Security and Feature Parity with Docker `-e` Flag

Resolved 💬 4 comments Opened May 19, 2025 by gwpl Closed Jan 7, 2026

Description

When adding an MCP server via claude mcp add -t stdio -e, the current CLI requires an explicit KEY=VAL assignment. Docker’s -e flag allows both -e KEY=VAL and -e KEY (where KEY is read from the host environment). For consistency and security, Claude Code’s MCP integration should support the latter form.

Current Behavior

  • Invoking:

``bash
claude mcp add -t stdio -e MY_SECRET=foo toolname toolcli ...
``

works as expected.

  • Invoking:

``bash
claude mcp add -t stdio -e MY_SECRET toolname toolcli ...
``

fails with an error, refusing to read MY_SECRET from the environment.

Expected Behavior

Support both forms of the -e flag:

  1. Explicit assignment: -e KEY=VAL
  2. Implicit lookup: -e KEY
  • If KEY exists in the user’s environment, its value is injected.
  • If KEY is unset is it unclear with claude mcp add --help if the CLI will provide secret from environment

Proposed Implementation

  • In the flag parser for -e:
  1. Detect absence of =.
  2. Attempt to getenv(KEY).
  3. On success, proceed as if KEY=VALUE was supplied.
  4. On failure, return a user-friendly error.

Additionally there should be way to devine this in .mcp.json how to annotate variables for which claude should provide value from enviornment , possible ways:

  • "KEY":"" - empty string as
  • "KEY":"${KEY}" - use bash dollar with curly brackets to define environment variable to fetch from...
  • Update documentation (including claude mcp add --hhelp ) to reflect both usages.

Reproduction

  1. Ensure MY_SECRET is not defined:

``bash
unset MY_SECRET
``

  1. Run:

``bash
claude mcp add -t stdio -e MY_VAR mcp-stdio-env-var-server mcp-stdio-env-var-server
``

  1. Observe the error.
  1. Define MY_SECRET:

``bash
export MY_VAR="magicvar"
``

  1. Run again:

``bash
claude mcp -p 'use mcp-stdio-env-var-server server to display MY_VAR environment variable and tell me what is this variable value now? "
``

  1. Verify that MY_VAR is available inside the container.

Additional Context

This change will align Claude Code’s CLI with established Docker conventions, improving security (by avoiding commits of secrets in CI/CD scripts) and overall UX consistency.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗