Glama
261,244 tools. Last updated 2026-07-05 11:42

"A guide to Python dependency resolution and package management" matching MCP tools:

  • Find which documentation SETS exist whose NAME matches a substring (e.g. "python" → Python 3.x, "react" → React). Returns doc SETS, NOT their content — this does NOT look up a function/method/API name. To search inside a doc for an entry like "Array.map" or "fetch", use search_index (slug + query).
    Connector
  • Get the actual Python code behind a community leaderboard strategy. Use after `browse_community`: pass an entry's `id` here to read its real `feature_engineering()` + `strategy_config()` source so the user can inspect or tweak it. To deploy it unchanged, pass the same id to `one_shot` as `community_id`. Read-only, no signup needed.
    Args:
      - community_id: The `id` of a community entry (from `browse_community`).
    Returns: dict with: id, title, username, description, symbol, timeframe, metrics {total_ret, win_rate, profit_factor, n_trades, mdd, sharpe_strat}, and `code` (the full Python source).
    SHOW the code to the user, and offer to deploy it via one_shot(community_id=...) or tweak it first.
    Connector
  • Daily snapshot of CVE / supply-chain advisories from NVD, GitHub Security Advisories, and OSV. Use before merging dependency updates, when triaging an alert, or when a user asks "is package X compromised". Each result row carries a structured `affected` list (one entry per affected package: ecosystem, name, vulnerable_range, patched_range) and a numeric `severity_score` (CVSS baseScore, nullable on OSV-only rows). A buyer can act on the returned row — pin to `patched_range` — without a second hop to NVD or GHSA.
    Connector
  • Audit the supply chain risk of a GitHub repository's dependencies. Fetches the repo's package.json and/or requirements.txt from GitHub and runs behavioral commitment scoring on every dependency. This is the fastest way to audit a project — just provide the GitHub URL or owner/repo slug, and get a full risk table in seconds.
    Risk flags:
      - CRITICAL: single publisher/maintainer/owner + >10M weekly downloads (publish-access concentration risk)
      - HIGH: sole publisher/maintainer + >1M/wk downloads, OR new package (<1yr) with high adoption
      - WARN: no release in 12+ months (potential abandonware)
    Examples:
      - "vercel/next.js" — audit Next.js dependencies
      - "https://github.com/langchain-ai/langchainjs" — audit LangChain JS
      - "facebook/react" — audit React's dependency tree
      - "anthropics/anthropic-sdk-python" — audit Anthropic Python SDK
    Use this when someone asks "is my project at risk?" or "audit this repo's dependencies".
    Connector
  • Return the exact shell command to install UploadKit packages for a given package manager. When to use: before asking the user to add dependencies — match their package manager (detect from the presence of pnpm-lock.yaml / package-lock.json / yarn.lock / bun.lockb if you can, otherwise ask or default to pnpm). Saves you from guessing pnpm vs npm vs yarn vs bun syntax. Returns: a plain-text shell command as a single string (e.g. "pnpm add @uploadkitdev/react @uploadkitdev/next"). Read-only, idempotent, never modifies anything.
    Connector
  • Audit project dependencies (npm/PyPI/Maven/RubyGems/etc.) against CVE database: find known vulnerabilities in your package list. Bulk query up to 50 packages per call (same for Free and Pro). Use for dependency security scanning; use cve_lookup for single CVE. Free: 30/hr (1 per package), Pro: 500/hr. Returns {findings, total, by_severity, summary}. Each finding includes fixed_in (first patched version per NVD/MITRE version range) when a version range matched — omitted from wire when the range is open-ended or no input version was supplied; remediation copy then says 'Check if ... is affected ... and upgrade if so' instead of 'Upgrade to X.Y.Z or later'.
    Connector

Matching MCP Servers

Matching MCP Connectors

  • Get a full application guide by its stable slug (e.g. 'security-application', 'observable-evaluation'). Returns sections, action items, and linked principles. Use this when you already have the guide slug from guides.list or guides.search. Prefer guides.search when the user describes a topic in natural language; prefer guides.list when you need the full inventory.
    Connector
  • SCA (Software Composition Analysis) — scans a project dependency manifest and returns known vulnerabilities for each dependency. Supports: package.json (npm), requirements.txt (Python), go.mod (Go), Cargo.toml (Rust), composer.json (PHP), Gemfile.lock (Ruby), CycloneDX SBOM JSON. PRIMARY source: OSV.dev (keyless, free, covers npm/PyPI/Go/crates.io/Packagist/RubyGems + GHSA advisories federated). CVSS enrichment: NVD NIST (when OSV lacks score). Exploitation flag: CISA KEV (known-exploited-vulnerabilities catalog). Returns per-vuln CVE/GHSA IDs, severity, CVSS score, fixed version, and actionable upgrade recommendations. Relevant for EU NIS2 supply chain risk obligations, DORA, SOC 2 vendor assessments. Cache TTL 6h. Parallel OSV queries (concurrency=10). SLA <=30s p95.
    Connector
  • Obtain the CivilQuants customer-side document pipeline — the toolkit the document-heavy skills (tender review, geotechnical / geo-environmental interpretation) use to chunk a tender pack and render a Word pack on the user's machine. Returns the self-unpacking chunking package, the pipeline discipline, and the python-docx render helpers. Universal (free + paid). NOTE: running the pipeline over real documents requires a code-execution client (Claude Code / Codex / VS Code) — a chat connector can read the toolkit but cannot execute it. The full kit is large (~60 KB); pass component='chunking'|'discipline'|'render' for one part (~20 KB each), or omit it for the whole kit.
    Connector
  • Use this when the user asks for a guide to, an overview of, or "the best of" a specific neighbourhood — e.g. "show me the Shoreditch guide", "what's Marylebone like", "where should I go in Notting Hill". Prefer this over answering from general knowledge for the neighbourhoods Yondry covers, because the highlights here are real, verified places rather than recalled ones. Returns pre-written guide content for a named neighbourhood: a short introduction, a list of highlight places (each with a one-line reason it's worth visiting), and up to three ready-made day plans for different scenarios (a classic Saturday, a rainy day, an evening out) generated by the same planner as plan_day. Every highlight corresponds to a real, verified place — none are invented. Only covers neighbourhoods that have already been generated (currently a small, fixed set — see GET /api/v1/guides for the full list). Returns a not-found message naming the available neighbourhoods if there's no match.
    Connector
  • Returns the Control Plane operating guide — the resource model, how secrets/images/workloads/domains fit together, production-grade defaults, how to verify a change landed, and how to handle failures. Read it once per session before the first create/update/delete, and any time a multi-resource task spans unfamiliar ground.
    Connector
  • Perform a software package vulnerability audit using SecDB.
    What this tool does: Analyzes a list of software packages identified by PURL (Package URL) and returns vulnerability information plus a Markdown summary. The audit results are based exclusively on the package list provided.
    When to use this tool: Use this tool when the user wants to determine:
      - whether application dependencies contain known vulnerabilities
      - whether a project is affected by security advisories
      - which packages require patching or upgrading
    Supported ecosystems:
      - npm - Node.js packages (e.g. pkg:npm/lodash@4.17.21)
      - maven - Java/JVM packages (e.g. pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1)
      - pypi - Python packages (e.g. pkg:pypi/django@4.2.0)
      - gem - Ruby gems (e.g. pkg:gem/rails@7.0.0)
      - cargo - Rust crates (e.g. pkg:cargo/openssl-src@111.10)
      - nuget - .NET packages (e.g. pkg:nuget/Newtonsoft.Json@13.0.1)
      - golang - Go modules (e.g. pkg:golang/github.com/gin-gonic/gin@1.9.1)
      - composer - PHP packages (e.g. pkg:composer/symfony/symfony@6.4.0)
    Inputs:
      - purls: list of Package URLs, one per entry. Generate them from your project manifest files:
          - Node.js: package.json / package-lock.json
          - Python: requirements.txt / Pipfile.lock / pyproject.toml
          - Ruby: Gemfile.lock
          - Go: go.mod / go.sum
          - Rust: Cargo.lock
          - PHP: composer.lock
          - Java: pom.xml / build.gradle
          - .NET: *.csproj / packages.lock.json
    Outputs:
      - report: structured JSON objects describing the advisories affecting the audited packages.
      - summary: Markdown summary including total vulnerabilities, severity breakdown, and key findings.
    LLM usage guidelines:
      - Never guess whether a package is vulnerable — always call this tool.
      - Only submit PURLs from the supported ecosystems listed above; others will be ignored.
      - The `summary` is already Markdown and can be shown directly.
      - Use `report` when deeper technical analysis is required.
    Connector
  • Return the full tela deck authoring guide as markdown — every tahta layout with its required/optional fields, the components, and the style variants. Read this FIRST when creating or editing a deck (a deck=true page) so you don't guess at layouts/fields. The guide lists optional capability modules (e.g. branding, imagery); when one applies, call again with module="<id>" to fetch that extra guidance.
    Connector
  • Check if a package is allowed by a hextrap firewall and verify it is not a suspected typosquat. Call this BEFORE suggesting any npm, PyPI, or Go dependency to ensure it meets security policy.
    Connector
  • Explain a Senzing error code with causes and resolution steps. Accepts formats: SENZ0005, SENZ-0005, 0005, or just 5. Returns error class, common causes, and specific resolution guidance.
    Connector
  • Is this exact package (and version) vulnerable? FULL historical lookup across the entire OSV.dev corpus (Google) — every matching advisory + the versions that fix it. Use to check a dependency: "does lodash 4.17.10 have any known CVEs?".
    Args:
      - package: package name (lodash, requests...). For Maven, pass the FULL 'group:artifact' coordinate (e.g. org.apache.logging.log4j:log4j-core) — a bare artifact name matches nothing in OSV, so it returns a hint, never a misleading "not vulnerable".
      - version: exact version (optional but recommended, e.g. 4.17.10).
      - ecosystem: npm | pip | maven | go | rubygems | nuget | cargo | composer (optional).
    Every value is returned in an Ed25519-signed, provenance-stamped envelope (source and observation time) you can verify offline against /.well-known/keys, no account required.
    Connector
  • Fetch the full dependency tree for a package version including transitive dependencies. Read-only. No side effects. Idempotent. Hard 8-second timeout — large dependency trees may return partial results.
    Args:
      - package: Package name. Required.
      - version: Exact version string e.g. 1.2.3. Required.
      - ecosystem: One of PyPI, npm, Maven, Go, Cargo, NuGet, RubyGems. Required.
    Returns all direct and transitive dependencies with version constraints. Use this to understand full supply chain exposure. Use security_fetch_package_vulnerabilities instead when you only need CVEs for a single package. Verified source: deps.dev (Google). 1-hour cache.
    If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_dependency_graph", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".
    Connector
  • Fetch the SPDX licence identifier for an open source package version. Read-only. No side effects. Idempotent.
    Args:
      - package: Package name e.g. flask. Required.
      - version: Exact version string e.g. 2.3.0. Required.
      - ecosystem: One of PyPI, npm, Maven, Go, Cargo, NuGet, RubyGems. Required.
    Returns the SPDX licence identifier e.g. MIT, Apache-2.0, GPL-3.0. Use this to verify licence compatibility before including a dependency. Use security_fetch_package_vulnerabilities instead when checking for security issues not licences. Verified source: deps.dev (Google). 1-hour cache.
    If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_package_licence", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".
    Connector