JSPM

Model Context Protocol server that lets AI coding assistants (Claude Code, Cursor, Windsurf) check npm packages against the Sandcheck dataset before suggesting installs.

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@sandcheck/mcp) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    @sandcheck/mcp

    Model Context Protocol server for Sandcheck. Lets AI coding assistants check npm packages against a curated list of known-compromised versions before they suggest installing them.

    The server is stdio-based and works with any MCP-aware coding assistant, including Claude Code, Cursor, and Windsurf.

    What it exposes

    Tool                    Purpose
    check_package           Look up a single name@version.
    check_packages          Look up many name@version pairs in one call (use this before a bulk install).
    check_lockfile          Detect and scan package-lock.json, pnpm-lock.yaml, or yarn.lock in a project directory.
    get_recent_compromises  Return recent dataset entries, newest first. Use it to brief the model on fresh incidents at the start of a session.
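    As an added illustration (not code from the @sandcheck/mcp package), the Node script below shows the kind of check that check_lockfile performs: it walks the "packages" map of a package-lock.json (lockfile v2/v3), derives each dependency's name@version, and matches it against a known-compromised list, including copies nested under another package's node_modules. The dataset shape used here (an array of {name, version} objects) and the lockfile contents are constructed assumptions; this README does not describe the real Sandcheck dataset format.

```javascript
// Added example: scan a package-lock.json against a known-compromised list.
// The dataset shape below is an assumption, not Sandcheck's real format.
const COMPROMISED = [
  { name: "chalk", version: "5.6.1" },           // constructed sample entry
  { name: "@scope/evil-util", version: "1.2.3" } // constructed sample entry
];

// Build a Set of "name@version" keys so lookups are O(1) per dependency.
function buildIndex(dataset) {
  return new Set(dataset.map((e) => `${e.name}@${e.version}`));
}

// Lockfile v2/v3 keys packages by install path, e.g. "node_modules/chalk"
// or "node_modules/a/node_modules/@scope/b". The package name is whatever
// follows the last "node_modules/" segment (scoped names keep their "@scope/").
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns every compromised dependency found, with the lockfile path it sits at.
// Accepts either the parsed lockfile object or its JSON text.
function scanPackageLock(lockJson, index) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages ?? {})) {
    if (lockPath === "") continue; // "" is the root project, not a dependency
    // Aliased installs carry an explicit "name"; otherwise derive it from the path.
    const name = meta.name ?? nameFromLockPath(lockPath);
    if (!name || !meta.version) continue;
    const key = `${name}@${meta.version}`;
    if (index.has(key)) hits.push({ path: lockPath, key });
  }
  return hits;
}

// Constructed lockfile: a clean top-level chalk, a compromised chalk nested
// under some-cli, and a compromised scoped package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/chalk": { version: "5.6.2" },
    "node_modules/some-cli": { version: "2.0.0" },
    "node_modules/some-cli/node_modules/chalk": { version: "5.6.1" },
    "node_modules/@scope/evil-util": { version: "1.2.3" }
  }
};

for (const f of scanPackageLock(SAMPLE_LOCK, buildIndex(COMPROMISED))) {
  console.log(`COMPROMISED ${f.key} at ${f.path}`);
}
```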

    Install

    pnpm add -g @sandcheck/mcp
    # or run on demand:
    npx -y @sandcheck/mcp

    The published binary is sandcheck-mcp.

    Claude Code

    Add this to your ~/.config/claude-code/mcp.json (or run claude mcp add sandcheck):

    {
      "mcpServers": {
        "sandcheck": {
          "command": "npx",
          "args": ["-y", "@sandcheck/mcp"]
        }
      }
    }

    Then try: "Check whether chalk@5.6.1 is safe to install."

    Cursor

    In Cursor settings → MCP, add a new server:

    • Name: sandcheck
    • Command: npx
    • Args: -y @sandcheck/mcp

    Cursor will list the four Sandcheck tools under the server.

    Windsurf

    In ~/.codeium/windsurf/mcp_config.json:

    {
      "mcpServers": {
        "sandcheck": {
          "command": "npx",
          "args": ["-y", "@sandcheck/mcp"]
        }
      }
    }

    How the dataset is fetched

    The server fetches the canonical Sandcheck dataset from the raw GitHub URL on startup and refreshes once per hour. There is no telemetry, no analytics, and no phone-home. You can pin a specific dataset by setting the SANDCHECK_DATASET_URL environment variable to a different URL or to a file:// path.

    Security posture

    • No install-time lifecycle scripts.
    • ESM only, strict TypeScript, no any.
    • The server runs entirely over stdio — no inbound network listener.
    • Releases are published with npm provenance via GitHub Actions OIDC.

    License

    Apache-2.0.