MCP Vulnerability Checker Server

package_vulnerability_check

Check Python packages for known security vulnerabilities using the OSV database to identify risks in dependencies.

Instructions

Check for known vulnerabilities in Python packages using OSV database

Input Schema

TableJSON Schema

Name	Required	Description	Default
`package_name`	Yes	Name of the Python package to check for vulnerabilities (e.g., 'requests', 'django', 'flask')
`version`	No	Specific version to check (optional). If not provided, checks all known versions.

Implementation Reference

mcp_simple_tool/tools/package_vulnerability.py:175-244 (handler)

The primary handler function that executes the tool's logic: normalizes package name, fetches metadata from PyPI, queries OSV.dev for vulnerabilities, generates formatted report, and returns MCP TextContent or error messages.

async def check_package_vulnerabilities(
    package_name: str, version: Optional[str] = None
) -> List[types.TextContent | types.ImageContent | types.EmbeddedResource]:
    """
    Check for known vulnerabilities in a Python package.

    Args:
        package_name: Name of the Python package to check
        version: Specific version to check (optional, checks all versions if not provided)

    Returns:
        List of content containing vulnerability report or error messages
    """
    # Clean up package name
    package_name = package_name.lower().strip().replace("_", "-")

    if not package_name:
        return [
            types.TextContent(type="text", text="Error: Package name cannot be empty.")
        ]

    try:
        # Get package info from PyPI
        package_info = await get_package_info(package_name)

        if not package_info:
            return [
                types.TextContent(
                    type="text",
                    text=f"Error: Package '{package_name}' not found on PyPI. Please check the package name.",
                )
            ]

        # Query OSV for vulnerabilities
        vulns = await query_osv_vulnerabilities(package_name, version)

        # Format the report
        report = format_vulnerability_report(vulns, package_name, package_info)

        return [types.TextContent(type="text", text=report)]

    except httpx.TimeoutException:
        return [
            types.TextContent(
                type="text",
                text="Error: Request timed out while checking package vulnerabilities.",
            )
        ]
    except httpx.HTTPStatusError as e:
        return [
            types.TextContent(
                type="text",
                text=f"Error: HTTP {e.response.status_code} error while fetching vulnerability data.",
            )
        ]
    except json.JSONDecodeError:
        return [
            types.TextContent(
                type="text",
                text="Error: Invalid JSON response from vulnerability database.",
            )
        ]
    except Exception as e:
        return [
            types.TextContent(
                type="text",
                text=f"Error: Failed to check package vulnerabilities: {str(e)}",
            )
        ]

mcp_simple_tool/server.py:180-193 (schema)

JSON schema defining the tool's input parameters: required 'package_name' string and optional 'version' string.

inputSchema={
    "type": "object",
    "required": ["package_name"],
    "properties": {
        "package_name": {
            "type": "string",
            "description": "Name of the Python package to check for vulnerabilities (e.g., 'requests', 'django', 'flask')",
        },
        "version": {
            "type": "string",
            "description": "Specific version to check (optional). If not provided, checks all known versions.",
        },
    },
},

mcp_simple_tool/server.py:177-194 (registration)

Registration of the 'package_vulnerability_check' tool in the server's list_tools() method, providing name, description, and input schema.

types.Tool(
    name="package_vulnerability_check",
    description="Check for known vulnerabilities in Python packages using OSV database",
    inputSchema={
        "type": "object",
        "required": ["package_name"],
        "properties": {
            "package_name": {
                "type": "string",
                "description": "Name of the Python package to check for vulnerabilities (e.g., 'requests', 'django', 'flask')",
            },
            "version": {
                "type": "string",
                "description": "Specific version to check (optional). If not provided, checks all known versions.",
            },
        },
    },
),

mcp_simple_tool/tools/package_vulnerability.py:35-70 (helper)

Helper function that constructs and sends POST request to OSV.dev API to retrieve vulnerability data for the specified PyPI package and optional version.

async def query_osv_vulnerabilities(
    package_name: str, version: Optional[str] = None
) -> List[Dict[str, Any]]:
    """
    Query OSV database for vulnerabilities in a Python package.

    Args:
        package_name: Name of the Python package
        version: Specific version to check (optional)

    Returns:
        List of vulnerability records
    """
    osv_query = {"package": {"name": package_name, "ecosystem": "PyPI"}}

    if version:
        osv_query["version"] = version

    headers = {
        "User-Agent": "MCP Package Vulnerability Checker v1.0",
        "Content-Type": "application/json",
    }

    try:
        timeout = httpx.Timeout(15.0, connect=10.0)
        async with httpx.AsyncClient(headers=headers, timeout=timeout) as client:
            response = await client.post("https://api.osv.dev/v1/query", json=osv_query)
            response.raise_for_status()

            data = response.json()
            return data.get("vulns", [])

    except Exception:
        # Return empty list but don't print error - let caller handle it
        return []

mcp_simple_tool/tools/package_vulnerability.py:15-33 (helper)

Helper function that fetches package metadata (including latest version) from PyPI JSON API.

async def get_package_info(package_name: str) -> Optional[Dict[str, Any]]:
    """
    Get package information from PyPI to find the latest version.

    Args:
        package_name: Name of the Python package

    Returns:
        Dictionary containing package info or None if not found
    """
    try:
        timeout = httpx.Timeout(10.0, connect=5.0)
        async with httpx.AsyncClient(timeout=timeout) as client:
            response = await client.get(f"https://pypi.org/pypi/{package_name}/json")
            response.raise_for_status()
            return response.json()
    except Exception:
        return None

Tool Definition Quality

A3.7/5.0

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It states the tool checks for vulnerabilities using the OSV database, which implies a read-only, non-destructive operation, but does not detail rate limits, authentication needs, error handling, or response format. It adds some context but leaves significant behavioral aspects unspecified.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence that directly states the tool's purpose without unnecessary words. It is appropriately sized and front-loaded, with every part contributing essential information.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's moderate complexity (2 parameters, no output schema, no annotations), the description is minimally adequate. It covers the basic purpose but lacks details on behavioral traits, output format, or integration with sibling tools, leaving gaps that could hinder effective use by an AI agent.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema already fully documents both parameters ('package_name' and 'version'). The description does not add any additional meaning beyond what the schema provides, such as examples or edge cases, resulting in a baseline score of 3.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the specific action ('Check for known vulnerabilities') and target resource ('Python packages using OSV database'), distinguishing it from siblings like 'cve_lookup' or 'search_vulnerabilities' by focusing on package-level vulnerability assessment rather than CVE-specific queries or broader searches.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage for Python packages but does not explicitly state when to use this tool versus alternatives like 'cve_lookup' for CVE details or 'search_vulnerabilities' for broader queries. It provides basic context but lacks explicit guidance on exclusions or comparisons with sibling tools.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/firetix/vulnerability-intelligence-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server