"Spring Security" matching MCP tools:

• inspect_security_headers

  Ground Truth - First Tool Call

  Fetch a public URL and inspect security-relevant response headers before you claim that a product or endpoint has a strong browser-facing security baseline. Use this for quick due diligence on public apps and docs sites. It checks for common headers such as HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, and X-Content-Type-Options. It does not replace a real security review, authenticated testing, or vulnerability scanning.

  Connector

• check_injection

  ContrastAPI

  Scan source code for injection vulnerabilities: SQL injection, command injection, path traversal via unsafe string concatenation/unsanitized input. Supports Python, JavaScript, TypeScript, Java, Go, Ruby, Shell, Bash. Use to detect input-handling bugs; for secrets use check_secrets. Companion code-security tools: check_secrets (hard-coded credential detection), check_dependencies (known-CVE vulnerability audit), check_headers (live HTTP security-header validation), scan_headers (live HTTP scan via domain). Free: 30/hr, Pro: 500/hr. Returns {total, by_severity, findings}. No data stored.

  Connector

• package_health

  dynamic-feed

  Health & security posture of a software package (npm / PyPI / Go / Maven / Cargo / NuGet / RubyGems) from deps.dev (Google Open Source Insights, keyless): latest version, license, count of known security advisories, the OpenSSF Scorecard (0-10 security-posture score for the source repo + its weakest checks) and popularity (stars/forks). The "should I depend on this?" check — pairs with check_vulnerability (is a version vulnerable) and software_version (is the runtime current). Args: package (e.g. "lodash", "requests"), ecosystem (npm|pypi|go|maven|cargo|nuget|rubygems), version (optional — defaults to the latest).

  Connector

• scan_skill

  SecurityScan

  Scan a GitHub repository or skill URL for security vulnerabilities. This tool performs static analysis and AI-powered detection to identify: - Hardcoded credentials and API keys - Remote code execution patterns - Data exfiltration attempts - Privilege escalation risks - OWASP LLM Top 10 vulnerabilities Requires a valid X-API-Key header. Cached results (24h) do not consume credits. Args: skill_url: GitHub repository URL (e.g., https://github.com/owner/repo) or raw file URL to scan Returns: ScanResult with security score (0-100), recommendation, and detected issues. Score >= 80 is SAFE, 50-79 is CAUTION, < 50 is DANGEROUS. Example: scan_skill("https://github.com/anthropics/anthropic-sdk-python")

  Connector

• get_product_recommendation

  Custom Blinds Shop

  Translate a customer's primary concern into a product recommendation. primary_concern must be one of: blockout, heat, glare, moisture, privacy, security, automation. Optionally narrow by room (bedroom, lounge, etc.), location, budget, and aesthetic. Returns a recommended product_id with rationale — pass it to get_price or configure_product next. Security concern routes to brochure MCP (Garden Route customers only).

  Connector

• audit_domain

  ContrastAPI

  Perform comprehensive domain audit: combines domain_report + live HTTP security headers + technology fingerprinting. By default report.dns.txt is filtered to security-relevant entries (SPF, DMARC, DKIM, MTA-STS, TLS-RPT) and report.dns.total_txt_records reports the honest pre-filter count; pass include_all_txt=true for the raw TXT list. Use when you need the full picture (recon + active checks); use domain_report for passive-only assessment. Response carries next_calls — chain with subdomain_enum (always emitted) and ssl_check (when an A record resolves) for the residual recon depth (tech_fingerprint already inline as `technologies`). Free: 30/hr (costs 6 credits), Pro: 500/hr. Returns {domain, report, technologies, live_headers, summary, next_calls}.

  Connector

• get_my_schedule

  ssuMCP

  Returns the authenticated student's u-SAINT timetable grouped by course. Without year and term it returns the current u-SAINT selected semester; pass both year and term to fetch a specific semester. Term values: 1=spring, 2=summer, 3=fall, 4=winter. Requires mcp_session_id with the SAINT provider linked via start_auth. Returns AUTH_REQUIRED with a loginUrl if SAINT is not authenticated — show the loginUrl to the user and ask them to open it in a browser, then retry this call with the returned mcp_session_id.

  Connector

• product_load_context

  website-search

  Load Lenny Zeltser's product strategy context for local analysis. Returns expert strategic frameworks, principles, and guidance for evaluating or creating security product plans. Includes rating-sheet items (the lens taxonomy: structure, words, tone) as concrete reference points for grounded feedback on the plan's writing. This server never requests your plans and instructs your AI to keep them local. Use detail_level to control response size: "minimal" (~2k tokens), "standard" (~5k tokens), "compact" (~3-4k tokens, all sections but stripped), or "comprehensive" (~12k tokens). Use market_segment: "smb" for SMB-specific guidance. Use product_focus: "endpoint" for endpoint security viability assessment. Set include_template: true to include the fill-in-the-blank template in the response.

  Connector

• lookup_headers

  botoi-mcp

  Fetch HTTP response headers for a URL. Use when inspecting server configuration, security headers, or caching policies.

  Connector

• askew_intel_feed

  Askew x402

  Aggregated intelligence feed combining research findings, active security threats, and live staking APY snapshot in a single call ($0.005 USDC). Sources: ChromaDB research library + Guardian log + staking.db. Best for: broad situational awareness — replaces three separate calls. Requires x402 payment on Base mainnet.

  Connector

• check_package

  Hextrap MCP

  Check if a package is allowed by a hextrap firewall and verify it is not a suspected typosquat. Call this BEFORE suggesting any npm, PyPI, or Go dependency to ensure it meets security policy.

  Connector

• assess_message

  Agent Safe Email MCP

  FREE triage tool — send whatever context you have (message content, sender info, URLs, attachments, draft replies, thread messages, image/video URLs) and get back a prioritized list of which security tools to run. No AI call, no charge, instant response. Always call this first to get the best security coverage.

  Connector

• changelog-generate

  The Stall

  Converts commit messages to a keep-a-changelog release block. Groups feat/fix/perf/docs/security commits into Added/Fixed/Changed/Security sections. Returns versioned markdown or structured JSON. No API key — pure transform.

  Connector

• cookie_security_audit

  IA-QA — 130+ QA & Dev Tools for AI Agents

  Audit the security attributes of cookies set by any URL. Fetches the URL and inspects all Set-Cookie headers for: HttpOnly, Secure, SameSite, Domain scope, Path scope, Max-Age/Expires, __Host-/__Secure- prefixes. Flags insecure patterns: missing HttpOnly on session cookies, missing Secure flag, SameSite=None without Secure, overly broad Domain, and excessive TTL. Returns per-cookie grades and an overall security score (0–100).

  Connector

• treasury_get_interest_rates

  treasury-fiscaldata-mcp-server

  Average interest rates Treasury pays on its outstanding securities by security type. Answers "what is the government's cost of borrowing?" Covers Bills, Notes, Bonds, TIPS, Floating Rate Notes, and aggregate marketable/non-marketable totals. Updated monthly (end-of-month records). Mode "latest" returns the most recent month's rates for all or one security type; "series" returns a time history. As of 2026-04-30: Bills 3.696%, Notes 3.230%, Bonds 3.403%, TIPS 1.068%, FRN 3.764%, Total Interest-bearing Debt 3.340%.

  Connector

• url_scanner_async_scan_with_intent

  PreClick — An MCP-native URL preflight scanning service for autonomous agents (formerly URLCheck).

  Submit a URL with optional user intent for asynchronous security analysis. Returns immediately with a task_id. Poll with url_scanner_async_task_status to check progress, then url_scanner_async_task_result to get the scan result. Async counterpart of url_scanner_scan_with_intent for clients without native MCP Tasks support.

  Connector

• get_testing_guidelines

  IA-QA — 130+ QA & Dev Tools for AI Agents

  Query the IA-QA methodology knowledge base. Returns structured testing guidelines, assertion strategies, thresholds, best practices, and relevant MCP tools for a given topic. Call without a topic to list all available topics. Topics: llm-unit-testing, rag-pipeline, prompt-stability, prompt-ab-testing, embedding-quality, eval-framework, semantic-testing, auto-testing, security, api-testing, ci-cd, multimodal, llm-data-security, agent-observability, pro-tips, learning-paths, golden-dataset.

  Connector

• url_scanner_async_scan

  PreClick — An MCP-native URL preflight scanning service for autonomous agents (formerly URLCheck).

  Submit a URL for asynchronous security analysis. Returns immediately with a task_id. Poll with url_scanner_async_task_status to check progress, then url_scanner_async_task_result to get the scan result. Async counterpart of url_scanner_scan for clients without native MCP Tasks support.

  Connector

• web_security_audit

  IA-QA — 130+ QA & Dev Tools for AI Agents

  Run a comprehensive web security audit combining headers, SSL, CORS, and cookies checks — then use an LLM to produce a prioritised remediation plan. Orchestrates security_headers_check + ssl_certificate_check + cors_test + cookie_security_audit in parallel, merges all findings, then asks an AI model to: (1) rank vulnerabilities by real-world exploitability, (2) generate a remediation roadmap, (3) produce fix code snippets for the detected stack. Returns both raw audit data and the AI analysis. Use this as a one-click security posture assessment.

  Connector

• generate_sra

  HIPAA Agent

  Initiate a HIPAA Security Risk Assessment. Returns the first batch of questions for the respondent to answer. Requires active subscription or platform/MSP key. Cost: 500 credits.

  Connector