How do I install Depscope?

Depscope supports both local and remote installation. For local use, install it via npm (npx) and add the configuration to your AI app. For remote access, add the server URL to your MCP configuration.

What AI apps work with Depscope?

Depscope uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Depscope MCP Server

by Cuttalo

Developer ToolsLow Risk10.0MCP RegistryLocalRemote

Free

Server data from the Official MCP Registry

Package intelligence MCP for AI agents — 22 tools, 19 ecosystems, AGPL SDK, free.

About

Package intelligence MCP for AI agents — 22 tools, 19 ecosystems, AGPL SDK, free.

Remote endpoints: streamable-http: https://mcp.depscope.dev/mcp

Security Report

10.0

Low Risk10.0Low Risk

Valid MCP server (3 strong, 6 medium validity signals). No known CVEs in dependencies. Package registry verified. Imported from the Official MCP Registry.

5 files analyzed · 1 issue found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

file_system

Check that this permission is expected for this type of plugin.

HTTP Network Access

Connects to external APIs or services over the internet.

env_vars

Check that this permission is expected for this type of plugin.

How to Install & Connect

Available as Local & Remote

This plugin can run on your machine or connect to a hosted endpoint. during install.

Documentation

View on GitHub

From the project's GitHub README.

DepScope MCP Server

Package intelligence MCP server for AI agents. Stops AI coding agents (Claude, ChatGPT, Cursor, Windsurf, Copilot) from installing hallucinated, deprecated, or malicious packages across 19 ecosystems.

→ Backed by depscope.dev — 1.2M+ packages indexed, 19,000+ vulnerabilities tracked, real-time.

What's new in v0.9.0

The MCP server now sends a system-prompt directive to your AI client at handshake (server.instructions). Claude Code, Cursor, Windsurf and other MCP clients receive a proactive-invocation brief automatically — manual rule files (CLAUDE.md, .cursorrules, .windsurfrules) are now optional. Existing rules still work; they're just redundant.

What the model sees at every session start:

The 19-ecosystem coverage list
An "INVOKE PROACTIVELY" directive with explicit triggers (install, version bump, lockfile change, "module not found" errors, library comparison)
Three pillars: token-saving, energy-saving, security
Standard invocation flow: check_malicious → check_typosquat → check_package → install_command

For Claude Code there is also a companion plugin that bundles the MCP server with a skill carrying rich frontmatter triggers:

git clone https://github.com/cuttalo/depscope-claude-plugin ~/.claude/plugins/depscope

All npm versions <0.9.0 are now deprecated. Run npm update -g depscope-mcp if you installed globally.

Why this exists

LLMs frequently invent package names that look real but don't exist (fastapi-turbo, lodahs, tokio-stream-extras). When an agent tries to install one, it might hit an attacker's typosquat. DepScope verifies every package before install.

Quick start

Claude Desktop / Cursor / Windsurf (remote MCP)

Add to your MCP config:

{
  "mcpServers": {
    "depscope": {
      "url": "https://mcp.depscope.dev/mcp"
    }
  }
}

Local (stdio via npx)

{
  "mcpServers": {
    "depscope": {
      "command": "npx",
      "args": ["-y", "depscope-mcp"]
    }
  }
}

Tools (22)

Tool	Purpose
`check_package`	Full package check: deprecated/CVE/health/recommendation
`get_health_score`	0-100 score with breakdown (maintenance/popularity/security/maturity/community)
`get_vulnerabilities`	Open CVEs from OSV + KEV/EPSS
`package_exists`	Hallucination detector (404 = LLM invented it)
`find_alternatives`	Curated alternatives for deprecated/abandoned packages
`get_typosquat`	Suspicious name similarity check
`get_breaking_changes`	Migration plan between versions
`get_bugs`	Known bugs from GitHub issues
`compare_packages`	Side-by-side health/license/vuln comparison
`resolve_error`	Map error message → likely cause + fix
`search_errors`	Find similar error reports across ecosystems
`check_compat`	Stack compatibility check
`get_latest_version`	Latest stable + maturity signal
... and 9 more	full list in `tools.js`

Ecosystems (19)

npm · pypi · cargo · go · composer · maven · nuget · rubygems · pub · hex · swift · cocoapods · cpan · hackage · cran · conda · homebrew · jsr · julia

Pricing

Free. No auth required. Generous rate limits. The MCP server is open-source (AGPL-3.0); the backend (depscope.dev API) is proprietary.

License

AGPL-3.0-or-later. Backend is proprietary; this client is open.

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Fetch

Free

by Modelcontextprotocol · Developer Tools

Web content fetching and conversion for efficient LLM usage

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

Depscope MCP Server

About

Security Report

Findings (1)

Permissions Required

How to Install & Connect

Documentation

DepScope MCP Server

What's new in v0.9.0

Why this exists

Quick start

Claude Desktop / Cursor / Windsurf (remote MCP)

Local (stdio via npx)

Tools (22)

Ecosystems (19)

Pricing

License

Links

Reviews

No reviews yet

More Developer Tools MCP Servers

Fetch

Toleno

mcp-creator-python

MarkItDown

FinAgent

mcp-creator-typescript