Server data from the Official MCP Registry
Check packages for CVEs, slopsquatting, and CISA KEV before your AI agent installs them.
Check packages for CVEs, slopsquatting, and CISA KEV before your AI agent installs them.
Well-structured MCP server for vulnerability database queries with proper authentication mechanisms and appropriate permission scoping. The code demonstrates good security practices with clear separation of concerns, proper error handling, and secure token management via environment variables. No critical vulnerabilities or malicious patterns detected. Supply chain analysis found 5 known vulnerabilities in dependencies (0 critical, 5 high severity). Package verification found 1 issue.
4 files analyzed · 11 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: VDB_API_URL
Environment variable: VDB_API_TOKEN
Add this to your MCP configuration file:
{
"mcpServers": {
"kr-ai-vdb-vdb": {
"env": {
"VDB_API_URL": "your-vdb-api-url-here",
"VDB_API_TOKEN": "your-vdb-api-token-here"
},
"args": [
"vdb-mcp"
],
"command": "uvx"
}
}
}From the project's GitHub README.
mcp-name: kr.ai.vdb/vdb
MCP (Model Context Protocol) server for VDB — the AI-aware vulnerability database. Lets Claude Desktop, Claude Code, Cursor, Cline, Continue, and any MCP client check packages while generating code: known CVEs, slopsquatting (LLM-hallucinated package names an attacker may have registered), CISA KEV status, MCP-server trust profiles, and more.
uvx vdb-mcp # or: pipx run vdb-mcp
Claude Desktop (claude_desktop_config.json) / Cursor (.cursor/mcp.json):
{
"mcpServers": {
"vdb": { "command": "uvx", "args": ["vdb-mcp"] }
}
}
No install at all — point any streamable-HTTP MCP client at the hosted endpoint:
{
"mcpServers": {
"vdb": { "url": "https://vdb.ai.kr/mcp" }
}
}
That's it — the server talks to the hosted instance at https://vdb.ai.kr
by default. Anonymous use gets a free per-IP trial; add an API key for
unmetered access (free at https://vdb.ai.kr/signup):
{
"mcpServers": {
"vdb": {
"command": "uvx",
"args": ["vdb-mcp"],
"env": { "VDB_API_TOKEN": "vdb_..." }
}
}
}
| Tool | What it does |
|---|---|
vdb_check_package | Check one package (purl + optional version) for vulnerabilities, slop risk, KEV |
vdb_check_packages | Bulk slopsquatting / risk check for a list of packages |
vdb_lookup | Fetch one advisory by ID (CVE-…, GHSA-…, VDB-SLOP-…) |
vdb_search | Free-text search over the vulnerability corpus |
vdb_check_mcp_server | Trust tier + permission scopes of a community MCP server |
vdb_list_slopsquatting | Current slopsquatting candidates per ecosystem |
| Variable | Default | Meaning |
|---|---|---|
VDB_API_URL | https://vdb.ai.kr | VDB instance to query (set for self-hosted) |
VDB_API_TOKEN | (empty) | vdb_… API key — unmetered, per-account quota |
MCP_MODE | stdio | stdio or sse (long-running HTTP server) |
MCP_PORT | 7700 | SSE port |
LLMs hallucinate package names; attackers register them (slopsquatting).
LLMs also happily recommend packages with known RCEs. VDB gives your agent a
guardrail: one tool call before npm install / pip install. See
https://vdb.ai.kr/connect for the one-line prompt variant that needs no MCP
at all.
Elastic License 2.0 — free to use, including inside commercial organizations and CI. The only restrictions: you may not offer this software to third parties as a hosted or managed service, or resell it as a product. Commercial licensing beyond that: dev@egdee.com. API usage is governed by the VDB service terms regardless of how you call it.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.