Tripwire
An MCP server that gives an AI coding agent real control of Roblox Studio and Roblox Open Cloud, with a test-and-security layer no other Studio MCP has.
README
<div align="center">
Tripwire
made by alibolly
An MCP server that gives an AI coding agent real control of Roblox Studio and Roblox Open Cloud, with a test-and-security layer no other Studio MCP has.
</div>
Tripwire lets an assistant read, write, and edit the data model, drive playtests with simulated input, run tests-as-code headlessly in the real engine, flag client-trust exploits in game code, and call the Open Cloud APIs (DataStores, MessagingService, Memory Stores, and more). The Studio tools need no API key; the headless test, asset, and Open Cloud tools use an Open Cloud key.
Install
Tripwire's server is a single binary. The easiest way to run it is with npx, which fetches the
prebuilt binary for your platform, so there is no Rust toolchain to install. Prefer a manual binary
or a source build? See the Alternatives at the end of this section.
<details> <summary><b>Claude Code</b></summary>
One command:
claude mcp add --transport stdio tripwire -- npx -y tripwire-roblox
Or add it to a project .mcp.json (or ~/.claude.json):
{
"mcpServers": {
"tripwire": {
"type": "stdio",
"command": "npx",
"args": ["-y", "tripwire-roblox"]
}
}
}
</details>
<details> <summary><b>Codex</b></summary>
Add to ~/.codex/config.toml:
[mcp_servers.tripwire]
command = "npx"
args = ["-y", "tripwire-roblox"]
Or: codex mcp add tripwire -- npx -y tripwire-roblox
</details>
<details> <summary><b>Gemini</b></summary>
Add to ~/.gemini/settings.json (or a project .gemini/settings.json):
{
"mcpServers": {
"tripwire": {
"command": "npx",
"args": ["-y", "tripwire-roblox"]
}
}
}
Or: gemini mcp add tripwire npx -y tripwire-roblox
</details>
<details> <summary><b>Other MCP clients</b></summary>
Any client that speaks MCP over stdio can run it:
command: npx
args: ["-y", "tripwire-roblox"]
</details>
<details> <summary><b>Alternatives: prebuilt binary, or build from source</b></summary>
Prebuilt binary (no Node). Download the archive for your platform from the
Releases page (for example
tripwire-server-vX.Y.Z-aarch64-apple-darwin.tar.gz), extract it, and point your client's
command at the extracted tripwire-server with empty args.
Build from source (needs Rust):
git clone https://github.com/aliboIly/Tripwire.git
cd Tripwire/server
cargo build --release # produces server/target/release/tripwire-server
Then point your client's command at that binary path.
</details>
<details> <summary><b>Studio plugin (required for the Studio tools)</b></summary>
The Studio tools reach Studio through a small plugin that long-polls the local server. Grab
Tripwire.rbxmx from the Releases page, or build it:
cd Tripwire/plugin
npm install
npx rbxtsc
rojo build --output Tripwire.rbxmx
cp Tripwire.rbxmx ~/Documents/Roblox/Plugins/ # macOS; Windows: %LOCALAPPDATA%\Roblox\Plugins
Restart Studio, click the Tripwire toolbar button, and enable Game Settings > Security >
Allow HTTP Requests. The Output shows [Tripwire v...] connected.
</details>
<details> <summary><b>Open Cloud key (for headless tests, assets, and Open Cloud tools)</b></summary>
The Studio tools need no key. The Open Cloud tools do. See Open Cloud setup below for the full walkthrough.
</details>
Open Cloud setup
Most of Tripwire needs no credentials. These tools do, because they call Roblox Open Cloud:
run_luau, the headless tests (run_tests, run_test_file, list_tests), upload_asset,
publish_place, and the DataStore, Ordered DataStore, MessagingService, Memory Store, platform,
and engagement tools. They authenticate with a Roblox Open Cloud API key.
Use at your own risk. An Open Cloud key is a real credential with real power over your experience. Depending on the scopes you grant it, it can read and overwrite your live DataStores, publish new versions of your place, upload assets to your account, and message your servers. Treat it like a password: grant only the scopes you actually use, restrict it to your own IP, never commit it, and revoke it if it leaks. You are responsible for what you do with it. Tripwire is not affiliated with or endorsed by Roblox.
1. Create the key
- Go to create.roblox.com/dashboard/credentials and sign in.
- Click Create API Key and name it (for example
Tripwire). - Under Access Permissions, add only the API systems for the tools you want, and grant each the operation it needs, scoped to your experience:
- Luau Execution (write):
run_luauand the headless tests. - universe-places (write):
publish_place. - Assets (read + write):
upload_asset. - DataStores and Ordered DataStores: the data-store tools.
- Messaging Service (publish) and Memory Stores: those tools.
- User/Group/Inventory/Subscription/Notification: the platform and engagement tools.
- Luau Execution (write):
- Under Security, set Accepted IP Addresses to your machine's IP, or
0.0.0.0/0to allow any (simplest for local use). Set an expiration if you want. - Click Save & Generate Key and copy the key string. It is shown only once.
2. Find your universe and place IDs
In the Studio command bar (View, then Command Bar), run:
print("universe", game.GameId, "place", game.PlaceId)
GameId is your ROBLOX_UNIVERSE_ID; PlaceId is your ROBLOX_PLACE_ID. The place must be
published to Roblox for Open Cloud to act on it.
3. Give Tripwire the credentials
Create a .env at the repo root. It is gitignored and the server loads it automatically:
ROBLOX_OPEN_CLOUD_KEY=paste_the_key_here
ROBLOX_UNIVERSE_ID=000000
ROBLOX_PLACE_ID=000000
ROBLOX_CREATOR_USER_ID=000000 # only for upload_asset (your user id)
Or put the same variables in your MCP client's env block instead (those take precedence).
Reconnect the MCP server after changing either. Each tool works when the key grants its scope and
returns Roblox's own error if a scope is missing, so you can add scopes as you go.
Tools
Connection
<details><summary><code>studio_status</code></summary>Whether a Studio is connected, the active place, and any other connected studios.</details> <details><summary><code>ping_studio</code></summary>Round-trip a ping through the plugin to confirm the live bridge works.</details> <details><summary><code>list_studios</code></summary>List every connected (or recently seen) Studio: place, whether it is active, last-seen, and playtest state.</details> <details><summary><code>set_active_studio</code></summary>Choose which connected Studio the tools target (by id, id prefix, or place name). Automatic with one Studio.</details>
Read and inspect
<details><summary><code>get_file_tree</code></summary>List the instance tree from a path (default the whole game), bounded by depth.</details> <details><summary><code>get_instance_children</code></summary>List the direct children (name and class) of an instance.</details> <details><summary><code>get_instance_properties</code></summary>Read an instance's name, class, full path, and attributes.</details> <details><summary><code>search_objects</code></summary>Find instances whose name contains a query, optionally filtered by class.</details> <details><summary><code>search_by_property</code></summary>Find instances whose property equals a value, optionally filtered by class.</details> <details><summary><code>get_script_source</code></summary>Read the source of a Script, LocalScript, or ModuleScript.</details> <details><summary><code>grep_scripts</code></summary>Search script sources for a substring; returns path, line number, and line.</details> <details><summary><code>get_output_log</code></summary>Recent Studio Output entries (message, type, timestamp).</details> <details><summary><code>get_selection</code></summary>The instances currently selected in Studio.</details>
Edit (each is one undo step)
<details><summary><code>create_instance</code></summary>Create an instance of a class with an optional name and initial properties.</details> <details><summary><code>delete_instance</code></summary>Destroy an instance and its descendants.</details> <details><summary><code>set_property</code></summary>Set one typed property (primitive, Vector3, Color3, UDim2, CFrame, EnumItem, or an instance reference).</details> <details><summary><code>update_script_source</code></summary>Replace a script's source through the script editor (the supported write path).</details> <details><summary><code>insert_model</code></summary>Insert an asset by id, with optional reposition or unpack.</details> <details><summary><code>mass_create</code></summary>Create many instances in one undo step (atomic, or best-effort with per-item results).</details> <details><summary><code>mass_set_property</code></summary>Set one property on many instances in one undo step (atomic or best-effort).</details>
Playtest and input
<details><summary><code>start_playtest</code></summary>Start an F5 playtest (server and client DataModels with a player); injects the in-play runner.</details> <details><summary><code>stop_playtest</code></summary>Stop the F5 playtest (best-effort; F5 teardown can outlast the confirmation).</details> <details><summary><code>start_simulation</code></summary>Start an F8 run (server-only simulation, no client or player).</details> <details><summary><code>stop_simulation</code></summary>Stop the F8 run (clean).</details> <details><summary><code>simulate_mouse_input</code></summary>Click or move the mouse at screen coordinates during an F5 playtest.</details> <details><summary><code>simulate_keyboard_input</code></summary>Press a key (tap/press/release) or type text during an F5 playtest.</details> <details><summary><code>character_navigation</code></summary>Walk the local character toward a world position; reports whether it reached the goal.</details> <details><summary><code>get_playtest_output</code></summary>The running playtest's output log, aggregated across the server and client peers.</details>
Tests and headless execution (Open Cloud)
<details><summary><code>run_luau</code></summary>Run a Luau script headlessly in the published place; returns the results and logs.</details> <details><summary><code>run_tests</code></summary>Run the headless test suite in the published place and report passed/failed with messages.</details> <details><summary><code>run_test_file</code></summary>Run a single spec by name, headlessly.</details> <details><summary><code>list_tests</code></summary>List the spec files and their cases discovered in the published place.</details> <details><summary><code>write_test</code></summary>Write a roblox-ts test spec to disk; rebuild and publish, then run_tests picks it up.</details>
Security review (static analysis, no key)
<details><summary><code>review_security</code></summary>Review the game source for client-trust and unvalidated-remote issues, each with a suggested server-side fix.</details> <details><summary><code>scan_remotes</code></summary>List server remote handlers and the client-controlled parameters of each.</details> <details><summary><code>scan_client_trust</code></summary>Flag server handlers that use client-supplied values without validating them.</details>
Assets and publishing (Open Cloud)
<details><summary><code>upload_asset</code></summary>Upload a local file as a Roblox asset (Decal, Audio, Model, Animation, or Video); returns the assetId.</details> <details><summary><code>publish_place</code></summary>Publish a local place file (.rbxl/.rbxlx) as a new version of the experience.</details>
DataStores (Open Cloud)
<details><summary><code>list_datastores</code></summary>List the standard data stores in the universe.</details> <details><summary><code>list_datastore_entries</code></summary>List entry keys in a data store.</details> <details><summary><code>get_datastore_entry</code></summary>Read an entry's value and metadata.</details> <details><summary><code>set_datastore_entry</code></summary>Create or overwrite an entry (value plus optional users/attributes).</details> <details><summary><code>delete_datastore_entry</code></summary>Soft-delete an entry (purged after 30 days).</details> <details><summary><code>increment_datastore_entry</code></summary>Atomically add an integer to a numeric entry.</details> <details><summary><code>list_ordered_entries</code></summary>List ordered data store entries by value, ascending or descending.</details> <details><summary><code>get_ordered_entry</code></summary>Read one ordered data store entry.</details> <details><summary><code>set_ordered_entry</code></summary>Set (upsert) an ordered data store entry to a non-negative integer.</details> <details><summary><code>increment_ordered_entry</code></summary>Atomically add to an ordered data store entry.</details>
Messaging and memory (Open Cloud)
<details><summary><code>publish_message</code></summary>Publish a message to a MessagingService topic (reaches running production servers).</details> <details><summary><code>memory_sorted_map_set</code></summary>Set (upsert) a Memory Store sorted-map item, with TTL and sort keys.</details> <details><summary><code>memory_sorted_map_get</code></summary>Read a Memory Store sorted-map item.</details> <details><summary><code>memory_sorted_map_list</code></summary>List sorted-map items in sort order.</details> <details><summary><code>memory_sorted_map_delete</code></summary>Delete a sorted-map item.</details> <details><summary><code>memory_queue_add</code></summary>Add an item to a Memory Store queue, with priority and TTL.</details> <details><summary><code>memory_queue_read</code></summary>Read items from a queue; returns a readId for the discard call.</details> <details><summary><code>memory_queue_discard</code></summary>Permanently remove a read batch by its readId.</details>
Platform and engagement (Open Cloud)
<details><summary><code>get_universe</code></summary>The configured universe's metadata.</details> <details><summary><code>get_place</code></summary>The configured place's metadata.</details> <details><summary><code>get_user</code></summary>A user's public profile.</details> <details><summary><code>get_group</code></summary>A group's metadata.</details> <details><summary><code>list_inventory</code></summary>A user's inventory items, filterable by type or id.</details> <details><summary><code>send_notification</code></summary>Send an experience notification to a user (from a Creator Dashboard template).</details> <details><summary><code>get_subscription</code></summary>Read a user's subscription to a subscription product.</details>
What you can do
- Build scenes from a prompt. Create and mass-create instances, set typed properties, insert models, and write scripts, each as a clean undo step.
- Test gameplay in CI. Write specs, run them headlessly in the real engine through Open Cloud, and gate pull requests on the results.
- Catch exploits before they ship. The security reviewer flags server handlers that trust client input and suggests the server-side fix; the same check runs automatically on every PR.
- Drive a real playtest. Enter Play mode, send keyboard and mouse input, walk the character to a spot, read the combined server/client output, then stop.
- Inspect a live place. Read the instance tree, search by name or property, read and grep scripts, and pull the Output log.
- Automate Open Cloud. Seed DataStores for test fixtures, publish a place, broadcast a MessagingService topic, or look up users, groups, and inventory.
Prior art
The Studio runtime approach (a plugin that long-polls a local server, an injected in-play runner) follows ideas from boshyxd/robloxstudio-mcp and Chrrxs/robloxstudio-mcp. Tripwire is an independent, from-scratch implementation; the headless test harness, the CI security reviewer, and the Open Cloud tooling are its own.
License
MIT. See LICENSE.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.