
@vettiq/mcp-server

v1.2.0

VettIQ MCP server — security scanning for AI-generated code, callable from Cursor, Claude Code, and any MCP-compatible agent.

Readme

@vettiq/mcp-server

VettIQ MCP Server brings AI code security scanning directly into your coding environment. 12 tools let you scan code through VettIQ's 6-stage multi-LLM pipeline, vet ClawHub skills before installing, check MCP server trust scores, drive the automated fix pipeline, search live threat intelligence, and monitor your security posture — all without leaving Claude Code, Cursor, or Windsurf.

Prerequisites

  • Node.js 18+
  • VettIQ API key (get free at app.vettiq.ai → Settings → API Keys)
  • Free plan works — 1 scan/month included

Quick Start — Claude Code

npm install -g @vettiq/mcp-server

Add to ~/.claude/mcp.json:

{
  "mcpServers": {
    "vettiq": {
      "command": "vettiq-mcp",
      "env": {
        "VETTIQ_API_KEY": "your_api_key_here"
      }
    }
  }
}

Restart Claude Code. Test: "Scan this file with VettIQ" then paste any code.

Quick Start — Cursor

Add to .cursor/mcp.json at your project root:

{
  "mcpServers": {
    "vettiq": {
      "command": "vettiq-mcp",
      "env": {
        "VETTIQ_API_KEY": "your_key_here"
      }
    }
  }
}

Quick Start — HTTP Transport

VETTIQ_API_KEY=your_key VETTIQ_MCP_TRANSPORT=http node dist/index.js

MCP endpoint: http://localhost:3100/sse
Health check: http://localhost:3100/health

Quick Start — Docker

docker build -t vettiq-mcp .
docker run -e VETTIQ_API_KEY=your_key -p 3100:3100 vettiq-mcp

Available Tools (12)

| Tool | What it does | When to use |
|------|--------------|-------------|
| scan_code | Submit code for 6-stage security scan | Before committing any AI-generated code |
| get_scan_status | Poll scan progress | After scan_code |
| get_scan_results | Get findings and verified fixes | When scan is complete |
| check_mcp_server | Look up MCP server trust score | Before installing any MCP server |
| search_threat_intel | Search live CVE/threat database | Researching a vulnerability |
| get_security_score | Get repo Security Health Score | Monitoring security posture |
| list_open_findings | List all unresolved findings | Security review / sprint planning |
| scan_clawhub_skill | Scan a ClawHub skill for malware and guidance injection | Before installing any ClawHub skill |
| get_clawhub_skill_report | Retrieve a completed ClawHub scan report | Reviewing a previous skill scan |
| check_clawhub_blocklist | Instant check against VettIQ's malicious-skill blocklist | Fast pre-install gate (<100ms) |
| get_fix_job_status | Poll an async fix generation job | After calling generate_fix |
| get_fix_results | Retrieve completed fix diffs and PR links | When fix job is complete |

ClawHub Skill Security

Three tools cover the full lifecycle of vetting ClawHub MCP skills before they land in an agent:

  • scan_clawhub_skill — runs VettIQ's skill-adapted pipeline against a ClawHub slug. Detects AMOS/ClickFix malware delivery, guidance injection (persistent behavioral modification), N-run delay evasion, credential harvesting, and silent exfiltration. Returns a 0–100 risk score, severity rating, and preview findings. With an API key it runs the full 6-stage pipeline; without one, only Stage 0+1 runs.
  • check_clawhub_blocklist — sub-100ms lookup against VettIQ's blocklist of confirmed malicious skills (e.g. the ClawHavoc campaign). Use as a fast gate before running a full scan.
  • get_clawhub_skill_report — retrieve a previously completed scan by slug/scan ID (badge status, risk score, last-scanned timestamp).

Fix Job Management

VettIQ's automated fix pipeline is asynchronous. After calling generate_fix in the web app or API, use these two tools to drive the job:

  • get_fix_job_status — poll the job status (pending → processing → completed/failed). Surfaces per-file progress, credit usage, and next-step guidance.
  • get_fix_results — once the job is complete, returns per-file diffs, confidence scores, explanations, and the PR link (when a GitHub PR was opened).

This replaces the earlier SSE-based flow with a simple polling pattern that works across any MCP client.
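The polling flow described above, as an added JavaScript example that is not part of the VettIQ package: `callTool(name, args)` is an assumed wrapper around an MCP client's tool call, the two tool names and the pending → processing → completed/failed states come from the README, and the argument and response field names (`job_id`, `state`, `files`, `pr_url`) are assumptions. The stub client at the end is constructed so the example runs offline.

```javascript
// Added example (not VettIQ's code): drive an asynchronous fix job to completion
// with the README's polling pattern. Tool names and states are from the README;
// `callTool` and the job_id/state/files/pr_url field names are assumed.
const TERMINAL_STATES = new Set(["completed", "failed"]);

// Retry transient API errors (429 / 5xx), mirroring VETTIQ_RETRY_ATTEMPTS; other
// errors (bad key, unknown job) are surfaced immediately rather than masked.
async function withRetry(fn, attempts = 3) {
  let lastErr;
  for (let i = 0; i < attempts; i++) {
    try {
      return await fn();
    } catch (err) {
      lastErr = err;
      if (err.status !== 429 && !(err.status >= 500)) throw err;
    }
  }
  throw lastErr;
}

// Poll get_fix_job_status until a terminal state, then fetch get_fix_results.
// A bounded poll count turns a stuck job into an explicit "timeout" result.
async function driveFixJob(callTool, jobId, opts = {}) {
  const { intervalMs = 2000, maxPolls = 45, sleep = (ms) => new Promise((r) => setTimeout(r, ms)) } = opts;
  for (let poll = 0; poll < maxPolls; poll++) {
    const status = await withRetry(() => callTool("get_fix_job_status", { job_id: jobId }));
    if (TERMINAL_STATES.has(status.state)) {
      if (status.state === "failed") return { ok: false, state: "failed", reason: status.error ?? null, polls: poll + 1 };
      const results = await withRetry(() => callTool("get_fix_results", { job_id: jobId }));
      return { ok: true, state: "completed", files: results.files ?? [], prUrl: results.pr_url ?? null, polls: poll + 1 };
    }
    await sleep(intervalMs);
  }
  return { ok: false, state: "timeout", polls: maxPolls };
}

// Constructed stub standing in for a real MCP client: replays a scripted sequence
// of status values (an Error entry simulates a transient or fatal API failure).
function makeStubClient(statusScript, results) {
  let n = 0;
  return async (name, args) => {
    if (name === "get_fix_job_status") {
      const step = statusScript[Math.min(n++, statusScript.length - 1)];
      if (step instanceof Error) throw step;
      return { job_id: args.job_id, state: step };
    }
    if (name === "get_fix_results") return results;
    throw new Error(`unknown tool ${name}`);
  };
}
```

Pass `{ intervalMs: 0, sleep: async () => {} }` as `opts` to exercise the state machine without real delays.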

Environment Variables

| Variable | Default | Description |
|----------|---------|-------------|
| VETTIQ_API_KEY | (required) | Your VettIQ API key |
| VETTIQ_API_BASE_URL | https://api.vettiq.ai | API base URL |
| VETTIQ_MCP_TRANSPORT | stdio | Transport: stdio or http |
| VETTIQ_MCP_PORT | 3100 | HTTP port (http transport only) |
| VETTIQ_MCP_DEBUG | false | Enable debug logging to stderr |
| VETTIQ_REQUEST_TIMEOUT_MS | 30000 | API request timeout (ms) |
| VETTIQ_RETRY_ATTEMPTS | 3 | Max retry attempts for 429/5xx |

Example Prompts

  • "Scan this Supabase integration for security issues" [paste code]
  • "Check if github.com/owner/some-mcp-server is safe to install"
  • "Is the ClawHub skill productivity/task-manager on the blocklist?"
  • "Scan the ClawHub skill productivity/task-manager before I install it"
  • "What critical vulnerabilities is VettIQ tracking this week?"
  • "What's my security score for myorg/my-app?"
  • "List all open critical findings across my repositories"
  • "Scan my auth handler and apply the fixes"
  • "Poll fix job fix_abc123 until it's done and show me the diffs"

Troubleshooting

API key not working
Generate a new key at app.vettiq.ai → Settings → API Keys. The free tier includes 1 scan/month.

Server not appearing in Claude Code
Check that ~/.claude/mcp.json is valid JSON and the path to vettiq-mcp is correct. Restart Claude Code after any changes.

Scan taking too long
The 6-stage pipeline (Semgrep → Gemini → GPT-5.4 mini → Gemini → Claude Sonnet 4.6 → Gemini verification) typically completes in 60–90 seconds. Use get_scan_status to check progress.

Rate limit errors
Free plan: 1 scan/month. Pro ($49/mo): unlimited scans. Upgrade at app.vettiq.ai/pricing.

Development

npm install
npm run build
npm test
npm run typecheck

License

Proprietary — LumenIQ, Inc.