PatchPilot MCP
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@PatchPilot MCPCheck if lodash@4.17.0 is safe"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
PatchPilot MCP
Security scanner for vibe coders. Checks npm packages for known vulnerabilities before you install them.
What it does
PatchPilot is an MCP server that integrates with Claude Code, Cursor, and other AI coding tools. When you're about to install a package, you can ask Claude to check if it's safe first.
Example:
You: "Check if lodash@4.17.0 is safe to use"
Claude: 🚨 lodash@4.17.0 has 4 known vulnerabilities!
...
💡 Recommendation: Update to lodash@4.17.21 or laterRelated MCP server: DepShield MCP
Installation
Prerequisites
Node.js 18+
Claude Code or another MCP-compatible client
Setup
Clone this repository:
git clone https://github.com/YOUR_USERNAME/patchpilot-mcp.git
cd patchpilot-mcpInstall dependencies:
npm installBuild:
npm run buildAdd to Claude Code
Add to your Claude Code config (~/.claude/settings.json):
{
"mcpServers": {
"patchpilot": {
"command": "node",
"args": ["/path/to/patchpilot-mcp/dist/index.js"]
}
}
}Or for development (without building):
{
"mcpServers": {
"patchpilot": {
"command": "npx",
"args": ["tsx", "/path/to/patchpilot-mcp/src/index.ts"]
}
}
}Restart Claude Code after adding the config.
Usage
Once installed, ask Claude to check packages:
"Check if express@4.17.0 is safe"
"Is next@14.1.0 secure?"
"Check lodash 4.17.0 for vulnerabilities"
How it works
PatchPilot uses the OSV API (Google's Open Source Vulnerabilities database) to check packages. The API is:
Free (no API key needed)
Fast
Comprehensive (aggregates data from npm, GitHub, NVD, and more)
Available Tools
check_package
Check a single npm package for known vulnerabilities.
Input:
name: Package name (e.g., "lodash")version: Package version (e.g., "4.17.0")
Output:
Vulnerability count and severity breakdown
Details of each vulnerability
Recommended fix version
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/ProduktEntdecker/patchpilot-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server