@curatedmcp/auditor

v1.2.0

Scan your machine for MCP servers and flag security risks

@curatedmcp/auditor

Scan your machine for MCP (Model Context Protocol) servers and flag security risks. Works with Claude Desktop, Cursor, Claude Code, and Windsurf.

npx @curatedmcp/auditor

No installation required. Runs entirely on your machine — nothing is sent to any server except a read-only catalog lookup to check which servers are verified.

Auditor Pro ($9/month) — automated weekly scan alerts, immediate email when a new HIGH-risk server appears, and full scan history at curatedmcp.com/dashboard/auditor.


What it does

Finds every MCP server configured on your machine, then reports:

  • HIGH / MEDIUM / LOW risk flags with explanations
  • Which servers are VERIFIED in the CuratedMCP catalog vs unknown
  • Credentials accidentally embedded in environment blocks
  • Filesystem access or keychain access granted to unverified tools

Example output:

MCP Security Audit — 2026-03-31

Found 4 config files. 12 servers detected.

HIGH RISK (2)
  ⚠ filesystem-mcp — UNVERIFIED, FILE_SYSTEM_ACCESS
    ~/.cursor/mcp.json — npx filesystem-mcp --allow-write /Users

  ⚠ unknown-tool — UNVERIFIED, CREDENTIAL_IN_ENV
    ~/Library/Application Support/Claude/claude_desktop_config.json

VERIFIED (8)
  ✓ stripe-mcp
  ✓ github-mcp
  ✓ notion-mcp
  ...

Learn more: curatedmcp.com/certified

Flags

| Flag | Meaning |
|------|---------|
| --json | Output raw JSON instead of formatted text |
| --offline | Skip catalog lookup (catalog won't be checked for verification status) |
| --key <cmcp_...> | Sync results to Auditor Pro — triggers email alert if new HIGH risks found |

Exit code is 1 if any HIGH-risk servers are found, 0 otherwise. Useful in CI.

Auditor Pro sync

Set your license key once and every scan syncs automatically:

# Add to ~/.zshrc or ~/.bashrc
export CURATEDMCP_KEY=cmcp_your_key_here

# Then just run as normal — results sync silently
npx @curatedmcp/auditor

Or pass it inline:

npx @curatedmcp/auditor --key cmcp_your_key_here

Get a key at curatedmcp.com/auditor#pro.


Risk levels

| Level | Triggers |
|-------|----------|
| HIGH | Unverified + has FILE_SYSTEM_ACCESS or KEYCHAIN_ACCESS, or has CREDENTIAL_IN_ENV |
| MEDIUM | Unverified + has NETWORK_ACCESS |
| LOW | Unverified, no specific risk flags |
| VERIFIED | Found in the CuratedMCP verified catalog |

Risk flags

  • FILE_SYSTEM_ACCESS — command includes --allow-write, --allow-read, path args, or mentions filesystem
  • KEYCHAIN_ACCESS — command invokes keychain or macOS security binary
  • CREDENTIAL_IN_ENV — env block contains a key matching SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE
  • NETWORK_ACCESS — command includes --host, --port, or mentions localhost/http
  • UNVERIFIED — not in the CuratedMCP verified server catalog
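
The flag heuristics above, the risk-level table and the CI exit-code rule, worked through as an added example (this is not the auditor's own source). It assumes case-insensitive matching, that a "path arg" is an argument starting with /, ~, ./ or a drive letter, that an embedded credential is HIGH on its own, and that configs use the common { "mcpServers": { name: { command, args, env } } } layout; the sample config is constructed.

```typescript
// Added example, not the auditor's own source: a scorer that follows the README's flag and
// level rules. Assumptions: matching is case-insensitive, a "path arg" is an argument that
// starts with /, ~, ./ or a drive letter, and configs use { "mcpServers": { name: {...} } }.
type RiskFlag = "FILE_SYSTEM_ACCESS" | "KEYCHAIN_ACCESS" | "CREDENTIAL_IN_ENV" | "NETWORK_ACCESS" | "UNVERIFIED";
type RiskLevel = "HIGH" | "MEDIUM" | "LOW" | "VERIFIED";
interface MCPServerEntry { name: string; command: string; args?: string[]; env?: Record<string, string> }
interface ServerReport { name: string; level: RiskLevel; flags: RiskFlag[] }
const CREDENTIAL_KEY = /SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE/i; // tested against env key names only
const PATH_ARG = /^(\/|~|\.\/|[A-Za-z]:\\)/;
const has = (flags: RiskFlag[], f: RiskFlag): boolean => flags.indexOf(f) !== -1;

function riskFlags(s: MCPServerEntry, verified: string[]): RiskFlag[] {
  const tokens = [s.command].concat(s.args ?? []);
  const cmdline = tokens.join(" ").toLowerCase();
  const flags: RiskFlag[] = [];
  if (/--allow-(write|read)\b/.test(cmdline) || tokens.slice(1).some(a => PATH_ARG.test(a)) ||
      cmdline.indexOf("filesystem") !== -1) flags.push("FILE_SYSTEM_ACCESS");
  if (cmdline.indexOf("keychain") !== -1 || tokens.some(t => /(^|[\\\/])security$/i.test(t))) flags.push("KEYCHAIN_ACCESS");
  if (Object.keys(s.env ?? {}).some(k => CREDENTIAL_KEY.test(k))) flags.push("CREDENTIAL_IN_ENV");
  if (/--(host|port)\b/.test(cmdline) || /localhost|http/.test(cmdline)) flags.push("NETWORK_ACCESS");
  if (verified.indexOf(s.name) === -1) flags.push("UNVERIFIED");
  return flags;
}
// Level mapping from the README table; an embedded credential is read as HIGH on its own.
function riskLevel(flags: RiskFlag[]): RiskLevel {
  if (has(flags, "CREDENTIAL_IN_ENV")) return "HIGH";
  if (!has(flags, "UNVERIFIED")) return "VERIFIED";
  if (has(flags, "FILE_SYSTEM_ACCESS") || has(flags, "KEYCHAIN_ACCESS")) return "HIGH";
  if (has(flags, "NETWORK_ACCESS")) return "MEDIUM";
  return "LOW";
}
function auditConfig(json: string, verified: string[]): ServerReport[] {
  const cfg = JSON.parse(json) as { mcpServers?: Record<string, Omit<MCPServerEntry, "name">> };
  const servers = cfg.mcpServers ?? {};
  return Object.keys(servers).map(name => {
    const flags = riskFlags({ name, ...servers[name] }, verified);
    return { name, level: riskLevel(flags), flags };
  });
}
// Exit code 1 when any HIGH-risk server is present, as the README's CI note describes.
const exitCodeFor = (reports: ServerReport[]): number => reports.some(r => r.level === "HIGH") ? 1 : 0;

// Constructed sample config shaped like the README's example output (not a real scan).
const SAMPLE_CONFIG = JSON.stringify({ mcpServers: {
  "filesystem-mcp": { command: "npx", args: ["filesystem-mcp", "--allow-write", "/Users"] },
  "unknown-tool": { command: "node", args: ["server.js"], env: { API_KEY: "placeholder-value" } },
  "local-proxy": { command: "python", args: ["proxy.py", "--port", "8080"] },
  "stripe-mcp": { command: "npx", args: ["stripe-mcp"] },
} });
const VERIFIED = ["stripe-mcp"];
```

Running auditConfig(SAMPLE_CONFIG, VERIFIED) reports filesystem-mcp and unknown-tool as HIGH, local-proxy as MEDIUM and stripe-mcp as VERIFIED, so exitCodeFor returns 1 for this config.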

Config locations scanned

| Client | macOS | Windows |
|--------|-------|---------|
| Claude Desktop | ~/Library/Application Support/Claude/claude_desktop_config.json | %APPDATA%\Claude\claude_desktop_config.json |
| Cursor | ~/.cursor/mcp.json | %APPDATA%\.cursor\mcp.json |
| Claude Code | ~/.claude/mcp.json + .claude/mcp.json (project) | same |
| Windsurf | ~/.codeium/windsurf/mcp_config.json | %APPDATA%\Windsurf\mcp_config.json |


Build

Prerequisites

  • Node.js 18+
  • npm 9+

Steps

# Clone
git clone https://github.com/oneprofile-dev/mcp-auditor
cd mcp-auditor

# Install dependencies (chalk only + TypeScript tooling)
npm install

# Compile TypeScript → dist/
npm run build

# Run locally
node dist/cli.js

# Or via ts-node during development
npm run dev

The build output is in dist/. The entry point is dist/cli.js.


Configure

The auditor fetches the verified server catalog from https://www.curatedmcp.com/api/catalog and caches it at ~/.curatedmcp/catalog.json for 24 hours. No API key required.

To skip the catalog lookup (e.g. in a restricted network):

npx @curatedmcp/auditor --offline

No environment variables are needed to run the free auditor. Set CURATEDMCP_KEY to enable Pro sync.


Deploy / Publish to npm

These steps are for maintainers publishing a new version.

One-time setup

# Log in to npm (needs publish rights to @curatedmcp org)
npm login

# Verify you're in the curatedmcp org
npm org ls curatedmcp

Publishing a new version

# 1. Bump version in package.json
npm version patch   # or minor / major

# 2. Build fresh
npm run build

# 3. Publish (public scoped package)
npm publish --access public

The package is published as @curatedmcp/auditor. After publishing, npx @curatedmcp/auditor will pick up the new version within a few minutes.

Verifying the publish

# Check latest version on npm
npm view @curatedmcp/auditor version

# Test via npx (@latest forces a fresh registry lookup instead of reusing a cached copy)
npx --yes @curatedmcp/auditor@latest

Development

# Run with ts-node (no build step needed)
npm run dev

# Run with JSON output
npm run dev -- --json

# Run offline (skip catalog fetch)
npm run dev -- --offline

Architecture

src/
  cli.ts        Entry point — argument parsing, orchestration, exit code
  scanner.ts    Platform-aware config file discovery (macOS + Windows)
  risk.ts       Heuristic risk scoring — returns RiskFlag[] per server
  catalog.ts    Fetches + caches verified list from curatedmcp.com/api/catalog
  report.ts     Chalk terminal output + --json mode
  types.ts      Shared types: RiskFlag, RiskLevel, MCPServerEntry, AuditReport

Dependencies: chalk only. Everything else uses Node.js built-ins (fs, os, path, https, crypto). This keeps npx cold-start fast.


License

MIT — see LICENSE.

Questions? curatedmcp.com/contact