Package Exports
- @aiclude/security-mcp
Readme
@aiclude/security-mcp
AICLUDE Security Vulnerability Scanner — MCP Server for querying vulnerability scan results of MCP Servers and AI Agent Skills.
Quick Install
Claude Desktop
Add to claude_desktop_config.json:
{
"mcpServers": {
"aiclude-security": {
"command": "npx",
"args": ["-y", "@aiclude/security-mcp"]
}
}
}Cursor
Add to .cursor/mcp.json:
{
"mcpServers": {
"aiclude-security": {
"command": "npx",
"args": ["-y", "@aiclude/security-mcp"]
}
}
}Usage
Once installed, ask your AI agent:
- "Check the security of @modelcontextprotocol/server-fetch"
- "Is my-awesome-skill safe to use?"
- "Show me the vulnerability report for mcp-server-github"
Tools
| Tool | Description |
|---|---|
security_scan |
Search scan results by package name. Returns report if found, or registers target for scanning. |
get_report |
Retrieve a specific scan report by ID |
list_reports |
List available scan reports with severity filtering |
How It Works
- Sends the package name to the AICLUDE scan API
- If a scan report exists, returns it immediately
- If not, registers the target for server-side scanning
- Results are viewable at https://vs.aiclude.com
Only the package name and type are sent. No source code or credentials are transmitted.
Server-Side Scan Engines
The AICLUDE server runs 7 engines on registered targets:
| Engine | What It Detects |
|---|---|
| SAST | Code vulnerabilities via pattern matching |
| SCA | Known CVEs in dependencies (OSV.dev) |
| Tool Analyzer | MCP tool poisoning, shadowing, rug-pull |
| DAST | SQL/Command/XSS injection via fuzzing |
| Permission Checker | Excessive filesystem/network/process access |
| Behavior Monitor | Suspicious runtime behavior patterns |
| Malware Detector | Backdoors, cryptominers, ransomware, data stealers |
Related
@aiclude/security-skill— Claude Code Skill- vs.aiclude.com — Web dashboard
License
Apache 2.0 — AICLUDE Inc.