GhostFree

io.github.shane-js/ghostfree·v0.2.0·Security

MCP server that scans your repo's dependencies for security vulnerabilities based on published CVEs.

Trust verdict · v1 advisory · method

REVIEWstatus: PARTIALfresh until 2026-07-01 10:33 UTC

screened 2026-06-01tier: scannedgranularity: description-levelsource: registry

Semantic screen found no manipulation pattern in the description. Conformance probe not yet run.

mcpindex.integrity.descriptionpassINFO

evidence“Scans dependencies”via static_description

Limits of this verdict

- Semantic screen only - the deterministic conformance probe has not run on this server
- Confidence is reported but not yet calibrated (v1)
- Screen reads the tool description, not the live behavior
- advisory
- registry description only no input schema

Semantic screen: an LLM judge reads the tool description for hidden instructions (status PARTIAL). A pass means the description is not lying, not that the tool is safe: a high-capability tool with an honest description still warrants caution. The deterministic conformance probe has not been run on this server yet, so the screen here is semantic-only. Posture: advisory. Confidences are reported but not yet calibrated (calibrated=false at v1). History is paid-tier and not shown here.

Own this server? Screen its description →

Embed this badge

A live verdict badge for your README or listing. It reflects the current screen, links back here, and updates when the verdict does.

Markdown

[![mcpindex](https://mcpindex.ai/api/v1/badge/io-github-shane-js-ghostfree)](https://mcpindex.ai/server/io-github-shane-js-ghostfree)

HTML

<a href="https://mcpindex.ai/server/io-github-shane-js-ghostfree"><img src="https://mcpindex.ai/api/v1/badge/io-github-shane-js-ghostfree" alt="mcpindex verdict" height="20" /></a>

Environment variables

GHOSTFREE_DIR

Override the directory where GhostFree stores its data files (accepted-risks.yml, config.yml). Defaults to .ghostfree/ in the scanned repository root.

GHOSTFREE_MIN_SEVERITY

Minimum CVE severity level to surface. One of: CRITICAL, HIGH, MEDIUM (default), LOW.

NVD_API_KEY

secret

Optional NVD API key for higher rate limits when enriching CVE details. Free to request at https://nvd.nist.gov/developers/request-an-api-key.

MCP quality score · maturity, not trust · methodology

freshness

completeness

installability

documentation

stability

Alternatives in Security

ai.dynamicfeed/dynamic-feed

87 keyless tools of live, verifiable data for AI: weather, hazards, space, CVEs. Ed25519-signed.

Helixar Security

ai.helixar/mcp

Security tools for AI agents: scan MCP servers, validate HDP delegation chains, audit releases.

RFP.ai

ai.rfp/rfp-ai

Draft cited RFP and security questionnaire answers from your knowledge base, with human review

Install

Claude Desktop (claude_desktop_config.json)

{
  "mcpServers": {
    "ghostfree": {
      "command": "npx",
      "args": [
        "-y",
        "ghostfree"
      ],
      "env": {
        "GHOSTFREE_DIR": "<ghostfree_dir>",
        "GHOSTFREE_MIN_SEVERITY": "MEDIUM",
        "NVD_API_KEY": "<your-nvd_api_key>"
      }
    }
  }
}

Cursor (.cursor/mcp.json)

{
  "mcpServers": {
    "ghostfree": {
      "command": "npx",
      "args": [
        "-y",
        "ghostfree"
      ],
      "env": {
        "GHOSTFREE_DIR": "<ghostfree_dir>",
        "GHOSTFREE_MIN_SEVERITY": "MEDIUM",
        "NVD_API_KEY": "<your-nvd_api_key>"
      }
    }
  }
}

Cline (cline_mcp_settings.json)

npx -y ghostfree

Verdict API

curl -s mcpindex.ai/api/v1/trust/server/io-github-shane-js-ghostfree

Free-tier verdict as JSON: decision + dimensions + severity. Call it from your agent before it invokes a tool it just discovered.

Details

version: v0.2.0
category: Security
verdict expires: 2026-07-01
quality: 92 / 100
operator: shane-js

Provenance

Verdict history is anchored to Bitcoin via OpenTimestamps. The free tier returns the current verdict only; the anchored record is served on the authenticated tier.

Links

Repository →Website →