Fine-tuned Disable Risky Servers
Battle-tested setting for disabling specific MCP servers that pose security risks. Includes structured workflows, validation checks, and reusable patterns for MCP.
Blacklist specific MCP servers that pose security risks or are unnecessary for your workflow.
When to Use This Setting
Apply this setting when you need to:
- Block known problematic MCP servers while allowing all other servers to function normally
- Create a security boundary that prevents specific integrations from accessing your development environment
- Maintain a curated deny list of servers identified as risky by your security team
Consider alternatives when:
- You prefer a whitelist approach where only explicitly approved servers are enabled
- You need to disable all MCP servers entirely rather than selectively blocking specific ones
Quick Start
Configuration
name: fine-tuned-disable-risky-servers
type: setting
category: mcp
Example Application
claude setting:apply fine-tuned-disable-risky-servers
Example Output
Setting applied. Changes:
- disabledMcpjsonServers: ["web-scraper", "system-admin", "network-tools"]
- All other MCP servers remain active
Core Concepts
MCP Server Security Overview
| Aspect | Details |
|---|---|
| Blacklist Approach | Explicitly named servers are blocked; all others are allowed by default |
| Server Identification | Servers are identified by their name as defined in .mcp.json configuration |
| Risk Categories | Servers with system access, network capabilities, or data exfiltration potential |
| Scope | Applies to all .mcp.json files discovered in the project and user configuration |
Server Filtering Architecture
+---------------------------+
|    .mcp.json Discovery    |
+---------------------------+
| Available Servers:        |
|  - memory        [OK]     |
|  - github        [OK]     |
|  - filesystem    [OK]     |
|  - web-scraper   [DENY]   |
|  - system-admin  [DENY]   |
|  - network-tools [DENY]   |
+---------------------------+
              |
         +----+----+
         |         |
         v         v
      Allowed   Blocked
      Servers   Servers
     (active)  (disabled)
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| disabledMcpjsonServers | array | [] | List of MCP server names to disable from .mcp.json files |
| disabledMcpjsonServers[0] | string | "web-scraper" | Example blocked server with web scraping capabilities |
| disabledMcpjsonServers[1] | string | "system-admin" | Example blocked server with system administration access |
| disabledMcpjsonServers[2] | string | "network-tools" | Example blocked server with network scanning capabilities |
| description | string | N/A | Explanation of the security rationale for blocking these servers |
Best Practices
- Document why each server is blocked - Maintain a companion document explaining the security rationale for each blocked server. This prevents team members from removing entries without understanding the risk.
- Review the deny list when adding new MCP servers - Each time a new server is added to your .mcp.json, cross-reference it against your security criteria. New servers may introduce capabilities that warrant blocking.
- Combine with network monitoring - MCP servers execute as separate processes. Even with this setting applied, monitor network traffic from your development machine to detect bypass attempts.
- Test server functionality after blocking - Some MCP servers have dependencies on other servers. Blocking one server may cause unexpected failures in another. Test your workflow after applying changes.
- Use the whitelist approach for high-security environments - If your security requirements are strict, consider the enable-specific-servers setting instead, which blocks everything by default and only allows explicitly named servers.
Common Issues
- Server name mismatch - The server name in disabledMcpjsonServers must exactly match the key in your .mcp.json file. Check for typos, case sensitivity, and naming conventions.
- Blocked server still accessible - If a server appears in multiple .mcp.json files with different names, the deny list may not catch all instances. Audit all configuration files for alternative registrations.
- Essential functionality lost after blocking - Some servers provide capabilities that other tools depend on. If workflows break after applying the deny list, check whether blocked servers were providing indirect services.
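The first two issues above (name mismatch and a blocked server registered again under another name) can be checked mechanically. The following Python audit is an added example, not part of the original template or of Claude Code. The file paths, server names and package names in the sample are constructed, and treating two entries with the same command and arguments as the same server is an assumption.

```python
import json

# Constructed sample: parsed contents of two .mcp.json files (hypothetical names).
SAMPLE_CONFIGS = {
    "project/.mcp.json": {"mcpServers": {
        "memory": {"command": "npx", "args": ["-y", "example-memory-server"]},
        "web-scraper": {"command": "npx", "args": ["-y", "example-web-scraper"]},
        "System-Admin": {"command": "example-sysadmin-mcp", "args": []}}},
    "user/.mcp.json": {"mcpServers": {
        "fetch-helper": {"command": "npx", "args": ["-y", "example-web-scraper"]}}},
}
SAMPLE_DENY = ["web-scraper", "system-admin", "network-tools"]

def launch_key(spec):
    """Identity of a server definition that does not depend on its name."""
    return (spec.get("command"), tuple(spec.get("args") or []), spec.get("url"))

def audit_deny_list(deny_list, configs):
    """configs maps a file path to the parsed content of one .mcp.json file."""
    servers = [(path, name, spec)
               for path, cfg in configs.items()
               for name, spec in cfg.get("mcpServers", {}).items()]
    names = {name for _, name, _ in servers}
    denied = set(deny_list)
    report = {"unmatched": [], "case_mismatch": [], "aliases": []}
    for entry in deny_list:
        if entry in names:
            continue  # exact match: this entry takes effect
        near = sorted(n for n in names if n.lower() == entry.lower())
        if near:
            report["case_mismatch"].append((entry, near))  # differs only by case
        else:
            report["unmatched"].append(entry)  # typo, or server not configured
    # A server that launches the same way as a blocked one, under another name,
    # is an alternative registration the deny list does not cover.
    blocked = {launch_key(spec): name
               for _, name, spec in servers if name in denied}
    for path, name, spec in servers:
        original = blocked.get(launch_key(spec))
        if original and name not in denied:
            report["aliases"].append((path, name, original))
    return report

if __name__ == "__main__":
    print(json.dumps(audit_deny_list(SAMPLE_DENY, SAMPLE_CONFIGS), indent=2))
```

An entry under `unmatched` is not necessarily an error, since a deny list may name servers that are not configured yet; `case_mismatch` and `aliases` entries are the ones to fix.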