MCP server for Wundervault — give AI agents zero-knowledge vault secrets without exposing plaintext keys. AGPL-3.0.
git clone https://github.com/wundervault/wundervault-mcp{
"mcpServers": {
"wundervault-mcp": {
"command": "node",
"args": ["/path/to/wundervault-mcp/dist/index.js"]
}
}
}Resumen de MCP Servers
# @wundervault/mcp-server
[](https://www.npmjs.com/package/@wundervault/mcp-server)
[](https://registry.modelcontextprotocol.io/v0/servers?search=wundervault)
[](LICENSE)
MCP server for [Wundervault](https://wundervault.com) zero-knowledge secret management. Exposes vault secrets to AI agents via the [Model Context Protocol](https://modelcontextprotocol.io) — secrets are decrypted server-side and never returned to the agent in plaintext.
## Install
```bash
npm install -g @wundervault/mcp-server
```
## Quick Start
```json
{
"mcpServers": {
"wundervault": {
"command": "wundervault-mcp",
"env": {
"WUNDERVault_AGENT_VAULT_URL": "https://wundervault.com",
"WUNDERVault_AGENT_VAULT_API_KEY": "wv_agent_<AGENT_ID>|<KEY_SUFFIX>",
"WUNDERVault_AGENT_KEY": "<BASE64_ENCRYPTION_KEY>"
}
}
}
}
```
Or using a credentials file:
```bash
wundervault-mcp --credentials ~/.wundervault/creds.json
```
## Security Model
- **Zero-knowledge:** The encryption key lives only in the MCP server process. The Wundervault server never sees it.
- **Burn-after-reading:** Plaintext secrets are never returned to the calling agent. After decryption, the agent receives only `"Secret retrieved and burned."`.
- **Exec scrubbing:** If you use the `exec` parameter, stdout/stderr are scrubbed of the plaintext before being returned.
- **Directive integrity:** Server-side directive signatures (PBKDF2-HMAC-SHA256, 600k iterations) are verified before any secret is released.
- **Timing-safe:** HMAC comparison uses `crypto.timingSafeEqual`.
## Tools
### `vault_entries_list`
List all vault entries available to this agent. Returns entry IDs and secret names — no values.
```
Input: {}
Output: "Vault entries (N):\n [entry_id] secret_name (tier: read)"
```
### `vault_entry_get`
Retrieve and decrypt a vault secret. Optionally execute a command with it.
```
Input:
entry_id: string # from vault_entries_list
purpose: string # audit log reason
exec?: string # optional shell command
Output: "Secret retrieved and burned." (plaintext NEVER returned)
```
**Secure exec pattern** (sudo example):
```bash
sudo -S systemctl restart nginx <<< "$WUNDERVault_SECRET"
```
Do NOT use `echo $WUNDERVault_SECRET | sudo -S` — that exposes the secret in process logs.
### `vault_entry_forget`
Discard a local reference. No-op on the server.
```
Input: { entry_id: string }
Output: "Reference [id] discarded from local context."
```
## Credential Loading Priority
1. CLI flags (`--api-key`, `--enc-key`, `--url`)
2. Environment variables (`WUNDERVault_AGENT_VAULT_API_KEY`, `WUNDERVault_AGENT_KEY`, `WUNDERVault_AGENT_VAULT_URL`)
3. `WUNDERVault_CREDENTIALS_FILE` env var (explicit path)
4. `~/.wundervault/creds.json`
5. `~/.config/wundervault/credentials` (XDG)
### Credentials file format
```json
{
"agent_vault_url": "https://wundervault.com",
"agent_vault_api_key": "wv_agent_<ID>|<SUFFIX>",
"agent_encryption_key": "<BASE64_URL_SAFE_32_BYTES>"
}
```
## CLI Options
```
wundervault-mcp [options]
--api-key <key> Agent API key
--enc-key <key> Encryption key (base64 URL-safe)
--url <url> API base URL (default: https://wundervault.com)
--credentials <f> Path to credentials JSON file
--help Show help
```
## Building from source
```bash
git clone https://github.com/wundervault/wundervault-mcp.git
cd wundervault-mcp
npm install
npm run build # compiles TypeScript to dist/
npm test # run the test suite
```
## License
Licensed under the **GNU Affero General Public License v3.0 or later** (`AGPL-3.0-or-later`). See [LICENSE](LICENSE).
Wundervault is **open-core**: this MCP server and the client are open source; the hosted service at [wundervault.com](https://wundervault.com) is a commercial offering. For commercial or hosting inquiries, get in touch via [wundervault.com/contact](https://wundervault.com/contact).
Lo que la gente pregunta sobre wundervault-mcp
¿Qué es wundervault/wundervault-mcp?
+
wundervault/wundervault-mcp es mcp servers para el ecosistema de Claude AI. MCP server for Wundervault — give AI agents zero-knowledge vault secrets without exposing plaintext keys. AGPL-3.0. Tiene 0 estrellas en GitHub y se actualizó por última vez today.
¿Cómo se instala wundervault-mcp?
+
Puedes instalar wundervault-mcp clonando el repositorio (https://github.com/wundervault/wundervault-mcp) o siguiendo las instrucciones del README en GitHub. ClaudeWave también te ofrece bloques de instalación rápida en esta misma página.
¿Es seguro usar wundervault/wundervault-mcp?
+
wundervault/wundervault-mcp aún no ha sido auditado por nuestro agente de seguridad. Revisa el repositorio original en GitHub antes de usarlo en producción.
¿Quién mantiene wundervault/wundervault-mcp?
+
wundervault/wundervault-mcp es mantenido por wundervault. La última actividad registrada en GitHub es de today, con 0 issues abiertos.
¿Hay alternativas a wundervault-mcp?
+
Sí. En ClaudeWave puedes explorar mcp servers similares en /categories/mcp, ordenados por popularidad o actividad reciente.
Despliega wundervault-mcp en tu cloud
Lleva este repo a producción en minutos. Cada plataforma genera su propio entorno con variables de entorno editables.
¿Mantienes este repo? Añade un badge a tu README
Pega el badge en tu README de GitHub para mostrar que está auditado por ClaudeWave. Cada badge enlaza de vuelta a esta página y muestra el Trust Score actual.
[](https://claudewave.com/repo/wundervault-wundervault-mcp)<a href="https://claudewave.com/repo/wundervault-wundervault-mcp"><img src="https://claudewave.com/api/badge/wundervault-wundervault-mcp" alt="Featured on ClaudeWave: wundervault/wundervault-mcp" width="320" height="64" /></a>Más MCP Servers
Fair-code workflow automation platform with native AI capabilities. Combine visual building with custom code, self-host or cloud, 400+ integrations.
User-friendly AI Interface (Supports Ollama, OpenAI API, ...)
An open-source AI agent that brings the power of Gemini directly into your terminal.
The fastest path to AI-powered full stack observability, even for lean teams.
🕷️ An adaptive Web Scraping framework that handles everything from a single request to a full-scale crawl!
⭐AI-driven public opinion & trend monitor with multi-platform aggregation, RSS, and smart alerts.🎯 告别信息过载,你的 AI 舆情监控助手与热点筛选工具!聚合多平台热点 + RSS 订阅,支持关键词精准筛选。AI 智能筛选新闻 + AI 翻译 + AI 分析简报直推手机,也支持接入 MCP 架构,赋能 AI 自然语言对话分析、情感洞察与趋势预测等。支持 Docker ,数据本地/云端自持。集成微信/飞书/钉钉/Telegram/邮件/ntfy/bark/slack 等渠道智能推送。