@wphealthkit/mcp-server
v0.5.6
Published
MCP server for WP HealthKit — audit WordPress plugins and access developer reference guides from any AI tool
Readme
@wphealthkit/mcp-server v0.4.0
An MCP (Model Context Protocol) server that gives AI assistants direct access to WP HealthKit's plugin audit API. Once configured, tools like Claude Desktop, Claude Code, and Cursor can trigger security audits, retrieve findings, fetch AI-ready fix prompts, bulk-audit entire plugin directories, and flag false positives — all without leaving the chat interface.
Setup
Required environment variable
WPHK_API_KEY=your_api_key_hereGet your API key from wphealthkit.com/dashboard.
Claude Desktop
Add the following to your claude_desktop_config.json (usually at ~/Library/Application Support/Claude/claude_desktop_config.json on macOS):
{
"mcpServers": {
"wphealthkit": {
"command": "npx",
"args": ["-y", "@wphealthkit/mcp-server"],
"env": {
"WPHK_API_KEY": "your_api_key_here"
}
}
}
}Claude Code
Add to your project's .mcp.json:
{
"mcpServers": {
"wphealthkit": {
"command": "npx",
"args": ["-y", "@wphealthkit/mcp-server"],
"env": {
"WPHK_API_KEY": "your_api_key_here"
}
}
}
}Cursor
Open Cursor Settings > MCP > Add Server and use:
{
"wphealthkit": {
"command": "npx",
"args": ["-y", "@wphealthkit/mcp-server"],
"env": {
"WPHK_API_KEY": "your_api_key_here"
}
}
}Available tools
| Tool | Description |
|---|---|
| audit_plugin | Trigger a security audit for a wp.org plugin by slug. Returns an audit ID. |
| audit_plugin_zip | Trigger an audit from a local ZIP file. Returns an audit ID. |
| audit_plugins_bulk | Audit all plugin ZIP files in a local directory. Submits in batches of 10, streams results as each completes, and prints a final summary with risk breakdown and links to top findings. |
| get_report | Poll the status and full results of an audit by its ID. |
| get_findings | Get paginated findings, with optional filters for severity and category. |
| get_fix_prompt | Get AI-ready fix prompts for an audit's findings, batched by severity. |
| check_plugin | Look up a plugin's security grade, risk level, and findings count from the directory. |
| list_usage | Check your current usage — audits used this month, tier, and limits. |
| flag_finding | Flag a finding as a false positive. The report goes to the WP HealthKit team for review; confirmed patterns result in a scanner rule update that prevents that pattern in all future audits. |
Tool reference
audit_plugin
Triggers a security audit for any plugin hosted on wp.org.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| slug | string | Yes | The wp.org plugin slug (e.g. "contact-form-7"). |
| engines | string[] | No | Audit engines to run. Defaults to all engines. |
Example
audit_plugin({ slug: "contact-form-7" })
// Returns: { auditId: "abc-123", status: "queued" }audit_plugin_zip
Triggers an audit from a local ZIP file. Useful for plugins not on wp.org or pre-release builds.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| path | string | Yes | Absolute path to the ZIP file on disk. |
| engines | string[] | No | Audit engines to run. Defaults to all engines. |
Example
audit_plugin_zip({ path: "/Users/me/plugins/my-plugin.zip" })
// Returns: { auditId: "def-456", status: "queued" }audit_plugins_bulk
Audits all plugin ZIP files in a local directory. Submissions are batched in groups of 10. Results stream as each audit completes, and a final summary table is printed with a risk breakdown and links to top findings.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| directory | string | Yes | Absolute path to the directory containing plugin ZIPs. |
| engines | string[] | No | Audit engines to run (e.g. ["performance"]). Defaults to all engines. |
| pattern | string | No | Glob pattern to match files. Defaults to "*.zip". |
Example
audit_plugins_bulk({ directory: "/Users/me/plugins", engines: [] })Output
Results stream to the conversation as each plugin completes. Once all audits finish, the tool prints a summary table:
Plugin Risk Findings Report
---------------------- -------- --------- ----------------------------------------
my-plugin.zip CRITICAL 14 https://wphealthkit.com/report/abc-123
another-plugin.zip LOW 2 https://wphealthkit.com/report/def-456
legacy-plugin.zip HIGH 7 https://wphealthkit.com/report/ghi-789
Summary: 3 plugins audited — 1 CRITICAL, 1 HIGH, 0 MEDIUM, 1 LOWget_report
Polls the status and full results of an audit. Call this after audit_plugin or audit_plugin_zip to wait for completion and retrieve the report.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| auditId | string | Yes | The audit ID returned by audit_plugin or audit_plugin_zip. |
Example
get_report({ auditId: "abc-123" })
// Returns: { status: "completed", grade: "C", riskLevel: "HIGH", findingsCount: 7, reportUrl: "..." }get_findings
Returns paginated findings for a completed audit. Supports filtering by severity and category.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| auditId | string | Yes | The audit ID. |
| severity | string | No | Filter by severity: "CRITICAL", "HIGH", "MEDIUM", or "LOW". |
| category | string | No | Filter by category (e.g. "xss", "csrf", "performance"). |
| page | number | No | Page number for pagination. Defaults to 1. |
Example
get_findings({ auditId: "abc-123", severity: "CRITICAL" })get_fix_prompt
Returns AI-ready fix prompts for an audit's findings, grouped and batched by severity. Pass the output directly to a coding assistant to generate patches.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| auditId | string | Yes | The audit ID. |
| severity | string | No | Limit prompts to a specific severity level. |
Example
get_fix_prompt({ auditId: "abc-123", severity: "HIGH" })check_plugin
Looks up a plugin's current security grade, risk level, and findings count from the WP HealthKit directory without triggering a new audit.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| slug | string | Yes | The wp.org plugin slug. |
Example
check_plugin({ slug: "woocommerce" })
// Returns: { grade: "B", riskLevel: "MEDIUM", findingsCount: 3, lastAudited: "2026-04-20" }list_usage
Returns your current billing period usage — audits consumed, tier, and remaining quota.
Parameters
None.
Example
list_usage()
// Returns: { auditsUsed: 47, auditsLimit: 100, tier: "pro", resetsAt: "2026-05-01" }flag_finding
Flags a finding as a false positive. The report is reviewed by the WP HealthKit team. If the pattern is confirmed as a false positive, the scanner rule is updated to prevent the same result from appearing in all future audits.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| auditId | string | Yes | UUID of the audit containing the finding. |
| findingId | string | Yes | ID of the finding to flag (e.g. "finding-12"). |
| findingTitle | string | Yes | Title of the finding as shown in the report. |
| reason | string | No | Explanation of why this is a false positive. |
Example
flag_finding({
auditId: "abc-123-def-456",
findingId: "finding-5",
findingTitle: "Named arguments used in internal function call",
reason: "These are positional args — the scanner is misidentifying the call signature"
})
// Returns: { flagged: true, reviewTicket: "FP-2891" }Usage flows
Audit a single plugin and get fix prompts
audit_plugin({ slug: "my-plugin" })
→ get_report({ auditId: "..." }) // poll until status === "completed"
→ get_findings({ auditId: "...", severity: "CRITICAL" })
→ get_fix_prompt({ auditId: "..." })Audit all plugins in a local directory
audit_plugins_bulk({ directory: "/Users/me/plugins" })
// streams per-plugin results as they complete
// prints final summary table with risk breakdownCheck a plugin before installing
check_plugin({ slug: "advanced-custom-fields" })
// returns grade, risk level, and findings count without consuming an audit creditFlag a false positive after reviewing findings
get_findings({ auditId: "...", severity: "HIGH" })
→ flag_finding({
auditId: "...",
findingId: "finding-12",
findingTitle: "Unescaped output in template",
reason: "Output is escaped upstream via wp_kses before reaching this call"
})Environment variables
| Variable | Default | Description |
|---|---|---|
| WPHK_API_KEY | — | Required. Your WP HealthKit API key. |
| WPHK_API_URL | https://wphealthkit.com/api/v1 | Override to point at a self-hosted or staging instance. |
License
MIT
