Integrates reconnaissance and exploitation workflows for security testing, including service detection, vulnerability validation, and exploit execution with safety controls
Provides reference documentation for OWASP Top 10 vulnerability categories to guide security assessment workflows
Supports browser automation for live security testing as an alternative option for projects that already include Puppeteer
Provides methodology and documentation for CVE and dependency scanning, guiding AI agents through vulnerability detection in project dependencies
Security Knowledge MCP Server
A knowledge-focused MCP (Model Context Protocol) server that guides AI agents through security assessments. Instead of executing tools itself, it provides the methodology, documentation, and step-by-step workflows, and leaves running the CLI commands to your AI agent, which then does so with full context.
Installation
Direct from GitHub (Recommended)
Running the server through npx (`npx github:yunusj/VibeDefender-MCP`, the same command used under Troubleshooting below) automatically clones the repository, installs its dependencies, builds it, and starts the MCP server.
Global Installation
Philosophy
The MCP GUIDES, not executes.
Your AI agent (Claude Code, Cursor, etc.) already has the ability to run CLI commands. This MCP provides:
Step-by-step methodology for security assessments
Installation guides for required tools
Plain English explanations for non-technical users
Documentation proxy for always-current tool docs
Configuration
Claude Code
Add to your Claude Code MCP settings:
Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
Cursor
Add to Cursor's MCP settings (Settings → Features → MCP):
Google Antigravity
Same configuration as Claude Desktop.
Testing with MCP Inspector
Test the server before configuring in your editor:
Expected: Web UI shows "Connected", lists all security:// resources and 5 workflow prompts.
Quick Start
Just say what you want in plain English:
"Help me set up security scanning" - Guides you through installing tools
"Scan my code for security issues" - Runs comprehensive scans
"Check my code before I push" - Quick pre-commit check
"Test my app on localhost" - Starts dev server and runs live tests
"Check this URL for vulnerabilities" - Tests a specific URL
Available Prompts
| Prompt | What It Does |
|---|---|
| | Checks what tools are installed, guides installation |
| | Comprehensive scan: static analysis + runtime testing + artifacts |
| | Quick critical-only check (fast, no runtime analysis) |
| | Starts your dev server and runs live security tests |
| | Tests a URL you provide (with authorization check) |
Required Tools
The MCP guides you through installing these (just say "help me set up"):
| Tool | Purpose | Install (macOS) |
|---|---|---|
| Trivy | CVE/dependency scanning | |
| Semgrep | Static code analysis | |
| Nuclei | Runtime testing (mandatory) | |
Metasploit Integration
Metasploit Framework is integrated for both discovery (reconnaissance) and exploitation phases.
Setup
Install the external Metasploit MCP server:
Set the environment variable (add it to `~/.bashrc` or `~/.zshrc`):
Verify the installation:
Usage
Discovery Phase (Automatic):
Runs safe auxiliary modules for service detection
Port scanning and version detection
Correlates findings with the CVE database
No exploitation attempts
Exploitation Phase (Requires Approval):
Executes exploits only against validated vulnerabilities
Requires explicit human approval
Session management and post-exploitation, limited to read-only evidence gathering
Safety
⚠️ CRITICAL: Authorization Required
Only use on systems you own OR have written permission to test
Unauthorized access to computer systems is illegal
Discovery phase: Basic authorization sufficient
Exploitation phase: Explicit approval required
Documentation
See `security://methodology/exploitation` for the complete exploitation workflow
See `security://docs/metasploit` for detailed tool usage, including safety guidelines, workflow examples, and troubleshooting
Available Resources
Methodology Guides
| Resource | Description |
|---|---|
| | How to find attack surface |
| | What to scan, in what order |
| | How to validate on live targets |
| | How to structure reports |
Reference Documentation
| Resource | Description |
|---|---|
| | What CRITICAL/HIGH/MEDIUM/LOW mean |
| | Common weakness types |
| | OWASP vulnerability categories |
| | Browser automation choices |
Tool Documentation
| Resource | Description |
|---|---|
| | Overview of all tools |
| | Trivy quick start |
| | Semgrep quick start |
| | Nuclei quick start |
| | Playwright MCP info |
| `security://docs/metasploit` | Metasploit basics |
Example Workflows
First Time Setup
Before Pushing Code
Full Security Scan
Project Structure
Design Decisions
No execution tools - AI agents already have CLI access. We provide knowledge.
Plain English - Everything explained for non-technical users.
Step-by-step - Prompts tell the AI exactly what to do at each step.
Documentation proxy - Search patterns for always-current tool docs.
Minimal files - 4 files total, easy to understand and maintain.
GitHub-based distribution - No npm publish, direct from source via npx.
Browser Automation Options
For live testing that needs a browser:
| Option | When to Use |
|---|---|
| Playwright MCP | Claude Code, Cursor, most IDEs |
| Browser Agent | Google Antigravity IDE (built-in) |
| Puppeteer | If already in the project |
Troubleshooting
Build Errors
If you see TypeScript compilation errors when installing from GitHub:
MCP Server Not Connecting
Test with MCP Inspector first (see "Testing with MCP Inspector" above)
Check the Node.js version: `node --version` (requires >= 22.0.0)
Verify the server runs standalone: `npx github:yunusj/VibeDefender-MCP` should print "Security Knowledge MCP server running on stdio"
Check the editor configuration file syntax (must be valid JSON)
Restart your AI editor after configuration changes
Permission Errors
If you get EACCES errors:
Update to Latest Version
Security Notice
Only scan systems you are authorized to test
Live validation (scan-url, scan-live) requires explicit authorization
The AI will ask for confirmation before testing URLs
Always get written permission before security testing
Follow responsible disclosure practices
License
MIT