How do I install Ghostfree?

Ghostfree is a local plugin. Install it using npm package: ghostfree and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Ghostfree need?

Ghostfree requires the following credentials or environment variables: GHOSTFREE_DIR, GHOSTFREE_MIN_SEVERITY, NVD_API_KEY. You can find setup instructions on the server detail page.

What AI apps work with Ghostfree?

Ghostfree uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Ghostfree

by Shane Js

Developer ToolsModerate5.5MCP RegistryLocal

Free

Server data from the Official MCP Registry

MCP server that scans your repo's dependencies for security vulnerabilities based on published CVEs.

About

MCP server that scans your repo's dependencies for security vulnerabilities based on published CVEs.

What You'll Need

Set these up before or after installing:

Override the directory where GhostFree stores its data files (accepted-risks.yml, config.yml). Defaults to .ghostfree/ in the scanned repository root.Optional

Environment variable: GHOSTFREE_DIR

Minimum CVE severity level to surface. One of: CRITICAL, HIGH, MEDIUM (default), LOW.Optional

Environment variable: GHOSTFREE_MIN_SEVERITY

Optional NVD API key for higher rate limits when enriching CVE details. Free to request at https://nvd.nist.gov/developers/request-an-api-key.Required

Environment variable: NVD_API_KEY

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-shane-js-ghostfree": {
      "env": {
        "NVD_API_KEY": "your-nvd-api-key-here",
        "GHOSTFREE_DIR": "your-ghostfree-dir-here",
        "GHOSTFREE_MIN_SEVERITY": "your-ghostfree-min-severity-here"
      },
      "args": [
        "-y",
        "ghostfree"
      ],
      "command": "npx"
    }
  }
}

Security Report

5.5

Moderate5.5Moderate Risk

This is a well-designed security vulnerability scanner with appropriate permissions for its purpose. The server properly communicates with OSV.dev, NVD, and CISA APIs to scan dependencies for CVEs. No significant security issues found - auth requirements are appropriate, code quality is good, and permissions align with functionality. Supply chain analysis found 23 known vulnerabilities in dependencies (1 critical, 10 high severity). Package verification found 1 issue.

Scanned 5 files · 27 findings

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

File System Read

Reads files on your machine. Normal for tools that analyze or process local data.

File System Write

Writes or modifies files on your machine. Check that this is expected for the tool.

HTTP Network Access

Connects to external APIs or services over the internet.

env_vars

Check that this permission is expected for this type of plugin.

Reviews

No reviews yet

Be the first to review this server!