npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@wphealthkit/mcp-server

v0.5.6

Published

MCP server for WP HealthKit — audit WordPress plugins and access developer reference guides from any AI tool

Readme

@wphealthkit/mcp-server v0.4.0

An MCP (Model Context Protocol) server that gives AI assistants direct access to WP HealthKit's plugin audit API. Once configured, tools like Claude Desktop, Claude Code, and Cursor can trigger security audits, retrieve findings, fetch AI-ready fix prompts, bulk-audit entire plugin directories, and flag false positives — all without leaving the chat interface.

Setup

Required environment variable

WPHK_API_KEY=your_api_key_here

Get your API key from wphealthkit.com/dashboard.

Claude Desktop

Add the following to your claude_desktop_config.json (usually at ~/Library/Application Support/Claude/claude_desktop_config.json on macOS):

{
  "mcpServers": {
    "wphealthkit": {
      "command": "npx",
      "args": ["-y", "@wphealthkit/mcp-server"],
      "env": {
        "WPHK_API_KEY": "your_api_key_here"
      }
    }
  }
}

Claude Code

Add to your project's .mcp.json:

{
  "mcpServers": {
    "wphealthkit": {
      "command": "npx",
      "args": ["-y", "@wphealthkit/mcp-server"],
      "env": {
        "WPHK_API_KEY": "your_api_key_here"
      }
    }
  }
}

Cursor

Open Cursor Settings > MCP > Add Server and use:

{
  "wphealthkit": {
    "command": "npx",
    "args": ["-y", "@wphealthkit/mcp-server"],
    "env": {
      "WPHK_API_KEY": "your_api_key_here"
    }
  }
}

Available tools

| Tool | Description | |---|---| | audit_plugin | Trigger a security audit for a wp.org plugin by slug. Returns an audit ID. | | audit_plugin_zip | Trigger an audit from a local ZIP file. Returns an audit ID. | | audit_plugins_bulk | Audit all plugin ZIP files in a local directory. Submits in batches of 10, streams results as each completes, and prints a final summary with risk breakdown and links to top findings. | | get_report | Poll the status and full results of an audit by its ID. | | get_findings | Get paginated findings, with optional filters for severity and category. | | get_fix_prompt | Get AI-ready fix prompts for an audit's findings, batched by severity. | | check_plugin | Look up a plugin's security grade, risk level, and findings count from the directory. | | list_usage | Check your current usage — audits used this month, tier, and limits. | | flag_finding | Flag a finding as a false positive. The report goes to the WP HealthKit team for review; confirmed patterns result in a scanner rule update that prevents that pattern in all future audits. |


Tool reference

audit_plugin

Triggers a security audit for any plugin hosted on wp.org.

Parameters

| Parameter | Type | Required | Description | |---|---|---|---| | slug | string | Yes | The wp.org plugin slug (e.g. "contact-form-7"). | | engines | string[] | No | Audit engines to run. Defaults to all engines. |

Example

audit_plugin({ slug: "contact-form-7" })
// Returns: { auditId: "abc-123", status: "queued" }

audit_plugin_zip

Triggers an audit from a local ZIP file. Useful for plugins not on wp.org or pre-release builds.

Parameters

| Parameter | Type | Required | Description | |---|---|---|---| | path | string | Yes | Absolute path to the ZIP file on disk. | | engines | string[] | No | Audit engines to run. Defaults to all engines. |

Example

audit_plugin_zip({ path: "/Users/me/plugins/my-plugin.zip" })
// Returns: { auditId: "def-456", status: "queued" }

audit_plugins_bulk

Audits all plugin ZIP files in a local directory. Submissions are batched in groups of 10. Results stream as each audit completes, and a final summary table is printed with a risk breakdown and links to top findings.

Parameters

| Parameter | Type | Required | Description | |---|---|---|---| | directory | string | Yes | Absolute path to the directory containing plugin ZIPs. | | engines | string[] | No | Audit engines to run (e.g. ["performance"]). Defaults to all engines. | | pattern | string | No | Glob pattern to match files. Defaults to "*.zip". |

Example

audit_plugins_bulk({ directory: "/Users/me/plugins", engines: [] })

Output

Results stream to the conversation as each plugin completes. Once all audits finish, the tool prints a summary table:

Plugin                  Risk      Findings   Report
----------------------  --------  ---------  ----------------------------------------
my-plugin.zip           CRITICAL  14         https://wphealthkit.com/report/abc-123
another-plugin.zip      LOW       2          https://wphealthkit.com/report/def-456
legacy-plugin.zip       HIGH      7          https://wphealthkit.com/report/ghi-789

Summary: 3 plugins audited — 1 CRITICAL, 1 HIGH, 0 MEDIUM, 1 LOW

get_report

Polls the status and full results of an audit. Call this after audit_plugin or audit_plugin_zip to wait for completion and retrieve the report.

Parameters

| Parameter | Type | Required | Description | |---|---|---|---| | auditId | string | Yes | The audit ID returned by audit_plugin or audit_plugin_zip. |

Example

get_report({ auditId: "abc-123" })
// Returns: { status: "completed", grade: "C", riskLevel: "HIGH", findingsCount: 7, reportUrl: "..." }

get_findings

Returns paginated findings for a completed audit. Supports filtering by severity and category.

Parameters

| Parameter | Type | Required | Description | |---|---|---|---| | auditId | string | Yes | The audit ID. | | severity | string | No | Filter by severity: "CRITICAL", "HIGH", "MEDIUM", or "LOW". | | category | string | No | Filter by category (e.g. "xss", "csrf", "performance"). | | page | number | No | Page number for pagination. Defaults to 1. |

Example

get_findings({ auditId: "abc-123", severity: "CRITICAL" })

get_fix_prompt

Returns AI-ready fix prompts for an audit's findings, grouped and batched by severity. Pass the output directly to a coding assistant to generate patches.

Parameters

| Parameter | Type | Required | Description | |---|---|---|---| | auditId | string | Yes | The audit ID. | | severity | string | No | Limit prompts to a specific severity level. |

Example

get_fix_prompt({ auditId: "abc-123", severity: "HIGH" })

check_plugin

Looks up a plugin's current security grade, risk level, and findings count from the WP HealthKit directory without triggering a new audit.

Parameters

| Parameter | Type | Required | Description | |---|---|---|---| | slug | string | Yes | The wp.org plugin slug. |

Example

check_plugin({ slug: "woocommerce" })
// Returns: { grade: "B", riskLevel: "MEDIUM", findingsCount: 3, lastAudited: "2026-04-20" }

list_usage

Returns your current billing period usage — audits consumed, tier, and remaining quota.

Parameters

None.

Example

list_usage()
// Returns: { auditsUsed: 47, auditsLimit: 100, tier: "pro", resetsAt: "2026-05-01" }

flag_finding

Flags a finding as a false positive. The report is reviewed by the WP HealthKit team. If the pattern is confirmed as a false positive, the scanner rule is updated to prevent the same result from appearing in all future audits.

Parameters

| Parameter | Type | Required | Description | |---|---|---|---| | auditId | string | Yes | UUID of the audit containing the finding. | | findingId | string | Yes | ID of the finding to flag (e.g. "finding-12"). | | findingTitle | string | Yes | Title of the finding as shown in the report. | | reason | string | No | Explanation of why this is a false positive. |

Example

flag_finding({
  auditId: "abc-123-def-456",
  findingId: "finding-5",
  findingTitle: "Named arguments used in internal function call",
  reason: "These are positional args — the scanner is misidentifying the call signature"
})
// Returns: { flagged: true, reviewTicket: "FP-2891" }

Usage flows

Audit a single plugin and get fix prompts

audit_plugin({ slug: "my-plugin" })
  → get_report({ auditId: "..." })          // poll until status === "completed"
  → get_findings({ auditId: "...", severity: "CRITICAL" })
  → get_fix_prompt({ auditId: "..." })

Audit all plugins in a local directory

audit_plugins_bulk({ directory: "/Users/me/plugins" })
  // streams per-plugin results as they complete
  // prints final summary table with risk breakdown

Check a plugin before installing

check_plugin({ slug: "advanced-custom-fields" })
  // returns grade, risk level, and findings count without consuming an audit credit

Flag a false positive after reviewing findings

get_findings({ auditId: "...", severity: "HIGH" })
  → flag_finding({
      auditId: "...",
      findingId: "finding-12",
      findingTitle: "Unescaped output in template",
      reason: "Output is escaped upstream via wp_kses before reaching this call"
    })

Environment variables

| Variable | Default | Description | |---|---|---| | WPHK_API_KEY | — | Required. Your WP HealthKit API key. | | WPHK_API_URL | https://wphealthkit.com/api/v1 | Override to point at a self-hosted or staging instance. |


License

MIT