HAPI Strava MCP Server

Score: B (7.0)

Strava MCP tools for AI: athletes, activities, segments, clubs, routes. Powered by HAPI MCP server.

Tags: streamable-http, ai-ml, cloud

Installation

Claude Desktop config (remote)

{
  "mcpServers": {
    "ai-com-mcp-strava": {
      "type": "streamable-http",
      "url": "https://strava.run.mcp.com.ai/mcp"
    }
  }
}

Cursor config

{
  "mcpServers": {
    "ai-com-mcp-strava": {
      "url": "https://strava.run.mcp.com.ai/mcp"
    }
  }
}

Security Report

Score Breakdown

Description: 10
Permissions: 10
Behavior: 4
Stability: --

Findings (7)

high
network-access

Remote HTTP Endpoint Without Visible Authentication

Server operates as a remote HTTP endpoint (streamable-http transport) at https://strava.run.mcp.com.ai/mcp. Remote servers accept connections from the internet and require authentication mechanisms to prevent unauthorized access. No authentication details are documented.

high
vague-description

Unclear Capability Scope

Description lists 5 Strava-related capabilities (athletes, activities, segments, clubs, routes) but provides no detail on what operations are supported (read-only vs. write), data access scope, or rate limiting. The phrase 'Powered by HAPI MCP server' is vague about actual functionality.

medium
excessive-scope

Broad Access to Personal Fitness Data

Server claims access to athletes, activities, segments, clubs, and routes—potentially including personal fitness data, location history, and social connections. Strava data can reveal sensitive information about user locations, routines, and social networks.

medium
credential-input

Strava API Credential Handling Not Documented

Server integrates with Strava API, which requires authentication tokens. No documentation on how credentials are handled, stored, or transmitted. Risk of credential exposure or improper token management.

low
info

Tools Not Fetched

Tool definitions are not available, preventing detailed analysis of input validation, prompt injection risks, or actual capability constraints. This limits security assessment depth.

low
info

Suspicious Domain Structure

The domain 'strava.run.mcp.com.ai' uses a .ai TLD and includes 'mcp.com.ai', which appears to be a subdomain structure. While not necessarily malicious, this is an unusual domain pattern that warrants verification.

info
vague-description

Semantic Analysis Summary

This Strava integration server presents moderate-to-high risk due to remote HTTP exposure without documented authentication, vague capability descriptions, and broad access to personal fitness data. The lack of tool definitions prevents deeper analysis. While the repository exists (positive signal), the remote endpoint architecture and credential handling concerns require clarification before deployment.

Last scanned 1h ago

Details

Version: 3.0.0+0.7.1
Transport: streamable-http
Capabilities: