Config is the same across clients — only the file and path differ.
```json
{
  "mcpServers": {
    "taskbounty-check": {
      "args": ["-y", "taskbounty-check@latest", "mcp"],
      "command": "npx"
    }
  }
}
```
Run this in your terminal to verify the server starts:
```sh
npx -y 'taskbounty-check' 2>&1 | head -1 && echo "✓ Server started successfully"
```
No known CVEs: taskbounty-check was checked against OSV.dev.
A local check for GitHub Actions and CI maintenance hygiene (third-party action pinning, workflow token permissions, and update automation), built for apps shipped with Lovable, Bolt, Replit, Cursor, or v0.
Local by default. No uploads. No telemetry. It reads only your workflow files, on your machine.
The default code path makes no outbound network requests, writes its report locally, and sends nothing anywhere. There is no analytics or phone-home of any kind. Only the opt-in --gh-org mode uses the network (through your own gh session).
Works with Cursor, Claude Code, and Codex (local MCP server, below).
1. GitHub Action — add a maintenance check to CI that writes a summary to the run (no PR comments, no source upload):
```yaml
permissions:
  contents: read
steps:
  - uses: actions/checkout@v4
  - run: npx taskbounty-check@0.1.6 . --github-summary --no-network
```
Want a human to interpret or fix what the Action surfaces? Request a free launch-safety review. TaskBounty gets no access to your repo, source, or workflows unless you submit that form.
2. Agent / MCP — a local stdio server for Cursor, Claude Code, and Codex:
```sh
npx -y taskbounty-check@0.1.6 mcp
```
3. One-off CLI — scan the current repo locally and write a report:
```sh
npx -y taskbounty-check@0.1.6 .
```
Pin a version (`@0.1.6`) in committed config and CI for reproducibility. `@latest` is convenient for a quick one-off, but a pinned version is the reproducible choice.
The Action writes a counts-only maintenance summary to the workflow run (categories and next steps, no filenames, line numbers, or repo source). Below is that exact summary, rendered from this repo's own CI output:

See it produced live by the self-check job in this repository's Actions runs.
Prefer a guided walkthrough? Follow the five-minute real-repository quickstart.
Checks (GitHub Actions + CI maintenance hygiene):
- workflow token permissions (`permissions:` block)
- `pull_request_target`, script injection

Does NOT check (these need a manual review): exposed secrets, auth/authorization, payments, webhooks, runtime behavior. It is a maintenance/hygiene check, not a full security audit or a penetration test.
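As an added illustration (not the project's own code), here is a minimal line-based checker in Python for the hygiene classes above: action refs not pinned to a full commit SHA, a missing `permissions:` block, a `pull_request_target` trigger, and untrusted event fields interpolated into `run:` steps, reduced to a counts-only summary like the Action writes. The sample workflow and its 40-hex SHA are constructed.

```python
import re
from collections import Counter

# Constructed sample workflow (not from the project) mixing good and bad patterns.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action@main
      - run: echo "${{ github.event.pull_request.title }}"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Event payload fields a contributor controls; interpolating them into a shell step is the classic injection pattern.
UNTRUSTED_RE = re.compile(r"\$\{\{\s*github\.event\.(issue|pull_request|comment|review|head_commit)\.")

def check_workflow(text):
    """Return (category, detail) findings for one workflow file (line-based heuristic, no YAML parser)."""
    findings = []
    has_permissions = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("permissions:"):
            has_permissions = True
        if stripped.startswith("pull_request_target"):
            findings.append(("pull_request_target", stripped.rstrip(":")))
        if UNTRUSTED_RE.search(line):
            findings.append(("script-injection", stripped))
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue  # local or container actions are not third-party refs
            _, _, version = ref.partition("@")
            if not SHA_RE.match(version):  # tags and branches are mutable; only a full SHA is pinned
                findings.append(("action-not-sha-pinned", ref))
    if not has_permissions:
        findings.append(("missing-permissions", "no permissions: block"))
    return findings

def summarize(findings):
    """Counts-only summary: categories and counts, no file contents or line numbers."""
    return dict(Counter(category for category, _ in findings))
```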
| Mode | Command | Network |
|---|---|---|
| Single repo | npx taskbounty-check . | none |
| Directory of repos | npx taskbounty-check ./all-repos | none |
| Explicit paths | npx taskbounty-check --manifest repos.json | none |
| GitHub org (your gh session) | npx taskbounty-check --gh-org <org> | yes, opt-in |
--gh-org uses your existing gh CLI session to fetch each repo's wor