/edit via bw send create
  • keychain_send_list, keychain_send_template, keychain_send_get
  • keychain_send_remove_password, keychain_send_delete
  • keychain_status
  • keychain_sync (pull latest vault data from server via bw sync)

skills & danger signals github-tarball
prompt-surface shipped agent-instruction files + hidden-content / dangerous-code findings — quoted from the analyzed source

analyzed commit 9468d81 · analyzer v18 · 10h ago

skills & prompt files 1

code evidence v0.2.26 · github-tarball
evidence-backed findings quoted directly from the published source artifact — not inferred

filesystem 7

  • fs icoretech-warden-mcp-9468d81/bin/patch-bitwarden-cli-lib.js :1 import { readFileSync, writeFileSync } from 'node:fs';
  • fs icoretech-warden-mcp-9468d81/bin/warden-mcp.js :5 import { existsSync } from 'node:fs';
  • fs icoretech-warden-mcp-9468d81/scripts/vaultwarden-bootstrap.mjs :1 import fs from 'node:fs/promises';
  • fs icoretech-warden-mcp-9468d81/src/bw/bwPool.ts :4 import { mkdir } from 'node:fs/promises';
  • fs icoretech-warden-mcp-9468d81/src/bw/bwSession.ts :3 import { mkdir, readFile, rm, writeFile } from 'node:fs/promises';
  • fs icoretech-warden-mcp-9468d81/src/bw/resolveBwBin.ts :1 import { accessSync, constants, readFileSync } from 'node:fs';
  • fs icoretech-warden-mcp-9468d81/src/sdk/keychainSdk.ts :3 import { mkdtemp, readFile, rm, writeFile } from 'node:fs/promises';

shell / exec 2

  • shell icoretech-warden-mcp-9468d81/src/bw/bwCli.ts :3 import { spawn } from 'node:child_process';
  • shell icoretech-warden-mcp-9468d81/src/startup/bwStartup.ts :1 import { spawnSync } from 'node:child_process';

network 2

  • net icoretech-warden-mcp-9468d81/scripts/session-flood-regression.mjs :46 const response = await fetch(sseUrl, {
  • net icoretech-warden-mcp-9468d81/src/transports/http.ts :4 import type { IncomingMessage, ServerResponse } from 'node:http';

secrets 8

  • secrets icoretech-warden-mcp-9468d81/scripts/session-flood-regression.mjs :8 const baseUrl = (process.env.KEYCHAIN_FLOOD_BASE_URL ?? 'http://127.0.0.1:3005')
  • secrets icoretech-warden-mcp-9468d81/scripts/vaultwarden-bootstrap.mjs :21 const apiKeyEnvFile = (process.env.VW_APIKEY_ENV_FILE ?? '').trim();
  • secrets icoretech-warden-mcp-9468d81/src/bw/bwCli.ts :98 (process.env.KEYCHAIN_DEBUG_BW ?? 'false').toLowerCase() === 'true';
  • secrets icoretech-warden-mcp-9468d81/src/bw/bwSession.ts :59 const clientSecret = process.env.BW_CLIENTSECRET;
  • secrets icoretech-warden-mcp-9468d81/src/sdk/keychainSdk.ts :330 (process.env.KEYCHAIN_SYNC_ON_WRITE ?? 'true').toLowerCase() === 'true'
  • secrets icoretech-warden-mcp-9468d81/src/tools/registerTools.ts :81 process.env.KEYCHAIN_TEXT_COMPAT_MODE?.trim().toLowerCase();
  • secrets icoretech-warden-mcp-9468d81/src/transports/http.ts :56 parsePositiveInt(process.env.KEYCHAIN_SESSION_TTL_MS, 15 * 60 * 1000);
  • secrets icoretech-warden-mcp-9468d81/src/transports/stdio.ts :21 process.env.KEYCHAIN_BW_HOME_ROOT ??

install hooks 1

  • postinstall icoretech-warden-mcp-9468d81/package.json :37 node bin/patch-bitwarden-cli.js

declared dependencies 10

  • @modelcontextprotocol/sdk@^1.29.0
  • express@^5.2.1
  • zod@^4.4.3
  • @biomejs/biome@^2.5.0
  • @types/express@^5.0.6
  • @types/node@^25.9.3
  • playwright@1.61.0
  • tsx@^4.22.4
  • typescript@^6.0.3
  • @bitwarden/cli@2026.5.0