
io.github.andrasfe/vulnicheck

io.github.andrasfe/vulnicheck·v0.1.0·Security

HTTP MCP Server for comprehensive Python vulnerability scanning and security analysis.

Trust verdict · v1 advisory · method
NOT YET SCREENED · no verdict on file

Verdict not yet evaluated for this tool. The semantic screen takes adversarial cases first; coverage rolls out as the corpus expands (15/150 labels to graduation). The deterministic conformance probe is built but has not yet run on the public corpus, so a recorded verdict here is REVIEW or UNVERIFIED, never a clearing ALLOW. Until a verdict is recorded, an agent should treat this tool as not-yet-cleared and fall back to its own checks. Method: the eval, four-state verdict, honest limits.


Environment variables
NVD_API_KEY (secret): API key for NIST National Vulnerability Database (increases rate limit from 5 to 50 requests per 30 seconds)

GITHUB_TOKEN (secret): GitHub token for Advisory Database access (increases rate limit to 5000 requests per hour)

OPENAI_API_KEY (secret): OpenAI API key for LLM-based risk assessment in MCP passthrough operations

ANTHROPIC_API_KEY (secret): Anthropic API key for LLM-based risk assessment (alternative to OpenAI)

MCP_PORT: Port for MCP HTTP server (default: 3000)

CACHE_TTL: Cache time-to-live in seconds for vulnerability data (default: 900)

VULNICHECK_HTTP_ONLY: Enable HTTP-only mode with MCP client delegation (true/false, default: auto-detect)

MCP quality score · maturity, not trust · methodology
freshness: 7
completeness: 10
installability: 25
documentation: 15
stability: 5