CVE and supply chain checks for MCP clients. Covers infrastructure, PyPI, and npm packages.
MCPpedia last refreshed this data
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"io-github-attestd-io-attestd-mcp": {
"command": "<see-readme>",
"args": []
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Attestd checks whether a dependency version has exploitable CVEs or a confirmed supply-chain compromise. One API call returns a structured risk response.
No automated test available for this server. Check the GitHub README for setup instructions.
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
No package registry to scan.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in devops
MCP server for using the GitLab API
Governed MCP workflows with policy validation, findings tracking, and review gates.
A Unified MCP Server Management App (MCP Manager).
MCP Server for kubernetes management commands
MCP Security Weekly
Get CVE alerts and security updates for io.github.attestd-io/attestd-mcp and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
Attestd checks whether a dependency version has exploitable CVEs or a confirmed supply-chain compromise. One API call returns a structured risk response.
Official Model Context Protocol (MCP) server for Attestd. Exposes CVE risk and supply-chain checks as tools for Claude Code, Claude Desktop, and any MCP-compatible client.
Get a free API key · Full docs
npx -y @attestd/mcp with no global install.check_package_vulnerability: wraps GET /v1/check using @attestd/sdk.check_batch_vulnerabilities: checks up to 100 packages in one call. Use for lockfile and manifest audits.list_covered_products: returns Attestd-covered products. With an API key, returns live data from GET /v1/products. Without a key, returns the static bundled infrastructure list.get_cve_details: returns CVSS, EPSS, KEV status, and affected products for a single CVE id.check_package_vulnerability, check_batch_vulnerabilities, get_cve_details, and live list_covered_products.Add to ~/.claude/mcp.json or project .mcp.json:
{
"mcpServers": {
"attestd": {
"command": "npx",
"args": ["-y", "@attestd/mcp"],
"env": {
"ATTESTD_API_KEY": "your-api-key-here"
}
}
}
}
Optional: override the API base URL (e.g. dev):
"env": {
"ATTESTD_API_KEY": "your-api-key-here",
"ATTESTD_BASE_URL": "https://dev.api.attestd.io"
}
check_package_vulnerability| Argument | Type | Description |
|---|---|---|
product | string | Product slug (nginx, postgresql, litellm, …) |
version | string | Exact version (1.20.0) |
Returns JSON with:
| Field | Meaning |
|---|---|
outsideCoverage | true if the product is not covered. Unknown risk, not safe. |
riskState | critical | high | elevated | low | none | null when outside coverage |
activelyExploited | CISA KEV signal |
remoteExploitable | true if any matching CVE is remotely exploitable |
authenticationRequired | true only when all matching CVEs require authentication |
patchAvailable / fixedVersion | Patch guidance |
confidence | Synthesis confidence 0.0–1.0 |
cveIds | CVE IDs contributing to the risk assessment |
typosquat | Package name integrity: typosquat or AI-hallucinated name (kind, resembles, likely_intended) |
message | Explanation when outsideCoverage is true |
supplyChainCompromised / supplyChainDescription | PyPI/npm supply-chain signal |
On invalid/missing API key or rate limit, returns isError: true with a JSON error string.
check_batch_vulnerabilities| Argument | Type | Description |
|---|---|---|
items | array | Array of { product, version } objects. Maximum 100 per call. Each item costs one API call. |
Quota is checked upfront. If the batch would exceed your monthly quota, a 429 is returned before any calls are billed.
Returns JSON with count and results. Supported items include the same fields as check_package_vulnerability minus typosquat. Outside-coverage items return only product, version, outsideCoverage: true, and riskState: null.
list_covered_productsNo arguments. With an API key, returns live JSON from GET /v1/products:
| Field | Meaning |
|---|