@modular-intelligence/nuclei-scanner

v1.0.2

MCP server wrapping nuclei for vulnerability scanning

Nuclei Scanner MCP Server

A comprehensive vulnerability scanning service that integrates with Nuclei, a powerful open-source vulnerability scanner. This MCP (Model Context Protocol) server enables Claude to perform security assessments on web applications and services using templates for detecting CVEs, misconfigurations, and other security issues.

Overview

This server provides access to Nuclei's vulnerability scanning capabilities through a unified interface:

  • Nuclei Scanning - Execute vulnerability scans against target URLs with flexible filtering options
  • Template Management - List and search available vulnerability templates from Nuclei's repository
  • Template Validation - Validate custom Nuclei template files for correctness and syntax

Perfect for security research, penetration testing, vulnerability assessments, and continuous security scanning.

Tools

| Tool | Description |
|------|-------------|
| nuclei_scan | Execute vulnerability scan on a target URL with optional filtering |
| nuclei_templates_list | List available vulnerability templates with filtering by category and severity |
| nuclei_templates_search | Search templates by keyword (CVE ID, vulnerability name, etc.) |
| nuclei_validate_template | Validate a custom Nuclei template file for syntax and structure |

Nuclei Scan

Execute a vulnerability scan on a target URL using Nuclei templates with optional filtering by severity, tags, and template category.

Input Parameters:

{
  target: string                    // Target URL (http:// or https:// only)
  severity?: string                 // Filter by severity: info, low, medium, high, critical
  tags?: string[]                   // Array of tags to filter templates
  template_category?: string        // Template category (e.g., 'cve', 'vulnerabilities')
  timeout?: number                  // Timeout in seconds (default: 600)
}

Example Request:

{
  "target": "https://example.com",
  "severity": "high",
  "tags": ["cve"],
  "timeout": 300
}

Example Output:

{
  "findings": [
    {
      "template_id": "http/cves/2024/CVE-2024-1234",
      "name": "CVE-2024-1234 Remote Code Execution",
      "severity": "critical",
      "type": "http",
      "host": "https://example.com",
      "matched_at": "https://example.com/vulnerable-endpoint",
      "extracted_results": [
        "PHP Version: 7.4.3"
      ],
      "description": "A remote code execution vulnerability in the vulnerable application",
      "reference": [
        "https://nvd.nist.gov/vuln/detail/CVE-2024-1234"
      ],
      "tags": ["rce", "owasp-top10"]
    },
    {
      "template_id": "http/vulnerabilities/exposed-admin-panel",
      "name": "Exposed Admin Panel",
      "severity": "high",
      "type": "http",
      "host": "https://example.com",
      "matched_at": "https://example.com/admin",
      "extracted_results": [],
      "description": "An unauthenticated admin panel was discovered",
      "reference": [],
      "tags": ["misconfig", "exposure"]
    }
  ],
  "count": 2
}

Nuclei Templates List

List all available Nuclei templates with optional filtering by category and severity level.

Input Parameters:

{
  category?: string  // Filter templates by category (e.g., 'cve', 'vulnerabilities')
  severity?: string  // Filter by severity: info, low, medium, high, critical
}

Example Request:

{
  "category": "cve",
  "severity": "critical"
}

Example Output:

{
  "templates": [
    {
      "id": "http/cves/2024/CVE-2024-1234",
      "name": "CVE-2024-1234",
      "severity": "critical",
      "tags": ["rce", "critical"]
    },
    {
      "id": "http/cves/2024/CVE-2024-5678",
      "name": "CVE-2024-5678",
      "severity": "critical",
      "tags": ["ssrf", "critical"]
    },
    {
      "id": "http/cves/2023/CVE-2023-9999",
      "name": "CVE-2023-9999",
      "severity": "critical",
      "tags": ["authentication-bypass"]
    }
  ],
  "count": 3
}

Nuclei Templates Search

Search for vulnerability templates by keyword, such as CVE ID or vulnerability name.

Input Parameters:

{
  keyword: string      // Keyword to search for in template names
  max_results?: number // Maximum number of results to return (default: 20)
}

Example Request:

{
  "keyword": "CVE-2024-1234",
  "max_results": 10
}

Example Output:

{
  "templates": [
    {
      "id": "http/cves/2024/CVE-2024-1234",
      "name": "CVE-2024-1234",
      "severity": "critical"
    }
  ],
  "count": 1,
  "keyword": "CVE-2024-1234"
}

Nuclei Validate Template

Validate a custom Nuclei template file to ensure it has correct syntax and structure.

Input Parameters:

{
  template_path: string  // Path to the template file to validate
}

Example Request:

{
  "template_path": "/path/to/custom-template.yaml"
}

Example Output:

{
  "valid": true,
  "template_path": "/path/to/custom-template.yaml",
  "message": "Template is valid"
}

Example Error Output:

{
  "valid": false,
  "template_path": "/path/to/custom-template.yaml",
  "errors": "template syntax error: invalid field name 'unknown_field' at line 5"
}

Configuration

Environment Variables

This server has optional environment variable support for API keys (for enhanced Nuclei functionality):

export NUCLEI_API_KEY="your-nuclei-api-key"

Prerequisites

  • Bun runtime (version 1.x or later) or Node.js 18+
  • Nuclei must be installed and available in your PATH

Installing Nuclei

Visit the official Nuclei installation guide: https://nuclei.projectdiscovery.io/

macOS (using Homebrew):

brew install nuclei

Linux (using apt, for Debian/Ubuntu):

sudo apt update && sudo apt install nuclei

Using Go:

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Docker:

docker pull projectdiscovery/nuclei:latest

Verify installation:

nuclei -version

Installation

Steps

  1. Clone or download this repository:

     git clone <repo-url>
     cd nuclei-scanner

  2. Install dependencies:

     bun install

  3. Build the project:

     bun run build

  4. (Optional) Set environment variables:

     export NUCLEI_API_KEY="your-nuclei-api-key"

  5. Run the server:

     bun run start

The server will start listening on stdio transport.

Usage

Running the Server

Start the server with Bun:

bun run src/index.ts

The server implements the Model Context Protocol (MCP) and communicates via stdio transport. It can be integrated with Claude or other MCP clients.

Claude Desktop Configuration

Add the server to your Claude Desktop configuration at ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "nuclei-scanner": {
      "command": "bun",
      "args": [
        "run",
        "/path/to/nuclei-scanner/src/index.ts"
      ],
      "env": {
        "NUCLEI_API_KEY": "your-nuclei-api-key"
      }
    }
  }
}

Claude Code MCP Settings

Configure the server in Claude Code's MCP settings (typically in .mcp.json or via settings UI):

{
  "servers": {
    "nuclei-scanner": {
      "transport": "stdio",
      "command": "bun",
      "args": ["run", "/path/to/nuclei-scanner/src/index.ts"],
      "env": {
        "NUCLEI_API_KEY": "your-nuclei-api-key"
      }
    }
  }
}

Example Usage in Claude

Once configured, you can use the tools directly in conversations with Claude:

Request: "Scan https://example.com for critical vulnerabilities"

Claude will call:

{
  "tool": "nuclei_scan",
  "input": {
    "target": "https://example.com",
    "severity": "critical"
  }
}

Request: "Search for CVE-2024-1234 templates in Nuclei"

Claude will call:

{
  "tool": "nuclei_templates_search",
  "input": {
    "keyword": "CVE-2024-1234",
    "max_results": 10
  }
}

Request: "List all high severity vulnerability templates"

Claude will call:

{
  "tool": "nuclei_templates_list",
  "input": {
    "severity": "high"
  }
}

Request: "Validate my custom template at /home/user/my-template.yaml"

Claude will call:

{
  "tool": "nuclei_validate_template",
  "input": {
    "template_path": "/home/user/my-template.yaml"
  }
}

Security

This server implements comprehensive security measures to prevent misuse and protect against scanning unauthorized targets:

Input Validation

Target URL Validation

  • Only HTTP and HTTPS protocols are allowed
  • Invalid URL formats are rejected
  • Non-web protocols (FTP, file, custom) are blocked
  • URLs are validated against Node.js URL parser

Severity Filter Validation

  • Accepts only valid severity levels: info, low, medium, high, critical
  • Invalid severity values are rejected by Zod schema

Template Category Validation

  • Validates template category names
  • Dangerous categories are explicitly blocked (see below)

What Gets Blocked

The server rejects:

  • Non-HTTP/HTTPS protocols
  • Private IP addresses and localhost (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 0.0.0.0/8)
  • Localhost variations (localhost, ::1)
  • Dangerous template categories: dos, fuzzing, headless
  • Invalid severity levels
  • Missing or malformed URL inputs

Dangerous Template Categories

The following template categories are blocked for security and ethical reasons:

  • dos - Denial of Service templates that could impact service availability
  • fuzzing - Fuzzing templates that could cause instability
  • headless - Headless browser templates that could consume excessive resources
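
The rules listed under What Gets Blocked and Dangerous Template Categories, written out as a stand-alone TypeScript check. This is an added example, not the package's own source; `validateScanInput` and every other name in it are hypothetical, and only the IPv4 ranges listed above are covered.

```typescript
// Added example: a stand-alone sketch of the documented input rules.
// All names here are hypothetical; this is not the package's source.
type ScanInput = { target: string; severity?: string; template_category?: string };
type Verdict = { ok: true; url: string } | { ok: false; reason: string };

const SEVERITIES = ["info", "low", "medium", "high", "critical"];
const BLOCKED_CATEGORIES = ["dos", "fuzzing", "headless"];
// Only the IPv4 ranges listed on the page: [network, prefix length].
const BLOCKED_V4: Array<[string, number]> = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["0.0.0.0", 8],
];

// Dotted quad -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

function inCidr(ip: number, network: string, prefix: number): boolean {
  const size = 2 ** (32 - prefix);
  const base = ipv4ToInt(network) as number;
  return ip >= base && ip < base + size;
}

function validateScanInput(input: ScanInput): Verdict {
  let url: URL;
  try { url = new URL(input.target); } catch { return { ok: false, reason: "malformed URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { ok: false, reason: "protocol not allowed" };
  // url.hostname is the parser's canonical form, so integer or hex IPv4
  // spellings have already been rewritten to a dotted quad at this point.
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host === "[::1]")
    return { ok: false, reason: "localhost" };
  const ip = ipv4ToInt(host);
  if (ip !== null && BLOCKED_V4.some(([net, bits]) => inCidr(ip, net, bits)))
    return { ok: false, reason: "private or loopback address" };
  if (input.severity !== undefined && !SEVERITIES.includes(input.severity))
    return { ok: false, reason: "invalid severity" };
  if (input.template_category !== undefined && BLOCKED_CATEGORIES.includes(input.template_category))
    return { ok: false, reason: "blocked template category" };
  return { ok: true, url: url.href };
}
```

The check looks at the literal host only: a hostname that resolves to one of these ranges passes it, so that case needs a separate check on the resolved address.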

Error Handling

  • Invalid inputs return descriptive error messages
  • Nuclei execution errors are caught and reported
  • Timeout errors are handled gracefully with a 600-second default timeout
  • Template validation errors are presented with details

License

ISC License - see LICENSE file for details