Basecamp CLI
Warn
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real Basecamp integration, but it gives an AI assistant broad power to change Basecamp data and manage webhooks, so users should review and restrict it before use.
Install this only if you want an AI assistant to manage Basecamp. Use a dedicated OAuth app and the least-privileged account you can, protect the client secret, require confirmations for all write/delete/archive/trash/post/webhook actions, and audit webhooks and recent activity after use.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled broadly, an assistant could create, edit, archive, trash, delete, move, or post Basecamp content in the connected account.
These tools can materially change or remove Basecamp business content and post to team communications through an AI-accessible MCP server; the artifacts do not describe explicit confirmation or scoping controls for those high-impact actions.
Provides 76 MCP tools for AI-driven project management workflows ... `basecamp_create_project`, `basecamp_archive_project` ... `basecamp_delete_todo` ... `basecamp_delete_comment` ... `basecamp_delete_schedule_entry` ... `basecamp_delete_card` ... `basecamp_trash_recording` ... `basecamp_send_campfire_line`
Use this only with an MCP client that requires approval for writes and destructive actions; consider limiting use to specific projects and reviewing every create/update/delete/archive/trash/post action.
A mistaken or malicious webhook action could cause ongoing Basecamp activity to be delivered to an unintended external endpoint.
Webhook creation allows Basecamp events to be sent to an external URL. This is a legitimate Basecamp feature, but the artifacts do not show allowlists, confirmation requirements, or other boundaries around where an AI-driven workflow may send future project events.
basecamp webhooks create --project <id> --payload-url "https://..."
Require explicit user approval for all webhook create/update/test actions, audit existing webhooks after use, and only allow trusted destination URLs.
Anyone or any agent workflow with access to this configured MCP server may be able to act as the authenticated Basecamp user.
The credential requirement is expected for Basecamp API access and is disclosed, but it means the MCP server operates with the connected user's Basecamp privileges.
Required env vars: BASECAMP_CLIENT_ID, BASECAMP_CLIENT_SECRET ... OAuth 2.0 authentication with PKCE
Protect the client secret, use the least-privileged Basecamp account available, rotate credentials if exposed, and disconnect/logout when no longer needed.
Private project information may be exposed to the assistant session, and text from Basecamp should not be treated as instructions to the agent.
These tools intentionally bring Basecamp documents, messages, chat lines, and search results into the assistant context; that content may be sensitive or may contain untrusted instructions written by other collaborators.
`basecamp_get_document`, `basecamp_list_messages`, `basecamp_get_campfire_lines`, `basecamp_search`
Only query projects and records you intend to share with the assistant, and configure the agent to treat retrieved Basecamp content as data rather than commands.
A compromised or mistaken package source would run as a local CLI/MCP server with access to configured Basecamp credentials.
The package installs global executables and normal dependencies for a CLI/MCP integration. This is purpose-aligned, but users should still verify they are installing the intended npm package and version.
"bin": { "basecamp": "dist/index.js", "basecamp-mcp": "dist/mcp.js" }, "dependencies": { "@modelcontextprotocol/sdk": "^1.25.3", "got": "^14.4.5", "open": "^10.1.0" }
Install from the documented npm package, prefer pinned versions in managed environments, and verify the GitHub/npm publisher before deployment.
Developers running the validation script should avoid passing untrusted command-line values.
Shell execution exists in a manual validation script used to run CLI checks. It is not shown as an automatic install or MCP-server behavior.
const output = execSync(command, { encoding: 'utf-8', timeout: 60000, maxBuffer: 50 * 1024 * 1024 })
Do not run development validation scripts with untrusted arguments; this does not appear to affect normal installed use.
