Server data from the Official MCP Registry
CVE and supply chain checks for MCP clients. Covers infrastructure, PyPI, and npm packages.
CVE and supply chain checks for MCP clients. Covers infrastructure, PyPI, and npm packages.
This MCP server is well-designed with proper authentication, minimal attack surface, and appropriate input validation. The server requires an Attestd API key for sensitive operations, handles errors gracefully, and all network calls are scoped to the Attestd API. Minor code quality observations around error handling breadth do not materially impact security. Supply chain analysis found 2 known vulnerabilities in dependencies (0 critical, 2 high severity). Package verification found 1 issue.
7 files analyzed · 6 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: ATTESTD_API_KEY
Environment variable: ATTESTD_BASE_URL
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-attestd-io-attestd-mcp": {
"env": {
"ATTESTD_API_KEY": "your-attestd-api-key-here",
"ATTESTD_BASE_URL": "your-attestd-base-url-here"
},
"args": [
"-y",
"@attestd/mcp"
],
"command": "npx"
}
}
}From the project's GitHub README.
Attestd checks whether a dependency version has exploitable CVEs or a confirmed supply-chain compromise. One API call returns a structured risk response.
Official Model Context Protocol (MCP) server for Attestd. Exposes CVE risk and supply-chain checks as tools for Claude Code, Claude Desktop, and any MCP-compatible client.
Get a free API key · Full docs
npx -y @attestd/mcp with no global install.check_package_vulnerability: wraps GET /v1/check using @attestd/sdk.check_batch_vulnerabilities: checks up to 100 packages in one call. Use for lockfile and manifest audits.list_covered_products: returns supported infrastructure product slugs (static list). No API key required.check_package_vulnerability and check_batch_vulnerabilities.Add to ~/.claude/mcp.json or project .mcp.json:
{
"mcpServers": {
"attestd": {
"command": "npx",
"args": ["-y", "@attestd/mcp"],
"env": {
"ATTESTD_API_KEY": "your-api-key-here"
}
}
}
}
Optional: override the API base URL (e.g. dev):
"env": {
"ATTESTD_API_KEY": "your-api-key-here",
"ATTESTD_BASE_URL": "https://dev.api.attestd.io"
}
check_package_vulnerability| Argument | Type | Description |
|---|---|---|
product | string | Product slug (nginx, postgresql, litellm, …) |
version | string | Exact version (1.20.0) |
Returns JSON with:
| Field | Meaning |
|---|---|
outsideCoverage | true if the product is not covered. Unknown risk, not safe. |
riskState | critical | high | elevated | low | none | null when outside coverage |
activelyExploited | CISA KEV signal |
remoteExploitable | true if any matching CVE is remotely exploitable |
authenticationRequired | true only when all matching CVEs require authentication |
patchAvailable / fixedVersion | Patch guidance |
confidence | Synthesis confidence 0.0–1.0 |
cveIds | CVE IDs contributing to the risk assessment |
typosquat | Present when the package name resembles a known product |
message | Explanation when outsideCoverage is true |
supplyChainCompromised / supplyChainDescription | PyPI/npm supply-chain signal |
On invalid/missing API key or rate limit, returns isError: true with a JSON error string.
check_batch_vulnerabilities| Argument | Type | Description |
|---|---|---|
items | array | Array of { product, version } objects. Maximum 100 per call. Each item costs one API call. |
Quota is checked upfront. If the batch would exceed your monthly quota, a 429 is returned before any calls are billed.
Returns JSON with count and results. Supported items include the same fields as check_package_vulnerability minus typosquat. Outside-coverage items return only product, version, outsideCoverage: true, and riskState: null.
list_covered_productsNo arguments. Returns JSON with count and products (slug + display for each covered infrastructure product).
npm run build
echo '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | node dist/index.js
MIT. See LICENSE.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.