Provides automated security audits of Firebase security rules to identify potential vulnerabilities and misconfigurations.
Integrates with npm audit to scan project dependencies for known vulnerabilities and security risks.
Enriches security audit findings with OWASP security categories and standardized vulnerability references.
Analyzes Prisma schemas for database-related security vulnerabilities and configuration issues.
Scans Supabase security rules to detect data exposure risks and access control vulnerabilities.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@VibeCheck MCP Serveraudit my authentication logic and check for vulnerable npm dependencies"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
VibeCheck MCP Server
AI-powered security audit tool for codebases. Analyzes code for vulnerabilities using real-time data from MITRE CWE and npm audit.
Features
AI-Powered Analysis: Uses MCP sampling to analyze code with Claude
Real-Time CWE Data: Fetches vulnerability definitions from MITRE's CWE API
Dependency Scanning: Uses npm audit for package vulnerability checks
Zero Configuration: No API keys required to get started
Installation
Claude Code (Recommended)
/plugin marketplace add philiphess1/vibecheck-mcp
/plugin install vibecheck@vibecheckManual Installation
Add to your Claude Desktop config (~/.claude/claude_desktop_config.json):
{
"mcpServers": {
"vibecheck": {
"command": "npx",
"args": ["-y", "vibecheck-audit-mcp"]
}
}
}From Source
git clone https://github.com/philiphess1/vibecheck-mcp.git
cd vibecheck-mcp
npm install && npm run buildTools
scan_codebase
Full AI-powered security audit with real-time vulnerability data.
Analyzes:
Authentication and authorization issues
API security vulnerabilities
Database security rules
Exposed secrets and environment variables
Dependency vulnerabilities (via npm audit)
Data flow and injection vulnerabilities
Input:
{
"path": "/path/to/codebase",
"categories": ["auth", "api", "secrets-env"],
"severityThreshold": "medium"
}Or provide files directly:
{
"files": [
{ "path": "src/auth.ts", "content": "..." }
]
}Categories:
auth- Authentication, sessions, middlewareapi- API routes, endpointsdatabase-rules- Firebase/Supabase rules, Prisma schemassecrets-env- Environment variables, config filesdependencies- package.json vulnerabilitiesdata-flow- User input handling, injection points
check_dependencies
Quick dependency-only scan using npm audit.
Input:
{
"path": "/path/to/project",
"includeDevDependencies": false
}Requirements:
npm installed
package-lock.jsonin the project
Data Sources
Source | Purpose | Auth Required |
MITRE CWE API | Vulnerability definitions | No |
npm audit | Package CVEs | No |
OWASP | Security categories | No (bundled) |
Development
# Build
npm run build
# Watch mode
npm run dev
# Run directly
npm startHow It Works
File Reading: Reads files from the specified path or accepts file contents directly
Hotspot Collection: Categorizes files by security relevance (auth, api, secrets, etc.)
Dependency Audit: Runs
npm auditif package-lock.json existsAI Analysis: Uses MCP sampling to analyze each category with expert prompts
CWE Enrichment: Fetches relevant CWE definitions from MITRE API
Results: Returns structured findings with severity, CWE/OWASP refs, and remediation steps
Output Format
{
"findings": [
{
"id": "uuid",
"type": "hardcoded-secret",
"severity": "critical",
"title": "Hardcoded API Key",
"description": "...",
"filePath": "src/config.ts",
"lineNumber": 42,
"codeSnippet": "const API_KEY = 'sk-...'",
"aiReasoning": "...",
"confidence": 95,
"cwes": [{ "id": "CWE-798", "name": "..." }],
"owasp": [{ "id": "A02:2021", "name": "..." }],
"remediation": {
"summary": "Use environment variables",
"steps": ["..."]
}
}
],
"dependencyVulnerabilities": [...],
"summary": {
"totalFindings": 5,
"critical": 1,
"high": 2,
"medium": 2,
"low": 0,
"vulnerableDependencies": 3
},
"scanDuration": 12500
}License
MIT