Proxmox MCP 控制助手 是 AI Skill Hub 本期精选MCP工具之一。综合评分 8.2 分,整体质量较高。我们强烈推荐将其纳入你的 AI 工具库,帮助提升工作效率。
这是一个基于MCP协议的开源工具,允许AI代理直接管理Proxmox虚拟化环境,涵盖VE、备份服务器、邮件网关及数据中心管理。它将复杂的虚拟化运维转化为自然语言交互,非常适合需要通过AI自动化管理私有云的DevOps工程师和系统管理员。
Proxmox MCP 控制助手 是一款遵循 MCP(Model Context Protocol)标准协议的 AI 工具扩展。通过 MCP 协议,它可以让 Claude、Cursor 等主流 AI 客户端直接访问和操作外部工具、数据源和服务,实现 AI 能力的无缝扩展。无论是文件操作、数据库查询还是 API 调用,都可以通过自然语言在 AI 对话中直接触发,极大提升生产效率。
这是一个基于MCP协议的开源工具,允许AI代理直接管理Proxmox虚拟化环境,涵盖VE、备份服务器、邮件网关及数据中心管理。它将复杂的虚拟化运维转化为自然语言交互,非常适合需要通过AI自动化管理私有云的DevOps工程师和系统管理员。
Proxmox MCP 控制助手 是一款遵循 MCP(Model Context Protocol)标准协议的 AI 工具扩展。通过 MCP 协议,它可以让 Claude、Cursor 等主流 AI 客户端直接访问和操作外部工具、数据源和服务,实现 AI 能力的无缝扩展。无论是文件操作、数据库查询还是 API 调用,都可以通过自然语言在 AI 对话中直接触发,极大提升生产效率。
# 方式一:通过 Claude Code CLI 一键安装
claude skill install https://github.com/john-broadway/proximo
# 方式二:手动配置 claude_desktop_config.json
{
"mcpServers": {
"proxmox-mcp-----": {
"command": "npx",
"args": ["-y", "proximo"]
}
}
}
# 配置文件位置
# macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
# Windows: %APPDATA%/Claude/claude_desktop_config.json
# 安装后在 Claude 对话中直接使用 # 示例: 用户: 请帮我用 Proxmox MCP 控制助手 执行以下任务... Claude: [自动调用 Proxmox MCP 控制助手 MCP 工具处理请求] # 查看可用工具列表 # 在 Claude 中输入:"列出所有可用的 MCP 工具"
// claude_desktop_config.json 配置示例
{
"mcpServers": {
"proxmox_mcp_____": {
"command": "npx",
"args": ["-y", "proximo"],
"env": {
// "API_KEY": "your-api-key-here"
}
}
}
}
// 保存后重启 Claude Desktop 生效
<p align="center"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/john-broadway/proximo/main/docs/brand/proximo-wordmark-dark.svg"> <img alt="Proximo" src="https://raw.githubusercontent.com/john-broadway/proximo/main/docs/brand/proximo-wordmark-light.svg" width="460"> </picture> </p>
Named for Proximo, the lanista of Gladiator — the story is the design. He armed his fighter with exactly what he needed, never more, and answered for every move in the arena: a lanista, not a jailer. The Spaniard doesn't get his name up front — he earns it, by conduct, on the record. Proximo's last act is opening the cages, holding the wooden sword of his own freedom. The Proxmox MCP you can hand the keys. The others make you choose: a read-only inspector that's safe because it can't touch anything — or a loaded gun aimed at a cluster you care about. Proximo refuses the trade. Every dangerous move is planned (see the blast radius first) and proven (a tamper-evident record of every move), and undoable wherever the platform can snapshot (it snapshots before it acts) — trust built into the substrate, not bolted on after. Hand an AI agent the keys; keep the receipts.
Sovereign, governed, agent-agnostic — your metal, your token, a ledger you own; no cloud, no phone-home, no daemon unless you opt into A2A; works with any MCP client. Governance-as-code: autonomy without accountability isn't autonomy, it's negligence.
Don't take our word for any of it — verify it yourself. Every claim here is paired with the command that proves it.
---
<p align="center"> <img src="https://raw.githubusercontent.com/john-broadway/proximo/main/docs/demo/demo.svg" alt="Proximo demo: doctor preflight, a destructive delete returning a PLAN with blast radius instead of acting, and the tamper-evident audit ledger verifying clean" width="860"> </p>
<p align="center"><sub>Recorded live against a real PVE 9.2 host with a <b>read-only token</b> — real output, nothing staged, nothing touched. Reproduce it yourself: <a href="./scripts/demo/demo.py"><code>scripts/demo/demo.py</code></a>.</sub></p>
🧭 New to Proximo? Start with SETUP.md — a beginner-proof, token-first walkthrough: create a least-privilege (read-only) token, verify what it can/can't do with proximo doctor, then grant scoped write only when you're ready. The token is the floor your keys never leave.
📦0.20.0— on PyPI, GitHub, and GHCR (signed multi-arch image). New in 0.20.0 — the receipts release. Every safety claim is now paired with a command that proves it. New VERIFY.md: forge a byte of the audit ledger and watchverify()refuse, grep the whole outbound surface to see there's no phone-home, verify the image's sigstore provenance — checks you run against the artifacts, not our word. Plus THREAT_MODEL.md, a CycloneDX SBOM on the wheel, an OpenSSF Scorecard badge, and a trust-core mutation smoke (4/4 tamper-detection mutants killed). No tool-count change (still 365) — this makes the existing guarantees checkable. The field is filling with "AI on Proxmox, but safe"; the answer is to raise the floor, not shrink anyone: whatever you run, make it prove itself. Recent: 0.19.1 — a self-audit release: a multi-agent pass over v0.19.0 found and fixed 23 real issues (headline: restore/prune from PBS work again), no tool-count change.
Proximo runs on your machine (wherever your MCP client lives), on demand — like every other Proxmox MCP.
The pip package isproximo-proxmox(PyPI's bareproximois reserved); the command and import stayproximo. With the[a2a]extra you also get theproximo-a2aserver.
Install: ``` uvx proximo-proxmox # zero-install run, on demand
Wire it into your MCP client (Claude Desktop/Code, Cursor, …) as the command `proximo` (or `python -m proximo`),
with the `PROXIMO_*` env vars — see `packaging/proximo.env.example`.
**From source:** git clone https://github.com/john-broadway/proximo.git && cd proximo uv pip install -e . # or: pip install -e . ```
Docker (GHCR): docker run -i --rm … ghcr.io/john-broadway/proximo:latest runs the stdio MCP server on demand — no daemon, no open port. Multi-arch (amd64 + arm64), shipped with an SBOM and a sigstore-signed build-provenance attestation (gh attestation verify oci://ghcr.io/john-broadway/proximo --owner john-broadway). The same image is mirrored to Docker Hub (docker pull docker.io/jebroadway/proximo, identical digest) for those who prefer it; GHCR stays the signed primary.
Safe by default: Proximo is API-only out of the box. The near-root edges are opt-in and say so plainly: the LXC exec edge (PROXIMO_ENABLE_EXEC=1) grants near-root on the host, and the VM qemu-guest-agent edge (PROXIMO_ENABLE_AGENT=1) grants near-root inside a guest. Big surface, scoped context: 365 tools is the whole estate — you don't have to load it.PROXIMO_SURFACES=pve,execregisters only those planes (e.g. that pair = 195 tools;pbs,exec= 38) — unpicked planes are removed from the registry before serving, so they never touch your context window.audit_verifyalways stays; a typo'd surface name refuses startup instead of silently serving the wrong set. The default path never touches the hypervisor host — management goes over the Proxmox API (scoped token). The two opt-in edges are the exceptions: exec uses your existing ssh to PVE to runpct execas root on the host; the qemu-agent edge runs in-guest ops via the API. Both are off by default, each scoped by its own fail-closed allowlist (PROXIMO_CT_ALLOWLIST/PROXIMO_AGENT_ALLOWLIST), and say so loudly. (A Debian package is optional — the MCP world installs viauvx/pip/Docker, notapt. Status:debian/now produces a working, installable.deb(dpkg-buildpackage -us -uc -b), lintian-clean with a man page and an autopkgtest smoke — but it is distributed nowhere; build-your-own fromdebian/. Seedebian/README.Debian.)
// your MCP client config (Claude Desktop / Claude Code / Cursor / …)
{
"mcpServers": {
"proximo": {
"command": "uvx",
"args": ["proximo-proxmox"],
"env": {
"PROXIMO_API_BASE_URL": "https://your-pve:8006/api2/json",
"PROXIMO_NODE": "your-node",
"PROXIMO_TOKEN_PATH": "/path/to/token-file" // USER@REALM!TOKENID=SECRET — by reference, never inlined
}
}
}
}
Or install with one click:
<sub>Both prompt for (or placeholder) the token file path — the secret itself never lands in client config. No token yet? uvx proximo-proxmox mint prints the least-privilege runbook.</sub>
Before wiring in an agent, check what your token can actually do (read-only preflight):
uvx proximo-proxmox doctor
Don't have a token yet? proximo mint prints the exact five-step runbook — create a least-privilege credential, write it in the format Proximo reads (the =/:/password trap, per product), grant a scoped role, wire it, verify. Print-only: it makes no API call and never touches the secret itself.
Start with a read-only token — Proximo is useful long before you grant it write. Full token-first walkthrough (create the least-privilege token, verify, widen deliberately): SETUP.md. More install paths (pip, Docker/GHCR, from source): Install & run.
aiskill88点评:将企业级虚拟化能力接入MCP生态,极大地降低了私有云运维门槛,实用性极强。
AI Skill Hub 为第三方内容聚合平台,本页面信息基于公开数据整理,不对工具功能和质量作任何法律背书。
建议在沙箱或测试环境中充分验证后,再部署至生产环境,并做好必要的安全评估。
✅ Apache 2.0 — 宽松开源协议,可商用,需保留版权声明和 NOTICE 文件,含专利授权条款。
经综合评估,Proxmox MCP 控制助手 在MCP工具赛道中表现稳健,质量优秀。如果你已有明确的使用需求,可以直接上手体验;如果还在评估阶段,建议对比同类工具后再做决策。
| 原始名称 | proximo |
| Topics | 虚拟化管理私有云自动化运维 |
| GitHub | https://github.com/john-broadway/proximo |
| License | Apache-2.0 |
| 语言 | Python |
收录时间:2026-07-12 · 更新时间:2026-07-12 · License:Apache-2.0 · AI Skill Hub 不对第三方内容的准确性作法律背书。
选择 Agent 类型,复制安装指令后粘贴到对应客户端