io.github.cyanheads/osv-advisory-mcp-server

io.github.cyanheads/osv-advisory-mcp-server·v0.1.1·Security

Query OSV.dev for package vulnerabilities and batch-audit dependency lists via MCP.

Trust verdict · v1 advisory · method

NOT YET SCREENEDno verdict on file

Verdict not yet evaluated for this tool. The hybrid eval runs adversarial cases first; coverage rolls out as the corpus expands (15 of 150 labels to graduation). Until a verdict is recorded, an agent should treat this tool as not-yet-cleared and fall back to its own checks. Method: hybrid eval, four-state verdict, honest limits.

Environment variables

OSV_REQUEST_TIMEOUT_MS

HTTP request timeout in milliseconds for OSV.dev API calls.

MCP_LOG_LEVEL

Sets the minimum log level for output (e.g., 'debug', 'info', 'warn').

OSV_REQUEST_TIMEOUT_MS

HTTP request timeout in milliseconds for OSV.dev API calls.

MCP_HTTP_HOST

The hostname for the HTTP server.

MCP_HTTP_PORT

The port to run the HTTP server on.

MCP_HTTP_ENDPOINT_PATH

The endpoint path for the MCP server.

MCP_AUTH_MODE

Authentication mode to use: 'none', 'jwt', or 'oauth'.

MCP_LOG_LEVEL

Sets the minimum log level for output (e.g., 'debug', 'info', 'warn').

MCP quality score · maturity, not trust · methodology

freshness

completeness

installability

documentation

stability

Alternatives in Security

Helixar Security

ai.helixar/mcp

Security tools for AI agents: scan MCP servers, validate HDP delegation chains, audit releases.

ai.smithery/Nekzus-npm-sentinel-mcp

Provide AI-powered real-time analysis and intelligence on NPM packages, including security, depend…

app.zenable/zenable

Zenable cleans up sloppy AI code and prevents vulnerabilities with deterministic guardrails

Install

Remote endpoint

Streamable HTTP / SSE endpoint. Add to any MCP client that supports remote servers.

https://osv-advisory.caseyjhand.com/mcp

Claude Desktop (claude_desktop_config.json)

{
  "mcpServers": {
    "osv-advisory-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "@cyanheads/osv-advisory-mcp-server"
      ],
      "env": {
        "OSV_REQUEST_TIMEOUT_MS": "10000",
        "MCP_LOG_LEVEL": "info",
        "MCP_HTTP_HOST": "127.0.0.1",
        "MCP_HTTP_PORT": "3010",
        "MCP_HTTP_ENDPOINT_PATH": "/mcp",
        "MCP_AUTH_MODE": "none"
      }
    }
  }
}

Cursor (.cursor/mcp.json)

{
  "mcpServers": {
    "osv-advisory-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "@cyanheads/osv-advisory-mcp-server"
      ],
      "env": {
        "OSV_REQUEST_TIMEOUT_MS": "10000",
        "MCP_LOG_LEVEL": "info",
        "MCP_HTTP_HOST": "127.0.0.1",
        "MCP_HTTP_PORT": "3010",
        "MCP_HTTP_ENDPOINT_PATH": "/mcp",
        "MCP_AUTH_MODE": "none"
      }
    }
  }
}

Cline (cline_mcp_settings.json)

npx -y @cyanheads/osv-advisory-mcp-server

Verdict API

curl -s mcpindex.ai/api/v1/trust/server/io-github-cyanheads-osv-advisory-mcp-server

Free-tier verdict as JSON: decision + dimensions + severity. Call it from your agent before it invokes a tool it just discovered.

Details

version: v0.1.1
category: Security
quality: 80 / 100
operator: cyanheads

Provenance

Verdict history is anchored to Bitcoin via OpenTimestamps. The free tier returns the current verdict only; the anchored record is served on the authenticated tier.

Links

Repository →Remote endpoint →