squads-mcp

v0.1.0

Published

Secure MCP implementation for Squads multisig management on Solana blockchain

Downloads

17

Readme

Squads MCP: Secure Multisig Management for Solana

A secure Model Context Protocol (MCP) implementation for Squads multisig management on Solana blockchain. This toolkit prioritizes security at every step while enabling LLMs to safely interact with multisig accounts.

🔐 Security-First Design

Squads MCP implements multiple security layers to protect your assets and multisig operations:

  • Local Private Key Storage: Keys never leave your device, unlike web wallets or browser extensions
  • Permission Separation: Distinct INITIATE, EXECUTE, and VOTE roles prevent single-point compromise
  • Time Lock Support: Configure mandatory waiting periods before sensitive transactions execute
  • Comprehensive Security Auditing: Built-in AUDIT_MULTISIG_SECURITY tool scores your configuration
  • Security-Focused Schemas: Every tool includes explicit security warnings and verification steps
  • Threshold Recommendations: Smart defaults for different multisig types (Reserve, Operations, etc.)
  • Secure Connection Management: Easily switch between networks for testing and production

📋 Features

Multisig Management

  • Create new multisig accounts with customizable permissions
  • Import existing multisig accounts
  • Audit multisig security with detailed recommendations
  • Configure thresholds, permissions, and time locks

Transaction Handling

  • Create and manage proposals
  • Vote on proposals (approve/reject)
  • Execute approved transactions
  • Cancel pending proposals

Asset Management

  • View SOL and token balances in vaults
  • Transfer SOL from vaults
  • Fund vaults

🛡️ Security Best Practices

The implementation promotes Squads security best practices:

  1. Separation of Duties:

    • Keep INITIATE and EXECUTE roles separate
    • Avoid giving ALL permissions to any member
  2. Proper Thresholds:

    • For Reserve multisigs: 6+ members, 4+ threshold
    • For Program Upgrade multisigs: 6+ members, 4+ threshold
    • For Operations multisigs: 3+ members, 2+ threshold
  3. Time Locks:

    • Reserve: 3600+ seconds (1 hour)
    • Program Upgrade: 600+ seconds (10 minutes)
    • Operations: 300+ seconds (5 minutes)
  4. Hardware Security:

    • Use hardware wallets for critical multisigs
    • Consider multiple hardware wallet vendors
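
The minimums listed above can be checked mechanically before a multisig is put into use. This is an added example, not code from squads-mcp or its AUDIT_MULTISIG_SECURITY tool; the type and function names (MultisigConfig, auditConfig) and the sample configuration are hypothetical, and it assumes only members holding VOTE count toward the threshold.

```typescript
// Added example; names are hypothetical, not the squads-mcp API.
type Permission = "INITIATE" | "VOTE" | "EXECUTE";
type Kind = "Reserve" | "Program Upgrade" | "Operations";
interface Member { key: string; permissions: Permission[] }
interface MultisigConfig { kind: Kind; threshold: number; timeLockSeconds: number; members: Member[] }

// Minimums taken from the Proper Thresholds and Time Locks lists above.
const MINIMUMS: Record<Kind, { members: number; threshold: number; timeLock: number }> = {
  "Reserve": { members: 6, threshold: 4, timeLock: 3600 },
  "Program Upgrade": { members: 6, threshold: 4, timeLock: 600 },
  "Operations": { members: 3, threshold: 2, timeLock: 300 },
};

const has = (m: Member, p: Permission): boolean => m.permissions.indexOf(p) !== -1;

function auditConfig(cfg: MultisigConfig): string[] {
  const min = MINIMUMS[cfg.kind];
  const findings: string[] = [];
  const voters = cfg.members.filter((m) => has(m, "VOTE")).length;
  if (cfg.members.length < min.members)
    findings.push(`members: ${cfg.members.length} < ${min.members}`);
  if (cfg.threshold < min.threshold)
    findings.push(`threshold: ${cfg.threshold} < ${min.threshold}`);
  // Assumption: only members holding VOTE count toward the threshold.
  if (cfg.threshold > voters)
    findings.push(`threshold: ${cfg.threshold} unreachable with ${voters} voters`);
  if (cfg.timeLockSeconds < min.timeLock)
    findings.push(`timelock: ${cfg.timeLockSeconds}s < ${min.timeLock}s`);
  for (const m of cfg.members) {
    if (has(m, "INITIATE") && has(m, "EXECUTE"))
      findings.push(`separation: ${m.key} holds both INITIATE and EXECUTE`);
  }
  return findings;
}

// Constructed sample: an Operations multisig with no time lock and one member holding every role.
const SAMPLE: MultisigConfig = {
  kind: "Operations", threshold: 2, timeLockSeconds: 0,
  members: [
    { key: "member-A", permissions: ["INITIATE", "VOTE", "EXECUTE"] },
    { key: "member-B", permissions: ["VOTE"] },
    { key: "member-C", permissions: ["EXECUTE"] },
  ],
};
console.log(auditConfig(SAMPLE));
```

An empty result means the configuration meets every minimum in the list; each string names the rule that failed and the observed value.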

🔧 How It Works

This project leverages the Model Context Protocol (MCP) to enable secure interaction between LLMs and Squads multisig functionality. MCP provides a standardized way for AI models to use external tools while maintaining security and context.

┌─────────┐    ┌──────────────┐    ┌────────────┐    ┌────────┐
│   LLM   │<-->│ MCP Protocol │<-->│ Squads MCP │<-->│ Solana │
└─────────┘    └──────────────┘    └────────────┘    └────────┘

🚀 Getting Started

Prerequisites

  • Node.js v16+
  • Solana CLI tools (optional)
  • A Solana wallet (preferably a hardware wallet for production use)

Installation

git clone https://github.com/dorkydhruv/squads-mcp.git
cd squads-mcp
pnpm install
pnpm build

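Configuration for claude_desktop_config.json

Replace the placeholder with the absolute path to the built entry point (e.g. ~/Projects/squads-mcp/dist/index.js, written out as a full absolute path). The file must be plain JSON, which does not allow comments.

{
  "mcpServers": {
    "squads-mcp": {
      "command": "node",
      "args": [
        "/ABSOLUTE/PATH/TO/YOUR/MCP/PROJECT/FILE"
      ]
    }
  }
}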

📚 Available Tools

Configuration Tools

  • CONNECTION_UPDATE: Set Solana connection
  • SHOW_CONFIG: Display current configuration

Squads Multisig Tools

  • CREATE_SQUADS_MULTISIG: Create a new multisig
  • IMPORT_SQUADS_MULTISIG: Import existing multisig
  • GET_MULTISIG_ACCOUNT: View multisig details
  • AUDIT_MULTISIG_SECURITY: Security audit with recommendations

Proposal Management

  • CREATE_PROPOSAL: Create a new proposal
  • APPROVE_PROPOSAL: Vote to approve a proposal
  • REJECT_PROPOSAL: Vote to reject a proposal
  • CANCEL_PROPOSAL: Cancel a pending proposal
  • GET_PROPOSAL: View a specific proposal
  • GET_PROPOSALS: List all proposals

Transaction Execution

  • EXECUTE_CONFIG_TRANSACTION: Execute configuration changes
  • EXECUTE_VAULT_TRANSACTION: Execute vault transactions

Asset Management

  • GET_ASSETS: View assets in a multisig vault
  • FUND_VAULT: Send SOL to a vault
  • TRANSFER_SOL_FROM_VAULT: Send SOL from a vault

🔒 Security Recommendations

  1. Always verify addresses: Double-check multisig addresses before operations
  2. Follow the two-minute rule: Wait at least 2 minutes after approvals before executing critical transactions
  3. Run regular security audits: Use AUDIT_MULTISIG_SECURITY after any configuration changes
  4. Implement proper access control: Separate proposal creation from execution roles
  5. Use secure devices: Perform sensitive operations on dedicated, secure devices
  6. Consider transaction simulation: Test critical transactions in a safe environment first

🧩 Protocol Overview: Model Context Protocol (MCP)

This project is built on the Model Context Protocol (MCP), an open protocol for secure, context-aware automation and agent workflows. MCP enables tools and agents (including LLMs) to interact with user data and actions in a controlled, auditable, and privacy-preserving way. By leveraging MCP, Squads MCP ensures that all tool invocations are contextually validated and logged, reducing the risk of unauthorized or unintended actions.

🛡️ Additional Security Considerations

  • No Third-Party Custody: All private keys are managed and stored locally. There is no cloud sync, remote backup, or third-party custody, minimizing the risk of remote compromise.
  • Direct Solana RPC Usage: All blockchain interactions are performed directly from your environment, with no intermediaries or delegated signing. Only the locally stored private key is used for signing transactions, and only with explicit user action.
  • Transparency and Auditability: Tools like SHOW_CONFIG, GET_MULTISIG_ACCOUNT, and GET_PROPOSALS provide full visibility into your configuration, multisig state, and proposal history, supporting transparency and review.
  • Explicit Security Warnings: Tool schemas and prompts include explicit warnings and verification steps (e.g., "Double-check this address", "Use a hardware wallet for large amounts").
  • Operational Security Guidance: The built-in audit tool provides actionable recommendations, such as using hardware wallets, segmenting treasuries, and rotating keys. Time lock checks enforce best practices for critical accounts.
  • No Implicit Actions: All actions require explicit invocation and confirmation, reducing the risk of accidental or automated misuse.
  • Minimal Attack Surface: The codebase is designed to minimize dependencies and avoid unnecessary network exposure. Only essential ports and endpoints are enabled.

🧑‍💻 Developer Notes

  • All tools are registered in src/tools/index.ts and exposed via the MCP server.
  • The codebase is modular, making it easy to extend with new tools or adapt to future MCP or Squads protocol updates.
  • Security is a process: regularly review, audit, and update your configuration and dependencies.

📕 Additional Resources