Security and Feature Parity with Docker `-e` Flag
Description
When adding an MCP server via claude mcp add -t stdio -e, the current CLI requires an explicit KEY=VAL assignment. Docker’s -e flag allows both -e KEY=VAL and -e KEY (where KEY is read from the host environment). For consistency and security, Claude Code’s MCP integration should support the latter form.
Current Behavior
- Invoking:
``bash``
claude mcp add -t stdio -e MY_SECRET=foo toolname toolcli ...
works as expected.
- Invoking:
``bash``
claude mcp add -t stdio -e MY_SECRET toolname toolcli ...
fails with an error, refusing to read MY_SECRET from the environment.
Expected Behavior
Support both forms of the -e flag:
- Explicit assignment:
-e KEY=VAL - Implicit lookup:
-e KEY
- If
KEYexists in the user’s environment, its value is injected. - If
KEYis unset is it unclear withclaude mcp add --helpif the CLI will provide secret from environment
Proposed Implementation
- In the flag parser for
-e:
- Detect absence of
=. - Attempt to
getenv(KEY). - On success, proceed as if
KEY=VALUEwas supplied. - On failure, return a user-friendly error.
Additionally there should be way to devine this in .mcp.json how to annotate variables for which claude should provide value from enviornment , possible ways:
- "KEY":"" - empty string as
- "KEY":"${KEY}" - use bash dollar with curly brackets to define environment variable to fetch from...
- Update documentation (including
claude mcp add --hhelp) to reflect both usages.
Reproduction
- Ensure
MY_SECRETis not defined:
``bash``
unset MY_SECRET
- Run:
``bash``
claude mcp add -t stdio -e MY_VAR mcp-stdio-env-var-server mcp-stdio-env-var-server
- Observe the error.
- Define
MY_SECRET:
``bash``
export MY_VAR="magicvar"
- Run again:
``bash``
claude mcp -p 'use mcp-stdio-env-var-server server to display MY_VAR environment variable and tell me what is this variable value now? "
- Verify that
MY_VARis available inside the container.
Additional Context
This change will align Claude Code’s CLI with established Docker conventions, improving security (by avoiding commits of secrets in CI/CD scripts) and overall UX consistency.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗