JSPM

@vettiq/mcp-server

1.2.0
Downloads: 5
License: UNLICENSED

VettIQ MCP server — security scanning for AI-generated code, callable from Cursor, Claude Code, and any MCP-compatible agent.

Package Exports

  • @vettiq/mcp-server
  • @vettiq/mcp-server/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@vettiq/mcp-server) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

@vettiq/mcp-server

VettIQ MCP Server brings AI code security scanning directly into your coding environment. 12 tools let you scan code through VettIQ's 6-stage multi-LLM pipeline, vet ClawHub skills before installing, check MCP server trust scores, drive the automated fix pipeline, search live threat intelligence, and monitor your security posture — all without leaving Claude Code, Cursor, or Windsurf.

Prerequisites

  • Node.js 18+
  • VettIQ API key (get free at app.vettiq.ai → Settings → API Keys)
  • Free plan works — 1 scan/month included

Quick Start — Claude Code

npm install -g @vettiq/mcp-server

Add to ~/.claude/mcp.json:

{
  "mcpServers": {
    "vettiq": {
      "command": "vettiq-mcp",
      "env": {
        "VETTIQ_API_KEY": "your_api_key_here"
      }
    }
  }
}

Restart Claude Code. To test, prompt "Scan this file with VettIQ" and paste any code after it.

Quick Start — Cursor

Add to .cursor/mcp.json at your project root:

{
  "mcpServers": {
    "vettiq": {
      "command": "vettiq-mcp",
      "env": {
        "VETTIQ_API_KEY": "your_key_here"
      }
    }
  }
}
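Both quick-start files have the same shape, and the troubleshooting section below asks you to check by hand that the file is valid JSON, that the command resolves, and that the key is real. That check can be scripted. The following is an added example and not code from the @vettiq/mcp-server package: validateMcpConfig and PLACEHOLDER_KEYS are my own names, the three sample configs are constructed inline so the block runs offline, and the PATH probe is injected (pass fs.existsSync and process.env.PATH.split(path.delimiter) to check a real machine).

```javascript
// Added example (not part of @vettiq/mcp-server): sanity-check an MCP client
// config such as ~/.claude/mcp.json or .cursor/mcp.json before restarting the
// editor. Reports invalid JSON, a missing "vettiq" server entry, a placeholder
// API key, and a command that cannot be found on the supplied PATH.

// Constructed sample configs standing in for the real files on disk.
const GOOD_CONFIG = JSON.stringify({
  mcpServers: {
    vettiq: { command: "vettiq-mcp", env: { VETTIQ_API_KEY: "vq_constructed_key_1234567890" } },
  },
});
const PLACEHOLDER_CONFIG = JSON.stringify({
  mcpServers: { vettiq: { command: "vettiq-mcp", env: { VETTIQ_API_KEY: "your_api_key_here" } } },
});
const BROKEN_JSON = '{ "mcpServers": { "vettiq": { "command": "vettiq-mcp", } } }'; // trailing comma

// Placeholder values copied from the README's own snippets; none is a real key.
const PLACEHOLDER_KEYS = new Set(["your_api_key_here", "your_key_here", "your_key", ""]);

/**
 * Validate an MCP client config document.
 * @param {string} text raw file contents
 * @param {object} [opts]
 * @param {string} [opts.serverName="vettiq"] key under mcpServers to inspect
 * @param {string[]} [opts.pathDirs] directories to search for a bare command
 * @param {(p: string) => boolean} [opts.exists] file-existence probe (injectable)
 * @returns {{ ok: boolean, problems: string[] }}
 */
function validateMcpConfig(text, { serverName = "vettiq", pathDirs, exists } = {}) {
  const problems = [];
  let doc;
  try {
    doc = JSON.parse(text);
  } catch (e) {
    return { ok: false, problems: [`not valid JSON: ${e.message}`] };
  }
  const server = doc && doc.mcpServers && doc.mcpServers[serverName];
  if (!server) {
    return { ok: false, problems: [`no "mcpServers.${serverName}" entry`] };
  }
  if (typeof server.command !== "string" || server.command.length === 0) {
    problems.push('"command" is missing');
  } else if (pathDirs && exists) {
    // A command containing "/" is a path and is checked as-is; a bare name is
    // resolved against each PATH directory, as the shell would do.
    const candidates = server.command.includes("/")
      ? [server.command]
      : pathDirs.map((d) => `${d}/${server.command}`);
    if (!candidates.some(exists)) {
      problems.push(`command "${server.command}" not found on PATH`);
    }
  }
  const key = server.env && server.env.VETTIQ_API_KEY;
  if (typeof key !== "string" || PLACEHOLDER_KEYS.has(key.trim())) {
    problems.push("VETTIQ_API_KEY is missing or still a placeholder");
  }
  return { ok: problems.length === 0, problems };
}
```

Because .cursor/mcp.json sits at the project root, a literal API key in it is one careless commit away from your repository history; keep that file out of version control.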

Quick Start — HTTP Transport

VETTIQ_API_KEY=your_key VETTIQ_MCP_TRANSPORT=http node dist/index.js

MCP endpoint: http://localhost:3100/sse
Health check: http://localhost:3100/health

Quick Start — Docker

docker build -t vettiq-mcp .
docker run -e VETTIQ_API_KEY=your_key -p 3100:3100 vettiq-mcp

Available Tools (12)

| Tool | What it does | When to use |
|---|---|---|
| scan_code | Submit code for 6-stage security scan | Before committing any AI-generated code |
| get_scan_status | Poll scan progress | After scan_code |
| get_scan_results | Get findings and verified fixes | When scan is complete |
| check_mcp_server | Look up MCP server trust score | Before installing any MCP server |
| search_threat_intel | Search live CVE/threat database | Researching a vulnerability |
| get_security_score | Get repo Security Health Score | Monitoring security posture |
| list_open_findings | List all unresolved findings | Security review / sprint planning |
| scan_clawhub_skill | Scan a ClawHub skill for malware and guidance injection | Before installing any ClawHub skill |
| get_clawhub_skill_report | Retrieve a completed ClawHub scan report | Reviewing a previous skill scan |
| check_clawhub_blocklist | Instant check against VettIQ's malicious-skill blocklist | Fast pre-install gate (<100ms) |
| get_fix_job_status | Poll an async fix generation job | After calling generate_fix |
| get_fix_results | Retrieve completed fix diffs and PR links | When fix job is complete |

ClawHub Skill Security

Three tools cover the full lifecycle of vetting ClawHub MCP skills before they land in an agent:

  • scan_clawhub_skill — runs VettIQ's skill-adapted pipeline against a ClawHub slug. It detects AMOS/ClickFix malware delivery, guidance injection (persistent behavioral modification), N-run delay evasion, credential harvesting, and silent exfiltration, and returns a 0–100 risk score, a severity rating, and preview findings. With an API key it runs the full 6-stage pipeline; without one, only Stage 0+1 runs.
  • check_clawhub_blocklist — sub-100ms lookup against VettIQ's blocklist of confirmed malicious skills (e.g. the ClawHavoc campaign). Use as a fast gate before running a full scan.
  • get_clawhub_skill_report — retrieve a previously completed scan by slug/scan ID (badge status, risk score, last-scanned timestamp).
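The "fast gate, then full scan" sequence the two bullets above describe is easy to get subtly wrong (for example by installing anyway when the scan errors out). The block below is an added example, not code from the VettIQ project: vetSkill, the tools adapter and its response fields (listed, riskScore, severity, findings) are assumptions about how an MCP client would surface these tools, the blocklist entry and scan results are constructed, and the 40-point threshold is a local policy choice rather than a VettIQ default.

```javascript
// Added example (not part of @vettiq/mcp-server): install gate for a ClawHub
// skill that runs the instant blocklist check first and the full scan only
// for skills that pass it, failing closed when the scan cannot complete.

// Constructed stand-ins for the live service. The response shapes are
// assumptions, not the server's documented schema.
const FAKE_BLOCKLIST = new Set(["evil/constructed-dropper"]);
const FAKE_SCANS = {
  "productivity/task-manager": { riskScore: 12, severity: "low", findings: [] },
  "utils/shady-helper": { riskScore: 83, severity: "high", findings: ["credential harvesting"] },
};

const fakeTools = {
  // mirrors check_clawhub_blocklist: instant answer, no pipeline run
  check_clawhub_blocklist: async ({ slug }) => ({ listed: FAKE_BLOCKLIST.has(slug) }),
  // mirrors scan_clawhub_skill: slower, returns a 0-100 risk score
  scan_clawhub_skill: async ({ slug }) => {
    if (!(slug in FAKE_SCANS)) throw new Error(`unknown skill ${slug}`);
    return FAKE_SCANS[slug];
  },
};

/**
 * Decide whether a ClawHub skill may be installed.
 * @param {string} slug "publisher/skill" identifier
 * @param {object} tools adapter exposing the two tools by name (hypothetical)
 * @param {object} [opts]
 * @param {number} [opts.maxRiskScore=40] highest acceptable risk score (local policy)
 * @returns {Promise<{allow: boolean, reason: string, riskScore?: number, findings?: string[]}>}
 */
async function vetSkill(slug, tools, { maxRiskScore = 40 } = {}) {
  // Reject anything that is not a plain publisher/skill slug before it reaches the API.
  if (!/^[a-z0-9-]+\/[a-z0-9-]+$/i.test(slug)) {
    return { allow: false, reason: `malformed slug "${slug}"` };
  }
  const gate = await tools.check_clawhub_blocklist({ slug });
  if (gate.listed) {
    return { allow: false, reason: "on VettIQ malicious-skill blocklist" };
  }
  let report;
  try {
    report = await tools.scan_clawhub_skill({ slug });
  } catch (e) {
    // Fail closed: a skill that cannot be scanned is not installed.
    return { allow: false, reason: `scan failed: ${e.message}` };
  }
  if (report.riskScore > maxRiskScore) {
    return {
      allow: false,
      reason: `risk score ${report.riskScore} exceeds ${maxRiskScore}`,
      riskScore: report.riskScore,
      findings: report.findings,
    };
  }
  return { allow: true, reason: "passed blocklist and scan", riskScore: report.riskScore };
}
```

Wiring this into an agent's install hook means the blocklist answers the common case in well under the 100 ms budget the table quotes, and the slower full scan only runs for skills that are not already known bad.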

Fix Job Management

VettIQ's automated fix pipeline is asynchronous. After calling generate_fix in the web app or API, use these two tools to drive the job:

  • get_fix_job_status — poll the job status (pending → processing → completed/failed). Surfaces per-file progress, credit usage, and next-step guidance.
  • get_fix_results — once the job is complete, returns per-file diffs, confidence scores, explanations, and the PR link (when a GitHub PR was opened).

This replaces the earlier SSE-based flow with a simple polling pattern that works across any MCP client.
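The polling pattern is simple but needs a backoff and a hard deadline so a stuck job does not spin an agent forever. This is an added example, not code from the VettIQ project: pollFixJob and makeFakeTools are my own names, the status values pending/processing/completed/failed are the ones the section above lists, the job id fix_abc123 is reused from the README's example prompts, and the result fields (files, diff, prUrl) are assumptions. The sleep and clock are injectable so the block runs instantly offline.

```javascript
// Added example (not part of @vettiq/mcp-server): drive an asynchronous fix
// job with get_fix_job_status / get_fix_results using exponential backoff and
// an overall timeout.

// Constructed fake adapter: returns the given statuses in order, then repeats
// the last one. Field names are assumptions, not the server's schema.
function makeFakeTools(statuses, results) {
  let i = 0;
  return {
    get_fix_job_status: async ({ jobId }) => ({
      jobId,
      status: statuses[Math.min(i++, statuses.length - 1)],
    }),
    get_fix_results: async ({ jobId }) => results[jobId],
  };
}

/**
 * Poll a fix job until it completes, fails, or the deadline passes.
 * @returns {Promise<{status: string, polls: number, results: object|null}>}
 */
async function pollFixJob(
  jobId,
  tools,
  {
    baseDelayMs = 1000,
    maxDelayMs = 10000,
    timeoutMs = 120000,
    sleep = (ms) => new Promise((r) => setTimeout(r, ms)),
    now = Date.now,
  } = {},
) {
  const deadline = now() + timeoutMs;
  let delay = baseDelayMs;
  let polls = 0;
  for (;;) {
    const { status } = await tools.get_fix_job_status({ jobId });
    polls++;
    if (status === "completed") {
      const results = await tools.get_fix_results({ jobId });
      return { status, polls, results };
    }
    if (status === "failed") return { status, polls, results: null };
    if (status !== "pending" && status !== "processing") {
      throw new Error(`unexpected status "${status}" for job ${jobId}`);
    }
    if (now() >= deadline) return { status: "timeout", polls, results: null };
    await sleep(delay);
    delay = Math.min(delay * 2, maxDelayMs); // back off, capped
  }
}
```

Treat the returned diffs as proposals: review them (and the confidence scores) before applying, the same way you would a human contributor's pull request.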

Environment Variables

| Variable | Default | Description |
|---|---|---|
| VETTIQ_API_KEY | (required) | Your VettIQ API key |
| VETTIQ_API_BASE_URL | https://api.vettiq.ai | API base URL |
| VETTIQ_MCP_TRANSPORT | stdio | Transport: stdio or http |
| VETTIQ_MCP_PORT | 3100 | HTTP port (http transport only) |
| VETTIQ_MCP_DEBUG | false | Enable debug logging to stderr |
| VETTIQ_REQUEST_TIMEOUT_MS | 30000 | API request timeout (ms) |
| VETTIQ_RETRY_ATTEMPTS | 3 | Max retry attempts for 429/5xx |
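The table gives defaults but not what happens when a value is malformed, and it names a retry policy (429/5xx, up to VETTIQ_RETRY_ATTEMPTS) without showing it. The block below is an added example, not the package's own implementation: loadConfig applies the defaults from the table and rejects out-of-range values, and requestWithRetry implements the stated policy with exponential backoff. The validation ranges, the https requirement for non-localhost base URLs, and the Retry-After handling are my assumptions about sensible behaviour; doRequest is a hypothetical request function returning { status, headers }, and sleep is injectable so the block runs offline.

```javascript
// Added example (not part of @vettiq/mcp-server): apply the documented
// defaults, reject bad values early, and retry on 429/5xx as the table
// describes.

const DEFAULTS = {
  VETTIQ_API_BASE_URL: "https://api.vettiq.ai",
  VETTIQ_MCP_TRANSPORT: "stdio",
  VETTIQ_MCP_PORT: "3100",
  VETTIQ_MCP_DEBUG: "false",
  VETTIQ_REQUEST_TIMEOUT_MS: "30000",
  VETTIQ_RETRY_ATTEMPTS: "3",
};

// Parse a process.env-like object into a typed config, throwing on bad input.
function loadConfig(env) {
  const get = (k) => (env[k] !== undefined && env[k] !== "" ? env[k] : DEFAULTS[k]);
  const apiKey = env.VETTIQ_API_KEY;
  if (!apiKey) throw new Error("VETTIQ_API_KEY is required");

  const transport = get("VETTIQ_MCP_TRANSPORT");
  if (transport !== "stdio" && transport !== "http") {
    throw new Error(`VETTIQ_MCP_TRANSPORT must be stdio or http, got "${transport}"`);
  }

  // Assumption: the API key should only travel over TLS unless pointed at localhost.
  const baseUrl = new URL(get("VETTIQ_API_BASE_URL"));
  if (baseUrl.protocol !== "https:" && baseUrl.hostname !== "localhost") {
    throw new Error("VETTIQ_API_BASE_URL must use https (plain http only for localhost)");
  }

  // Integer fields with bounds chosen here as assumptions, not package limits.
  const intField = (k, min, max) => {
    const n = Number(get(k));
    if (!Number.isInteger(n) || n < min || n > max) {
      throw new Error(`${k} must be an integer in [${min}, ${max}]`);
    }
    return n;
  };

  return {
    apiKey,
    baseUrl: baseUrl.toString(),
    transport,
    port: intField("VETTIQ_MCP_PORT", 1, 65535),
    debug: get("VETTIQ_MCP_DEBUG") === "true",
    timeoutMs: intField("VETTIQ_REQUEST_TIMEOUT_MS", 1000, 600000),
    retryAttempts: intField("VETTIQ_RETRY_ATTEMPTS", 0, 10),
  };
}

// Retry on 429 and 5xx with exponential backoff; honour Retry-After (seconds)
// when the server sends one. `doRequest` resolves to { status, headers? }.
async function requestWithRetry(
  doRequest,
  { retryAttempts, baseDelayMs = 500, sleep = (ms) => new Promise((r) => setTimeout(r, ms)) },
) {
  let attempt = 0;
  for (;;) {
    const res = await doRequest();
    const retryable = res.status === 429 || (res.status >= 500 && res.status < 600);
    if (!retryable || attempt >= retryAttempts) return { ...res, attempts: attempt + 1 };
    const retryAfter = res.headers && res.headers["retry-after"];
    const delay = retryAfter ? Number(retryAfter) * 1000 : baseDelayMs * 2 ** attempt;
    await sleep(delay);
    attempt++;
  }
}
```

The table's note that debug logging goes to stderr is not incidental: with the stdio transport the server's stdout is the MCP protocol stream, so any stray console.log there corrupts the session.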

Example Prompts

  • "Scan this Supabase integration for security issues" [paste code]
  • "Check if github.com/owner/some-mcp-server is safe to install"
  • "Is the ClawHub skill productivity/task-manager on the blocklist?"
  • "Scan the ClawHub skill productivity/task-manager before I install it"
  • "What critical vulnerabilities is VettIQ tracking this week?"
  • "What's my security score for myorg/my-app?"
  • "List all open critical findings across my repositories"
  • "Scan my auth handler and apply the fixes"
  • "Poll fix job fix_abc123 until it's done and show me the diffs"

Troubleshooting

API key not working: Generate a new key at app.vettiq.ai → Settings → API Keys. The free tier includes 1 scan/month.

Server not appearing in Claude Code: Check that ~/.claude/mcp.json is valid JSON and the path to vettiq-mcp is correct. Restart Claude Code after any changes.

Scan taking too long: The 6-stage pipeline (Semgrep → Gemini → GPT-5.4 mini → Gemini → Claude Sonnet 4.6 → Gemini verification) typically completes in 60–90 seconds. Use get_scan_status to check progress.

Rate limit errors: Free plan: 1 scan/month. Pro ($49/mo): unlimited scans. Upgrade at app.vettiq.ai/pricing.

Development

npm install
npm run build
npm test
npm run typecheck

License

Proprietary — LumenIQ, Inc.