io.github.goklab/guardvibe

guardvibe

Security MCP for vibe coding. 313 rules, 26 tools for AI-generated code.

1 582/wk 0 tools GitHub npm

No known CVEs

No license

Actively maintained

Last commit 0d ago

Works with most clients

Transport: stdio, sse, http

0 tools

Grade F

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "io-github-goklab-guardvibe": {
      "args": [
        "-y",
        "guardvibe"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-goklab-guardvibe)](https://mcppedia.org/s/io-github-goklab-guardvibe)

Read me

What io.github.goklab/guardvibe does

The security MCP built for vibe coding. 335 security rules, 36 tools covering the entire AI-generated code journey — from first line to production deployment.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'guardvibe' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

58/100across 5 weighted dimensions

How we score →

0255075100

−42

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

Checked guardvibe against OSV.dev.

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is io.github.goklab/guardvibe safe to use?: io.github.goklab/guardvibe has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install io.github.goklab/guardvibe?: io.github.goklab/guardvibe supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with io.github.goklab/guardvibe?: io.github.goklab/guardvibe is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is io.github.goklab/guardvibe actively maintained?: io.github.goklab/guardvibe is actively maintained — last commit was 0 days ago. It has 1 GitHub stars.

Similar servers

Others in security

View all →

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

9.0k 3

io.github.jasonxkensei/xproof92

Proof primitive for AI agents on MultiversX. Anchor file hashes on-chain as verifiable proofs.

1 1

Nothumanallowed91

Security-first platform for AI agents. 38 specialized agents, 15 AI-powered extensions, zero-knowledge multi-agent orchestration. SENTINEL WAF, Ed25519 auth, 2.6M grounding facts.

97 5

MCP Security Weekly

Get CVE alerts and security updates for io.github.goklab/guardvibe and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Why GuardVibe

Most security tools are built for enterprise security teams. GuardVibe is built for you — the developer using AI to build and ship web apps fast.

422 security rules, 36 tools purpose-built for the stacks AI agents generate

Zero setup friction — npx guardvibe and you're scanning

No account required — runs 100% locally, no API keys, no cloud

Understands your stack — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use

CVE version intelligence — detects 60 known vulnerable package versions in package.json, refreshed every day from GHSA / OSV.dev / CISA KEV

AI agent & MCP security — detects MCP server vulnerabilities, tool-description prompt injection (OWASP MCP Top 10), model-controlled sandbox-disable flags, excessive AI permissions, indirect prompt injection

Auto-fix suggestions — fix_code tool returns concrete patches and structured edits the AI agent can apply mechanically. Coverage: hardcoded credentials → env-var migration; public-prefix LLM keys (NEXT_PUBLIC_/VITE_/EXPO_PUBLIC_/REACT_APP_) → prefix removal; CORS wildcards → env allowlist; dangerouslyAllowBrowser flags → drop; sandbox bypass flags (unsafe/noSandbox/allowEval) → drop; agent loops → add maxSteps; raw-HTML React props → <ReactMarkdown>; missing auth checks → insert auth guard; SQL injection → parameterized queries; missing rate limiters / CSRF / security headers → snippet templates.

Pre-commit hook — block insecure code before it reaches your repo

CI/CD ready — GitHub Actions workflow with SARIF upload to Security tab

Agent-friendly output — JSON format for AI agents, Markdown for humans, SARIF for CI/CD

Plugin system — extend with community or premium rule packs

New in v3.1.x

Daily threat-intel pipeline — rule set tracks GHSA / OSV.dev / CISA KEV every day. v3.1.23 alone added 22 new CVE / supply-chain / AI-runtime rules covering the Next.js May 2026 13-advisory cluster, Drizzle ORM SQL identifier injection (CVE-2026-39356), Clerk clerkFrontendApiProxy SSRF (CVE-2026-34076), tRPC experimental_nextAppDirCaller prototype pollution (CVE-2025-68130), MikroORM SQL injection, angular-expressions filter RCE, @tanstack/* Mini Shai-Hulud supply-chain attack, Kysely JSON-path traversal, @nyariv/sandboxjs sandbox escape, OpenClaude dangerouslyDisableSandbox model-controlled flag, Strapi content-type builder SQL injection, LangSmith untrusted prompt-manifest deserialization, and more

OWASP MCP Top 10 alignment — VG1068 flags MCP / AI tool definitions whose description, instructions, or systemPrompt fields carry prompt-injection markers (ignore previous instructions, you are now, jailbreak mode, system prompt:, override safety, …); pair with VG1063 which catches dangerouslyDisableSandbox: true in agent runtimes

Inline suppress — // guardvibe-ignore VG001 silences individual findings per-line

CLI-first approach — npx guardvibe audit, npx guardvibe scan, `npx gua

Frequently Asked Questions

Is io.github.goklab/guardvibe safe to use?

io.github.goklab/guardvibe has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install io.github.goklab/guardvibe?

io.github.goklab/guardvibe supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What AI clients work with io.github.goklab/guardvibe?

io.github.goklab/guardvibe is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.

Is io.github.goklab/guardvibe actively maintained?

io.github.goklab/guardvibe is actively maintained — last commit was 0 days ago. It has 1 GitHub stars.