supply-chain-mcp-server
This server provides comprehensive supply chain security intelligence, unifying 21 data sources into a single MCP interface for AI agents to perform full-spectrum package and vulnerability analysis.
Vulnerability & Threat Intelligence
Query OSV, GHSA, NVD, and Go Vulnerability Database for known CVEs by package, commit hash, or PURL
Get EPSS exploit prediction scores (single, batch, or threshold-filtered) and check CISA Known Exploited Vulnerabilities (KEV) catalog
Package Registry Metadata
Fetch metadata, version histories, maintainers, download stats, and lifecycle scripts across 7 ecosystems: npm, PyPI, crates.io, RubyGems, NuGet, Packagist, and Go module proxy
npm extras: provenance attestations, bulk audit, and download anomaly detection
Dependency Analysis
Explore dependency trees, reverse dependencies, similar packages, and version requirements via deps.dev and Libraries.io (including SourceRank quality scores)
Provenance & Integrity
Verify npm Sigstore provenance, search/verify Rekor transparency log entries by email, hash, or public key, and validate Go module checksums
Security Posture & Quality
Assess OpenSSF Scorecard scores (with side-by-side repo comparison), Best Practices badge status, and Repology distribution packaging issues
Typosquatting Detection
Detect suspicious package names using Levenshtein distance (≤ 2) against popular packages and warn about confusable characters
License Compliance
Look up curated license data from ClearlyDefined for individual packages or in batch
Aggregated Workflows
Composite tools (
vuln_scan,package_info,dep_tree,security_check,quality,license) run multiple sources in parallel for unified risk assessmentList all 21 data sources with configuration status and required API keys
Provides tools for querying GitHub Security Advisories (GHSA) and leveraging GitHub API for enhanced rate limits on vulnerability and security data.
Provides tools for querying Libraries.io to obtain dependency metrics, source rank, and library intelligence across multiple ecosystems.
Provides tools for querying npm package metadata, including package details, provenance verification, and security advisory information.
Provides tools for querying NuGet package metadata and associated vulnerability data.
Provides tools for querying Packagist package metadata and security information.
Provides tools for querying PyPI package metadata and vulnerability information.
Provides tools for querying RubyGems package metadata and security advisories.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@supply-chain-mcp-serveraudit package express 4.18.2 for vulnerabilities"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
The Problem
Supply chain security intelligence is the missing layer in modern software development. Vulnerability databases, package registries, provenance verification, exploit prediction scoring, license compliance, security scorecards, typosquatting detection — the data you need is scattered across dozens of platforms, each with its own API, its own auth, its own rate limits, its own output format. Today you check OSV in one tab, NVD in another, pull up npm advisories, check EPSS scores on FIRST.org, verify Sigstore provenance in yet another tab, look up OpenSSF Scorecard, cross-reference CISA KEV, and then spend an hour manually piecing it all together.
Traditional supply chain security workflow:
check vulnerabilities -> OSV + NVD + GitHub Advisories (3 separate UIs)
assess exploit likelihood -> EPSS scores (separate API)
check active exploitation -> CISA KEV catalog (separate JSON feed)
verify package provenance -> Sigstore/Rekor + npm attestations (multiple CLIs)
check security practices -> OpenSSF Scorecard + Best Practices Badge (2 UIs)
audit dependencies -> deps.dev + Libraries.io (2 more UIs)
check registry metadata -> npm + PyPI + crates.io + Go (4 registries)
check for typosquatting -> manual name comparison (error-prone)
verify license compliance -> ClearlyDefined (another UI)
check distro packaging -> Repology (yet another UI)
────────────────────────────────
Total: 45+ minutes per package audit, most of it switching contextssupply-chain-mcp-server gives your AI agent 7 composite tools (orchestrating 90 techniques internally) across 21 data sources via the Model Context Protocol. The agent calls a single tool like vuln_scan or package_info, which automatically fans out to the right techniques in parallel, correlates vulnerability data with exploit predictions, verifies provenance, checks security posture, and presents a unified supply chain risk assessment — in a single conversation.
With supply-chain-mcp-server:
You: "Audit the security posture of the express npm package"
Agent: -> vuln_scan(mode:"package", ecosystem:"npm", name:"express")
internally runs: osv_query + ghsa_package + epss_batch + kev_lookup
-> package_info(ecosystem:"npm", name:"express", version:"4.21.2")
internally runs: npm_package + npm_downloads + npm_maintainers + npm_scripts + npm_provenance
-> quality(mode:"scorecard", owner:"expressjs", repo:"express")
internally runs: scorecard_repo
-> "express has a strong security posture. 2 known vulns but
neither actively exploited (not in KEV). High EPSS on one
CVE warrants patching priority. Provenance verified via
Sigstore. OpenSSF Scorecard 8.2/10."Related MCP server: DepScope
How It's Different
Existing tools give you raw data one source at a time. supply-chain-mcp-server gives your AI agent the ability to reason across vulnerability, provenance, and package intelligence simultaneously.
Quick Start
Option 1: npx (no install)
npx supply-chain-mcp-server7 composite tools (90 techniques) work immediately. No API keys required for most data sources — 18 of 21 sources are fully free.
Option 2: Clone
git clone https://github.com/badchars/supply-chain-mcp-server.git
cd supply-chain-mcp-server
bun installEnvironment variables (optional)
export GITHUB_TOKEN=your-token # GHSA + Scorecard higher rate limits
export LIBRARIES_API_KEY=your-key # Required for Libraries.io tools
export NVD_API_KEY=your-key # 50 req/30s vs 5 req/30s without keyAll API keys are optional. Without them, you still get 6 of 7 composite tools fully operational — only Libraries.io (within dep_tree) requires an API key.
Connect to your AI agent
# With npx
claude mcp add supply-chain-mcp-server -- npx supply-chain-mcp-server
# With local clone
claude mcp add supply-chain-mcp-server -- bun run /path/to/supply-chain-mcp-server/src/index.tsAdd to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"supply-chain": {
"command": "npx",
"args": ["-y", "supply-chain-mcp-server"],
"env": {
"GITHUB_TOKEN": "optional",
"LIBRARIES_API_KEY": "optional",
"NVD_API_KEY": "optional"
}
}
}
}Same JSON config format. Point the command to npx supply-chain-mcp-server or your local installation path.
Start querying
You: "Check if express@4.17.1 has any known vulnerabilities and verify its provenance"That's it. The agent handles vulnerability lookups, EPSS scoring, KEV checks, provenance verification, and more automatically.
What The AI Can Do
Full Package Audit
You: "Do a complete security audit of the lodash npm package"
Agent: -> vuln_scan {mode: "package", ecosystem: "npm", name: "lodash"}
↳ osv_query + ghsa_package + epss_batch + kev_lookup (parallel)
-> package_info {ecosystem: "npm", name: "lodash", version: "4.17.21"}
↳ npm_package + npm_downloads + npm_maintainers + npm_scripts + npm_provenance + npm_attestations + npm_audit_bulk (parallel)
-> quality {mode: "scorecard", owner: "lodash", repo: "lodash"}
↳ scorecard_repo
-> license {mode: "lookup", type: "npm", name: "lodash", version: "4.17.21"}
↳ license_lookup
-> "lodash@4.17.21 security audit:
Vulnerabilities: 3 historical (all fixed in 4.17.21),
including prototype pollution CVE-2020-8203.
Provenance: No Sigstore attestation (published pre-provenance era).
OpenSSF Scorecard: 6.1/10 — no branch protection, no fuzzing.
Dependencies: Zero runtime deps (self-contained).
License: MIT (ClearlyDefined confirmed).
Lifecycle scripts: None — clean.
Recommendation: Safe to use at latest version. Consider
migrating to lodash-es for tree-shaking."Vulnerability Triage
You: "Triage CVE-2024-3094 — how urgent is this?"
Agent: -> vuln_scan {mode: "cve", cve_id: "CVE-2024-3094"}
↳ nvd_cve + osv_id + ghsa_id + epss_score + kev_lookup (parallel)
-> "CVE-2024-3094 (xz-utils backdoor):
CVSS: 10.0 Critical — backdoor in xz-utils 5.6.0/5.6.1
EPSS: 0.95 (99th percentile) — extremely likely to be exploited
CISA KEV: YES — actively exploited, deadline March 2024
Affects: xz-utils/liblzma on Linux (sshd via systemd)
This is CRITICAL. Immediate action required:
1. Downgrade xz-utils to 5.4.x or remove 5.6.0/5.6.1
2. Check all systems for affected versions
3. This was a sophisticated supply chain attack via
a compromised maintainer."Dependency Risk Assessment
You: "Assess the supply chain risk of adding fastapi to our Python project"
Agent: -> package_info {ecosystem: "pypi", name: "fastapi"}
↳ pypi_package + pypi_releases + pypi_maintainers (parallel)
-> vuln_scan {mode: "package", ecosystem: "PyPI", name: "fastapi"}
↳ osv_query + ghsa_package + epss + kev (parallel)
-> dep_tree {mode: "dependencies", ecosystem: "pypi", name: "fastapi", version: "0.115.0"}
↳ deps_dependencies + deps_requirements + libraries_deps (parallel)
-> quality {mode: "full", owner: "tiangolo", repo: "fastapi", repo_url: "https://github.com/tiangolo/fastapi"}
↳ scorecard_repo + badge_by_repo (parallel)
-> security_check {mode: "typosquat", name: "fastapi", ecosystem: "pypi"}
↳ typosquat_check
-> "fastapi supply chain risk assessment:
Vulnerabilities: 1 low-severity (fixed in latest).
Dependencies: 5 direct (starlette, pydantic, etc.), 23 transitive.
OpenSSF Scorecard: 7.4/10 — good CI/CD, signed releases.
Maintainer: single primary maintainer (tiangolo).
Typosquatting: 'fast-api' and 'fastapi2' exist — verify
you're installing the correct package.
Risk: LOW. Well-maintained, active community, good security
practices. Single-maintainer risk is mitigated by strong
automation and community oversight."Typosquatting Detection
You: "I'm about to install 'reqeusts' from PyPI — is this safe?"
Agent: -> security_check {mode: "typosquat", name: "reqeusts", ecosystem: "pypi"}
↳ typosquat_check
-> security_check {mode: "compare_names", name_a: "reqeusts", name_b: "requests"}
↳ typosquat_compare
-> "WARNING: 'reqeusts' is a likely typosquat of 'requests'.
Edit distance: 2 (transposed 'ue' -> 'eu')
Similarity: 87.5%
The legitimate package is 'requests' (800M+ monthly downloads).
'reqeusts' has very low downloads and was likely published
to exploit typos. DO NOT install this package.
Correct command: pip install requests"Composite Tools (7 tools, 90 techniques)
The AI agent sees only 7 composite tools (~1K tokens), each orchestrating multiple techniques in parallel internally.
Composite Tool | Techniques | Modes | Description |
| 24 |
| Vulnerability intelligence across OSV, GHSA, NVD, EPSS, CISA KEV, Go Vuln DB |
| 33 | by ecosystem | Package metadata — auto-dispatches to npm (10), PyPI (4), crates.io (4), Go (3), RubyGems (4), NuGet (4), Packagist (4) |
| 14 |
| Dependency graph intelligence via deps.dev + Libraries.io |
| 7 |
| Supply chain threat detection: typosquatting, provenance, Sigstore |
| 8 |
| Project quality: OpenSSF Scorecard, Best Practices Badge, Repology |
| 3 |
| License compliance analysis via ClearlyDefined |
| 1 | — | List all data sources with configuration status |
Individual Techniques (90)
Run npx supply-chain-mcp-server --list-all to see the full list.
Tool | Description |
| Query OSV database for known vulnerabilities affecting a specific package and optional version |
| Query OSV database for vulnerabilities associated with a specific git commit hash |
| Query OSV database using a Package URL (purl) for known vulnerabilities |
| Batch query OSV database for vulnerabilities across multiple packages at once |
| Fetch full vulnerability details from OSV by ID (OSV, CVE, GHSA, RUSTSEC, PYSEC, etc.) |
Tool | Description |
| Fetch a GitHub Security Advisory by its GHSA or CVE identifier |
| Search GitHub Security Advisories by keyword, ecosystem, and severity |
| List GitHub Security Advisories affecting a specific package in a given ecosystem |
| List the most recently updated GitHub Security Advisories |
Tool | Description |
| Fetch full CVE details from NVD (NIST National Vulnerability Database) by CVE ID |
| Search NVD for CVEs by keyword and optional CVSS v3 severity |
| Fetch recently published CVEs from NVD within a given number of days |
Tool | Description |
| Get EPSS exploit probability and percentile for a single CVE ID |
| Batch EPSS scores for multiple CVEs (up to 100) in a single request |
| Get the highest EPSS-scoring CVEs (most likely to be exploited) |
| Find CVEs with EPSS score above a given threshold |
Tool | Description |
| Check if a CVE is in the CISA Known Exploited Vulnerabilities (KEV) catalog |
| Search KEV entries by keyword (matched against vendor, product, name, description) |
| Get recently added KEV entries within the last N days |
| Get KEV catalog statistics: total count, top vendors, entries per year, and ransomware usage breakdown |
Tool | Description |
| Fetch npm package metadata including description, latest version, maintainers, license, repository, homepage, and publish timeline |
| Fetch metadata for a specific npm package version including dependencies, dist info (tarball, shasum, integrity), scripts, and deprecation status |
| Fetch npm download counts for a package over a given period (last-day, last-week, last-month) |
| Search the npm registry for packages matching a query string |
| Extract maintainers and publish timeline from an npm package — critical for detecting maintainer takeover attacks |
| Extract and analyze lifecycle scripts from a specific npm package version — flags suspicious commands (curl, wget, eval, exec, etc.) commonly used in supply-chain attacks |
| Check whether an npm package version has Sigstore provenance attestations and signatures |
| Bulk query npm security advisories for a set of packages and versions |
| Fetch full Sigstore attestation bundles for an npm package version — returns SLSA provenance and publish attestations |
| Get day-by-day npm download counts for a date range — useful for detecting download anomalies or dependency confusion attacks |
Tool | Description |
| Fetch PyPI package metadata including author, license, summary, project URLs, classifiers, and Python version requirements |
| Fetch metadata for a specific PyPI package version including release URLs with upload times, file sizes, digests, and yanked status |
| List all releases of a PyPI package with upload dates, sizes, and yanked status — useful for detecting suspicious rapid version bumps |
| Extract author and maintainer information from a PyPI package — useful for detecting ownership changes |
Tool | Description |
| Fetch crates.io crate metadata including description, download counts, max version, repository, homepage, categories, and keywords |
| List all versions of a crate with version number, yanked status, license, crate size, creation date, and download count |
| Fetch dependencies for a specific crate version including dependency kind (normal/dev/build), version requirement, and optional flag |
| List owners of a crate on crates.io — useful for detecting ownership changes |
Tool | Description |
| Fetch RubyGems gem metadata including name, version, authors, description, download counts, project URI, and source code URI |
| List all versions of a RubyGems gem with release dates, platform info, and version numbers |
| Search the RubyGems registry for gems matching a query string |
| Get reverse dependencies of a RubyGems gem — useful for assessing blast radius of a compromised package |
Tool | Description |
| Fetch NuGet package registration metadata including all versions, dependency groups, descriptions, and catalog entries |
| Search the NuGet registry for packages matching a query string |
| List all published versions of a NuGet package from the flat container index |
| Get specific version details from NuGet including dependency groups, description, license, and catalog metadata |
Tool | Description |
| Get PHP/Composer package metadata from Packagist including versions, description, maintainers, and repository information |
| Search Packagist for PHP packages matching a query string |
| Get Packagist package download statistics including total, monthly, and daily download counts |
| Get security advisories for PHP packages from Packagist — returns known vulnerabilities and CVEs |
Tool | Description |
| Fetch Go module info from the module proxy: latest version and all available versions |
| Fetch info and go.mod contents for a specific Go module version — returns parsed dependency list |
| Look up a Go module version in the checksum database (sum.golang.org) for hash verification |
Tool | Description |
| Fetch a Go vulnerability by its ID from the Go Vulnerability Database |
| List all Go vulnerability IDs from the database index |
| Get Go Vulnerability Database metadata including last modified time |
| Find Go vulnerabilities affecting a specific module |
Tool | Description |
| Look up a package on deps.dev to get metadata, versions, and security information |
| Get detailed info about a specific package version from deps.dev including links, licenses, and advisories |
| Get the dependency tree for a specific package version from deps.dev |
| Get packages that depend on a specific package version from deps.dev |
| Fetch a security advisory by key (e.g. GHSA-xxxx-xxxx-xxxx) from deps.dev |
| Get project information from deps.dev by repository URL |
| Look up a package by its SHA256 artifact hash on deps.dev |
| Get the requirements (version constraints) for a specific package version from deps.dev |
| Find similarly named packages on deps.dev for typosquatting detection |
| Look up a package by Package URL (purl) on deps.dev |
Tool | Description |
| Get the OpenSSF Scorecard security score for a GitHub repository, including individual check results |
| Compare OpenSSF Scorecard security scores across 2-5 GitHub repositories side by side |
Tool | Description |
| Get OpenSSF Best Practices badge status and criteria for a project by ID |
| Search OpenSSF Best Practices badge projects |
| Find OpenSSF Best Practices badge by GitHub repository URL |
Tool | Description |
| Get package metadata from Libraries.io including repository info, versions, and popularity metrics |
| Get dependencies for a specific package version from Libraries.io |
| Get packages that depend on a specific package from Libraries.io |
| Get the SourceRank quality score breakdown for a package from Libraries.io |
Tool | Description |
| Get curated license data for a software component from ClearlyDefined |
| Batch license lookup for multiple components via ClearlyDefined |
| Search ClearlyDefined for components by pattern |
Tool | Description |
| Search the Rekor transparency log by email, SHA256 hash, or public key fingerprint |
| Retrieve a specific Rekor transparency log entry by UUID, including body, attestation, and inclusion proof |
| Get the current Rekor transparency log status including rootHash, treeSize, and signedTreeHead |
| Retrieve multiple Rekor log entries by their UUIDs or log indexes in a single request |
| Verify whether a SHA256 artifact hash has been recorded in the Rekor transparency log |
Tool | Description |
| Get package versions across all Linux distributions from Repology |
| Find packaging problems/issues for a repository on Repology |
| Search Repology projects by name |
Tool | Description |
| Check if a package name is suspiciously similar to popular packages (potential typosquatting) — returns matches with edit distance <= 2 |
| Compare two package names directly to assess typosquatting risk, showing edit distance, similarity percentage, character-level diff, and confusable character warnings |
Tool | Description |
| List all 21 supply chain security data sources with configuration status, API key status, and tool counts |
CLI Usage
# List 7 composite tools
npx supply-chain-mcp-server --list
# List all 90 individual techniques
npx supply-chain-mcp-server --list-all
# Run composite tools
npx supply-chain-mcp-server --tool vuln_scan '{"mode":"cve","cve_id":"CVE-2024-3094"}'
npx supply-chain-mcp-server --tool vuln_scan '{"mode":"package","ecosystem":"npm","name":"express"}'
npx supply-chain-mcp-server --tool package_info '{"ecosystem":"npm","name":"express","version":"4.21.2"}'
npx supply-chain-mcp-server --tool security_check '{"mode":"typosquat","name":"reqeusts","ecosystem":"pypi"}'
npx supply-chain-mcp-server --tool quality '{"mode":"scorecard","owner":"expressjs","repo":"express"}'
npx supply-chain-mcp-server --tool dep_tree '{"mode":"dependencies","ecosystem":"npm","name":"express","version":"4.21.2"}'
# Individual techniques also work (backward compatible)
npx supply-chain-mcp-server --tool osv_query '{"ecosystem":"npm","name":"express"}'
npx supply-chain-mcp-server --tool epss_score '{"cve_id":"CVE-2024-3094"}'Data Sources (21)
Source | Auth | Rate Limit | What it provides |
None | 1 req/s | Cross-ecosystem vulnerability database (npm, PyPI, Go, Rust, etc.) | |
Optional | 1 req/s | Security advisories for GitHub-tracked packages | |
Optional | 5 req/30s (50 with key) | CVE details, CVSS scores, CPE matching, keyword search | |
None | 2 req/s | Exploit Prediction Scoring System — probability of CVE exploitation | |
None | 0.5 req/s | Known Exploited Vulnerabilities catalog with remediation deadlines | |
None | 2 req/s | Package metadata, versions, scripts, provenance, attestations, advisories | |
None | 2 req/s | Python package metadata, versions, releases, maintainer info | |
None | 1 req/s | Rust crate metadata, versions, dependencies, owners | |
None | 1 req/s | Ruby gem metadata, versions, reverse dependencies | |
None | 2 req/s | .NET package metadata, versions, dependency groups | |
None | 1 req/s | PHP/Composer packages, download stats, security advisories | |
None | 2 req/s | Go module versions, go.mod contents, checksum verification | |
None | 2 req/s | Go-specific vulnerability advisories by module | |
None | 5 req/s | Cross-ecosystem dependency graphs, advisories, project info, purl lookup | |
Optional | 1 req/s | Repository security scoring across 18 checks | |
None | 1 req/s | Best Practices badge status and criteria | |
| 1 req/s | Package popularity, SourceRank, cross-platform dependency data | |
None | 2 req/s | Curated license data across ecosystems | |
None | 2 req/s | Transparency log for software signing — provenance verification | |
None | 1 req/s | Package versions across Linux distributions | |
None | N/A | Built-in Levenshtein distance + confusable character analysis |
Architecture
src/
index.ts # CLI entrypoint (--help, --list, --list-all, --tool, stdio server)
composite/ # 7 composite tools (MCP-registered)
helpers.ts # callTool(), callToolsParallel(), buildCompositeResponse(), TOOL_REGISTRY
vuln-scan.ts # vuln_scan — 24 techniques (5 modes)
package-info.ts # package_info — 33 techniques (7 ecosystems)
dep-tree.ts # dep_tree — 14 techniques (6 modes)
security-check.ts # security_check — 7 techniques (5 modes)
quality.ts # quality — 8 techniques (5 modes)
license.ts # license — 3 techniques (3 modes)
meta.ts # meta — 1 technique
index.ts # compositeTools barrel export
protocol/
mcp-server.ts # MCP server setup (stdio transport)
tools.ts # Tool registry — imports compositeTools
types/
index.ts # Shared types (ToolDef, ToolContext, ToolResult)
utils/
rate-limiter.ts # Per-provider rate limiter
cache.ts # TTL cache for API responses
http.ts # Native fetch() wrapper with error handling
require-key.ts # API key validation helper
osv/ # 5 techniques govuln/ # 4 techniques
ghsa/ # 4 techniques depsdev/ # 10 techniques
nvd/ # 3 techniques scorecard/ # 2 techniques
epss/ # 4 techniques badge/ # 3 techniques
kev/ # 4 techniques libraries/ # 4 techniques
npm/ # 10 techniques clearlydefined/# 3 techniques
pypi/ # 4 techniques rekor/ # 5 techniques
crates/ # 4 techniques repology/ # 3 techniques
rubygems/ # 4 techniques typosquat/ # 2 techniques
nuget/ # 4 techniques meta/ # 1 technique
packagist/ # 4 techniques
go/ # 3 techniquesDesign decisions:
Composite architecture — 7 composite tools registered with MCP, each orchestrating multiple individual techniques. LLM context reduced from ~12K tokens (90 tool definitions) to ~1K tokens (7 composites).
22 providers, 1 server — Every data source is an independent module. Composite tools dispatch to the right provider techniques based on mode/ecosystem.
Per-provider rate limiters — Each data source has its own
RateLimiterinstance calibrated to that API's limits. No shared bottleneck.TTL caching — Vulnerability data (5-30min), package metadata (5-15min), KEV catalog (60min), scorecard data (30min) are cached to avoid redundant API calls during multi-tool workflows.
Graceful degradation — Missing API keys don't crash the server. Tools return descriptive error messages: "Set LIBRARIES_API_KEY to enable Libraries.io tools."
2 dependencies —
@modelcontextprotocol/sdkandzod. All HTTP via nativefetch(). No external HTTP libraries needed.Backward compatible —
--toolCLI accepts both composite and individual technique names.--list-allshows all 90 techniques.
Limitations
Libraries.io tools require a (free) API key from libraries.io
NVD free tier is limited to 5 requests per 30 seconds (50 with API key)
GHSA and Scorecard benefit from
GITHUB_TOKENfor higher rate limitsCISA KEV is fetched as a single JSON file (~2MB) and cached for 60 minutes
Typosquatting detection compares against a curated list of top npm/PyPI packages (not exhaustive)
Go checksum database (sum.golang.org) may return 404 for very old or vendored-only modules
Repology API has strict rate limits and may throttle aggressive querying
ClearlyDefined coverage varies by ecosystem — npm and Maven have best coverage
macOS / Linux tested (Windows not tested)
Part of the MCP Security Suite
Project | Domain | Tools |
Browser-based security testing | 39 tools, Firefox, injection testing | |
Cloud security (AWS/Azure/GCP) | 38 tools, 60+ checks | |
GitHub security posture | 39 tools, 45 checks | |
Vulnerability intelligence | 23 tools, 5 sources | |
OSINT & reconnaissance | 37 tools, 12 sources | |
Dark web & threat intelligence | 66 tools, 16 sources | |
Digital fingerprinting | 13 tools, 103 techniques | |
supply-chain-mcp-server | Software supply chain security | 7 tools, 90 techniques, 21 sources |
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/badchars/supply-chain-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server