marketplace-mcp-server
An MCP server (with stdio and HTTP transports) that exposes tools for searching and retrieving package/repository metadata and assets from the Upbound Marketplace API, including support for both marketplace API v1 and v2 and UP CLI–based authentication for private resources.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Credentials are provided by mounting a local UP CLI config directory into a container (read-only mount shown). The README does not describe TLS requirements for the HTTP MCP transport, token handling, or principle-of-least-privilege scope granularity. No explicit guidance is provided on logging redaction of secrets or on rate-limit/abuse handling.
⚡ Reliability
Best When
You have an MCP-capable agent and want programmatic marketplace discovery/metadata retrieval (including private resources) using your existing UP CLI credentials.
Avoid When
You need a multi-tenant SaaS with centralized auth, guaranteed uptime, published rate-limit guarantees, or first-class public REST/OpenAPI contracts beyond MCP JSON-RPC.
Use Cases
- • Discover Upbound Marketplace packages by query and filters (provider/config/function)
- • Fetch package metadata such as CRDs, versions, and documentation pointers
- • Retrieve package assets (docs, readme, release notes, icons, SBOMs)
- • Browse repositories and apply advanced AIP-160 filters (v2)
- • Support Crossplane composition building by fetching examples/resources for specific group/kind/version/compositions
- • Automate marketplace analysis workflows in MCP-capable AI agents
Not For
- • Direct production access to the Upbound Marketplace from the open internet without a local agent boundary (it is primarily an MCP server for agent tooling)
- • Use by agents that cannot use MCP JSON-RPC over stdio or the provided HTTP transport
- • Teams needing a dedicated managed API service with explicit SLAs and usage-based pricing
Interface
Authentication
Auth is delegated to the UP CLI configuration mounted into the server container. A dedicated 'reload_auth' tool is provided to switch profiles.
Pricing
Open-source tooling; no pricing information in provided content.
Agent Metadata
Known Gotchas
- ⚠ HTTP interface is JSON-RPC 2.0 at /mcp and requires POST requests with appropriate params per tool.
- ⚠ The server relies on mounted UP CLI config; missing/incorrect mount will cause authentication failures.
- ⚠ Some tools reference v1 vs v2 marketplace behavior via use_v1; agents should choose the intended API version.
- ⚠ The example for get_package_version_resources appears to have a truncated version string in the README; use the version format shown elsewhere (e.g., v1.23.1) and validate arguments.
Alternatives
Full Evaluation Report
Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for marketplace-mcp-server.
AI-powered analysis · PDF + markdown · Delivered within 30 minutes
Package Brief
Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.
Delivered within 10 minutes
Score Monitoring
Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.
Continuous monitoring
Scores are editorial opinions as of 2026-04-04.