PackageScanner MCP Integration Guide

Connect PackageScanner to MCP-compatible AI assistants for automated security analysis.

What is MCP?

Model Context Protocol (MCP) is an open standard that enables seamless integration between AI assistants and external tools. With MCP, you can:

  • Analyze npm packages directly from your AI assistant
  • Get real-time security reports without leaving your conversation
  • Automate security checks in your development workflow

Quick Start

Step 1: Get the MCP Endpoint

Our Remote MCP endpoint is available at:

https://www.package-scanner.dev/api/mcp

Step 2: Configure Your AI Assistant

Add the following configuration to your AI assistant's MCP settings:

{
  "mcp": {
    "npmPackageScanner": {
      "url": "https://www.package-scanner.dev/api/mcp"
    }
  }
}

Step 3: Start Using

Once configured, you can ask your AI assistant to analyze packages using natural language commands.

Available Tools

mcp.search_malware

Search the malware database by package name and optional version

mcp.search_malware({
  name: "left-pad",
  version: "1.3.0"
})

mcp.package_metadata

Fetch npm registry metadata with freshness and license alerts

mcp.package_metadata({
  name: "lodash"
})

mcp.analyze_package_json

Analyze dependencies in a package.json document for known malicious packages

mcp.analyze_package_json({
  packageJsonContent: "{ ... }"
})

mcp.analyze_lockfile (β)

Inspect a lockfile (npm, pnpm, yarn, bun) for malicious dependencies (currently deprecated)

mcp.analyze_lockfile({
  manager: "npm",
  lockfileContent: "{ ... }"
})

mcp.get_report

Retrieve a previously generated analysis result by its ID

mcp.get_report({
  analysisId: "analysis-123"
})

mcp.version

Return the MCP service version and schema information

mcp.version()

mcp.health_check

Verify the MCP service is operational

mcp.health_check()
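
An added example, not part of PackageScanner's documentation or code: because the endpoint is remote, a client can reduce a package.json to its dependency maps before passing it as packageJsonContent, and derive mcp.search_malware arguments from the same data. The helper names (minimizePackageJson, buildAnalyzeArgs, buildSearchArgs) and the sample input are assumptions made for illustration; whether the service uses other package.json fields is not stated on this page.

```javascript
// Added example, not PackageScanner code. The argument names packageJsonContent,
// name and version are the ones shown in the tool list on this page.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const EXACT = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/; // pinned version, no range operator
const isMap = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Parse package.json text and keep only the dependency maps, with any
// "user:token@" userinfo removed from URL-style specs.
function minimizePackageJson(rawText) {
  const parsed = JSON.parse(rawText); // throws SyntaxError on malformed input
  if (!isMap(parsed)) throw new TypeError("package.json must contain a JSON object");
  const slim = {};
  for (const field of DEP_FIELDS) {
    if (!isMap(parsed[field])) continue;
    for (const [name, spec] of Object.entries(parsed[field])) {
      if (typeof spec !== "string") continue;
      slim[field] = slim[field] || {};
      slim[field][name] = spec.replace(/(:\/\/)[^\/@\s]+@/, "$1");
    }
  }
  return slim;
}

// Arguments for mcp.analyze_package_json.
function buildAnalyzeArgs(rawText) {
  return { packageJsonContent: JSON.stringify(minimizePackageJson(rawText)) };
}

// Arguments for one mcp.search_malware call per dependency. `version` is set
// only for exact pins; ranges, tags and URLs become name-only lookups.
function buildSearchArgs(rawText) {
  const queries = new Map();
  for (const deps of Object.values(minimizePackageJson(rawText))) {
    for (const [name, spec] of Object.entries(deps)) {
      const query = EXACT.test(spec) ? { name, version: spec } : { name };
      queries.set(JSON.stringify(query), query); // de-duplicate across fields
    }
  }
  return [...queries.values()];
}

// Constructed sample input (not a real project).
const SAMPLE = JSON.stringify({
  scripts: { deploy: "rsync -a dist/ deploy@internal.example.com:/srv/app" },
  dependencies: { express: "4.18.0", hono: "^4.0.0",
    internal: "git+https://ci-user:CONSTRUCTED_TOKEN@git.example.com/org/internal.git" },
  devDependencies: { express: "4.18.0" },
});
console.log(buildAnalyzeArgs(SAMPLE), buildSearchArgs(SAMPLE));
```

Dependency names still leave the machine, so private package names remain visible to the service.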

Examples

Cursor Configuration

For Cursor (or other MCP-enabled editors), add the following to your settings:

{
  "mcp": {
    "npmPackageScanner": {
      "url": "https://www.package-scanner.dev/api/mcp"
    }
  }
}

Usage Examples

Once configured, you can use commands like:

  • "Check if express@4.18.0 is safe"
  • "Analyze my package.json for malicious dependencies"
  • "Tell me the latest version of hono"

Security Notes

Important security considerations:

  • The MCP endpoint is read-only and cannot modify your system
  • All analysis is performed against our malicious package database, so results are not 100% accurate
  • No package code is executed during analysis through MCP