npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

ctscout-mcp-server

v0.2.5

Published

MCP server for ctscout.dev — domain attribution via Certificate Transparency + multi-signal Pro enrichment

Readme

ctscout-mcp-server

MCP server for ctscout.devnamed-entity attribution from Certificate Transparency logs (OV/EV only), with optional multi-signal corroboration on Pro. For mapping legal-entity digital footprints, sibling-domain discovery, and SAN-cohort analysis from LLM-driven workflows.

DV-only infrastructure (Let's Encrypt, ZeroSSL, cloud-native shops) is invisible to ctscout by design. See LIMITATIONS.md for what that means in practice.

Two tools:

  • ctscout_search_company — find apex domains attributed to an organization by name
  • ctscout_lookup_domain — reverse-lookup the organization attributed to one or more domains

Both work over the public ctscout.dev /scan API. Free tier requires an API key (no email, no signup). Pro tier returns a confidence_band per attribution plus the underlying signal evidence (DNS brand tokens, og:site_name match, RDAP, IP/ASN, VLM verdict).

Not a cyber-risk-scoring tool. See LIMITATIONS.md for what ctscout is and isn't, the DV-cert coverage gap, and the corrections path.

What's new in 0.2.2

  • Hosted MCP endpoint at https://ctscout.dev/mcp (Streamable HTTP) and https://ctscout.dev/sse (legacy SSE) — same two tools, zero local install. Auth via X-API-Key header (or Authorization: Bearer …).
  • README restructured to lead with the hosted path; the local-npm install is now a fallback for restricted networks.

What's new in 0.2.0

  • Pro-tier response surfacing: confidence_band, evidence, matched_via, signal_health, vlm_status, vlm_override rendered in the markdown table when present.
  • VLM-veto indicator (🚫VLM-veto) when a visual verdict overrode positive-signal accumulation.
  • Backward-compatible: Free-tier responses render exactly as in v0.1.0; the new fields are additive.
  • Tool descriptions updated: "attributed to" rather than "owns" (lawful, defensible language for attribution claims).
  • Test suite added (Vitest). 20 tests covering both response shapes, truncation, error paths.

Install

For Claude Code, Claude Desktop, Cursor, or any other MCP client. Two ways to connect: hosted (recommended, no install) or local npm (this package).

1. Get a free API key

Visit ctscout.dev and click "Get a free API key". Solve the Turnstile captcha. Copy the key (you can't recover it later — save it now).

2a. Hosted endpoint (recommended — zero install)

The same tools are hosted at https://ctscout.dev/mcp. Nothing to install — just point your MCP client at the URL with your API key as the X-API-Key header.

Claude Code (CLI):

claude mcp add ctscout \
  -s user \
  --transport http \
  --header "X-API-Key: YOUR_KEY_HERE" \
  https://ctscout.dev/mcp

This writes to ~/.claude.json.

Claude Desktop / Cursor / Cline / any HTTP-transport MCP client — edit the client config:

{
  "mcpServers": {
    "ctscout": {
      "type": "http",
      "url": "https://ctscout.dev/mcp",
      "headers": { "X-API-Key": "YOUR_KEY_HERE" }
    }
  }
}

Config file locations:

  • Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json (Mac), %APPDATA%\Claude\claude_desktop_config.json (Windows). HTTP-transport MCP support requires a recent Desktop build; if your client doesn't recognize "type": "http", use the local npm fallback below.
  • Cursor: ~/.cursor/mcp.json. If Cursor's HTTP transport doesn't connect, swap the url to https://ctscout.dev/sse — the same tools are served over the legacy SSE transport.

After adding, fully quit and restart your MCP client (not just close the window). The tools will appear under "ctscout".

2b. Local npm (fallback — if you can't use the hosted endpoint)

If you're behind a network policy that blocks ctscout.dev, prefer running the published Node binary locally:

claude mcp add ctscout \
  -s user \
  -e CTSCOUT_API_KEY=YOUR_KEY_HERE \
  -- npx -y ctscout-mcp-server

Or in JSON config:

{
  "mcpServers": {
    "ctscout": {
      "command": "npx",
      "args": ["-y", "ctscout-mcp-server"],
      "env": { "CTSCOUT_API_KEY": "YOUR_KEY_HERE" }
    }
  }
}

The two paths talk to the same /scan API on the backend — feature-parity is automatic. The hosted endpoint just skips the Node install.

3. Use it

In Claude Code or Claude Desktop, just ask the model:

"Find all domains attributed to Cloudflare"

"Who is gs.com attributed to? What about goldmansachs.com — same parent?"

"Given an OV/EV-cert domain, pivot from its cert subject and surface sibling apex domains attributed to the same legal entity."

"List the domains attributed to The Hartford."

The model will pick the right ctscout tool, call it, and summarize.


Free tier vs Pro tier

| | Free | Pro | |---|---|---| | Queries per day | 10 | unlimited | | Results per query | top 5 | full set | | Data freshness | weekly snapshot | live (DNS, RDAP, homepage, IP/ASN, VLM) | | Per-attribution evidence | — | confidence_band + named signals | | Price | $0 | concierge — email for early access |

The MCP server uses the same API key for both — your tier is determined by the key. If you hit the daily quota, the tool returns a 429 error with an upgrade hint.

Pro is currently concierge-only (manual key mint + invoice) while usage data justifies whether automated commerce is worth building. Email [email protected] if you want a Pro key.

What the Pro response looks like

Free tier returns the legacy (domain, organization, certs, subdomains) table. Pro tier replaces it with a richer attribution table you can defend in a meeting:

| Domain          | Attributed to  | Band         | Signals                                         | Evidence                                                  |
|---|---|---|---|---|
| coalition.com   | Coalition Inc  | ✅ verified  | dns_txt_brand_token, og_site_name_match, +1     | verified via google-site-verification, atlassian-domain... |
| imposter.com    | Coalition Inc  | ⚪ insufficient 🚫VLM-veto | dns_txt_brand_token, vlm_verdict_no | Logo on screenshot is a different brand                   |

Bands map to confidence intervals (verified ≥ multiple strong independent signals, down to insufficient = no signals or signals disagree). The 🚫VLM-veto tag appears when visual brand verification overrode the positive-signal accumulation. Full structured payload is available via response_format: "json".


What this is, and isn't

ctscout is a digital entity resolution tool — it maps apex domains to organizations attributed in their Certificate Transparency records, optionally corroborated by DNS / RDAP / IP/ASN / favicon / visual brand verification on the Pro tier.

It is NOT a cyber-risk quantification platform. It does not score security posture, predict breaches, or produce risk ratings. See LIMITATIONS.md for the full disclaimer, coverage gaps, and corrections path.

Coverage at a glance

ctscout's warehouse is built from OV/EV certificates only — the ones where the issuing CA validated the org's legal identity. DV-only infrastructure (Let's Encrypt, ZeroSSL, ACME-defaulting cloud hosts) is invisible to the warehouse.

The warehouse is strongest on: established US/EU enterprise, government, financial services, traditional infrastructure, defense, education.

The warehouse is weak on: modern cloud-native shops (most domains entirely behind Cloudflare/Vercel/Netlify), pre-launch / stealth-mode startups, anything that defaults to DV certs.

When ctscout_lookup_domain returns 0 results, the apex isn't in the warehouse — not necessarily that nobody owns it. See LIMITATIONS.md for the full coverage discussion and ~5,976-org / 329K-pair scale stats.


Local development

git clone https://github.com/minghsuy/ctscout-mcp.git
cd ctscout-mcp
npm install
npm run build

# Run the test suite (Vitest, no network)
npm test

# Run the server (will fail without CTSCOUT_API_KEY)
node dist/index.js

# With a real key
CTSCOUT_API_KEY=your_key node dist/index.js

# Inspect with the official MCP inspector (browser UI)
npm run inspect

Test the protocol handshake without a real key

echo '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"0.1"}},"id":1}' | \
  CTSCOUT_API_KEY=fake node dist/index.js

Should respond with the server's capabilities + tool registration. (Tool calls themselves require a real key.)


How it relates to ctscout.dev

This MCP server is a thin client over the public ctscout.dev /scan API. It does no auth-handling magic, no caching, no extra logic — just translates MCP tool calls into HTTP requests and formats the response for an LLM consumer.

If you're building your own integration in Python or another language, you can hit the same /scan endpoint directly. See ctscout.dev for curl examples.


License

MIT. See LICENSE.

The underlying ctscout service uses domain-scout (also MIT) for cert log analysis.