PackageScanner MCP Integration Guide

Connect PackageScanner to MCP-compatible AI agents for automated security analysis.

Remote MCP endpoint available at: https://www.package-scanner.dev/api/mcp

What is MCP?

Model Context Protocol (MCP) is an open standard that enables seamless integration between AI agents and external tools. With MCP, you can:

Analyze npm packages directly from your AI agent
Get real-time security reports without leaving your conversation
Automate security checks in your development workflow

Quick Start

Step 1: Get the MCP Endpoint

Our Remote MCP endpoint is available at:

https://www.package-scanner.dev/api/mcp

Step 2: Configure MCP

Add the following configuration to your AI agent's MCP settings:

{
  "mcp": {
    "npmPackageScanner": {
      "url": "https://www.package-scanner.dev/api/mcp"
    }
  }
}

Step 3: Start Using

Once configured, you can ask your AI agent to analyze packages using natural language commands.

Available Tools

mcp_search_malware

Search the malware database by package name and optional version

mcp_search_malware({\n name: "left-pad",\n version: "1.3.0"\n})

mcp_package_metadata

Fetch npm registry metadata with freshness and license alerts

mcp_package_metadata({\n name: "lodash"\n})

mcp_analyze_package_json

Analyze a package.json document for known malicious dependencies and OSV-reported vulnerabilities

mcp_analyze_package_json({\n packageJsonContent: "{ ... }"\n})

mcp_analyze_lockfile

Analyze a lockfile (npm, pnpm, yarn, bun) for malicious packages and OSV-reported vulnerabilities

mcp_analyze_lockfile({\n manager: "npm",\n lockfileContent: "{ ... }"\n})

mcp_get_report

Retrieve a previously generated analysis result by its ID

mcp_get_report({\n analysisId: "analysis-123"\n})

mcp_version

Return the MCP service version and schema information

mcp_version()

mcp_health_check

Verify the MCP service is operational

mcp_health_check()

Examples

Cursor Configuration

For Cursor (or other MCP-enabled editors), add the following to your settings:

{
  "mcp": {
    "npmPackageScanner": {
      "url": "https://www.package-scanner.dev/api/mcp"
    }
  }
}

Claude Code Setup

In Claude Code (CLI), adding a remote MCP server over HTTP is the recommended approach, matching the official documentation. Use any of the methods below. Claude Code MCP (official docs)

Method 1: Add with HTTP transport (recommended)

HTTP is the recommended transport for remote MCP servers. Run:

claude mcp add --transport http npmPackageScanner https://www.package-scanner.dev/api/mcp

Scope: default is local. Use --scope project for a team-shared .mcp.json at the project root, or --scope user for all projects on this machine.

Method 2: Add with add-json

Example when passing JSON configuration directly (type is http).

claude mcp add-json npmPackageScanner '{"type":"http","url":"https://www.package-scanner.dev/api/mcp"}'

Method 3: Edit configuration files manually

Add the following shape to mcpServers in ~/.claude.json (as written by claude mcp add) or to .mcp.json in your project:

{
  "mcpServers": {
    "npmPackageScanner": {
      "type": "http",
      "url": "https://www.package-scanner.dev/api/mcp"
    }
  }
}

Usage Examples

Once configured, you can use commands like:

"Check if express@4.18.0 is safe"
"Analyze my package.json for malicious dependencies"
"Tell me the latest version of hono"

Security Notes

Important security considerations:

The MCP endpoint is read-only and cannot modify your system
All analysis is performed against our malicious package database, so it's not 100% accurate
No package code is executed during analysis through MCP