I built an MCP server that lets Claude Code actually run commands on my servers (not just suggest them)

I've been using Claude Code for infrastructure work for months. And every session followed the same pattern:

1. Ask Claude what command to run
2. Read Claude's answer
3. Open terminal
4. Copy-paste the command
5. Read output
6. Paste output back to Claude
7. Repeat

It felt like I'd hired a senior engineer who wasn't allowed to touch the keyboard. So I built Conduit — and gave Claude the keyboard.

What is Conduit?

Conduit is a cross-platform remote connection manager (SSH, RDP, VNC, web) with a built-in MCP server. Think Termius or Royal TS, but the whole thing is wired up as an MCP server so Claude Code can drive it directly.

Apache 2.0 open source: https://github.com/advenimus/conduit-desktop

The MCP integration

When you add Conduit as an MCP server in Claude Code:

claude mcp add conduit -- node "/Applications/Conduit.app/Contents/Resources/mcp/dist/index.js" \
  --env CONDUIT_SOCKET_PATH="$HOME/Library/Application Support/conduit/conduit.sock" \
  --env CONDUIT_ENV="production"

Claude gets access to 60+ tools across five categories.

Terminal (SSH)

• terminal_execute — run a command in an SSH session and get the output back
• terminal_read_pane — read the current terminal buffer
• terminal_send_keys — send raw keystrokes (including Ctrl+C, arrow keys, etc.)

Now instead of "run df -h on each server," Claude just does it. Across all of them.

RDP / VNC

• rdp_screenshot — capture a screenshot of a remote desktop
• rdp_click — click at coordinates
• rdp_type — type text
• rdp_send_key — send keyboard shortcuts (Win+R, Ctrl+Alt+Del, etc.)
• Same set for VNC sessions

This unlocks something surprisingly powerful: Claude can look at a Windows server, read error dialogs, and click through them. Not just SSH into the host — actually drive the graphical interface.

Web sessions

• website_click_element — click by CSS selector (more reliable than coordinates)
• website_fill_input — fill inputs with React/Vue/Angular event dispatch
• website_execute_js — run JavaScript in the page
• website_get_elements — discover all interactive elements on a page

Web sessions are driven by Electron's WebContentsView — a full browser engine. Claude can navigate admin dashboards, fill forms, and execute JavaScript in sessions that are already logged in.

Credential vault

• credential_list — list stored credentials (metadata only)
• credential_read — retrieve a secret (requires explicit user approval prompt)

AES-256, local-first. Secrets never leave your machine. When the agent wants a credential, you get an approval prompt — you see exactly what's being requested and why.

How it actually works under the hood

Claude Code ──(MCP protocol)──> Conduit MCP binary (Node.js)
                                         │
                                  (Unix socket)
                                         │
                                 Conduit desktop app
                                         │
                    ┌────────────────────┼─────────────────────┐
                    │                   │                      │
               SSH session         RDP session           Web session
               (node-pty)       (FreeRDP C helper)  (Electron WebContentsView)

The MCP binary is a separate Node.js process that connects to the desktop app over a Unix domain socket. Every tool call goes through the main process where it's rate-limited, audited, quota-checked, and approval-prompted.

The MCP binary holds no session state — it's a thin proxy. If it crashes or restarts, it reconnects automatically.

Safety model

"AI agent with SSH access to all your servers" is a large trust surface. Here's how Conduit handles it:

Approval prompts are color-coded by risk:

• 🔵 Read operations (list connections, read terminal buffer)
• 🟡 Execute operations (run commands, navigate web)
• 🟠 Write operations (fill forms, click UI elements)
• 🔴 Credential operations (read secrets from vault)

Every prompt has a 120-second auto-deny timeout — walk away from your machine and nothing sensitive happens.

Audit log records every tool call: timestamp, tool name, arguments (secrets masked), result status.

Rate limiting: 30 calls/minute per connection by default, token bucket algorithm.

Bring-your-own-subscription: Claude Code authenticates directly with Anthropic. Conduit never proxies API calls or sees your API keys.

A real example

Here's a real workflow:

"Check disk usage on all prod servers, find the one with least headroom, and tell me what's in its largest directories"

Claude:

1. connection_list → gets my SSH connections
2. terminal_execute on each → runs df -h
3. Parses output, identifies the problem server
4. terminal_execute → runs du -sh /* 2>/dev/null | sort -rh | head -20
5. Reports back with findings

What used to be 10 minutes of tabbing between terminals is a 30-second conversation.

Tech stack

For the curious:

• App: Electron 34 + React 18 + TypeScript
• SSH: ssh2 + node-pty + xterm.js
• RDP: FreeRDP 3.x (custom C helper binary with binary protocol to the main process)
• VNC: rfb2
• MCP: @modelcontextprotocol/sdk
• Vault: AES-256-GCM, local storage, optional Supabase cloud sync
• Auth: Supabase

The FreeRDP integration was the hardest part — building the C helper, the binary protocol, and getting screenshots flowing at acceptable latency took weeks. Happy to write a separate post on that if there's interest.

Try it

• GitHub (Apache 2.0): https://github.com/advenimus/conduit-desktop
• Download (macOS/Windows/Linux): https://conduitdesktop.com/download
• Free for personal use

Happy to answer questions in the comments — especially about the MCP tool design, the FreeRDP C helper, or the approval/safety system.