Config is the same across clients — only the file and path differ.
```json
{
  "mcpServers": {
    "io-github-hookwarden-mcp": {
      "args": [
        "-y",
        "hookwarden"
      ],
      "command": "npx"
    }
  }
}
```
Local. Deterministic. Zero-network. JS/TS + Python + PHP + Go. Five minutes from npx to fix.
Run this in your terminal to verify the server starts.

```sh
npx -y 'hookwarden' 2>&1 | head -1 && echo "✓ Server started successfully"
```
No known CVEs.
Checked hookwarden against OSV.dev.
The only scanner laser-focused on webhook signature verification.
```sh
npx hookwarden scan ./your-app
```
No traffic leaves your machine. No telemetry. No SaaS sign-up required.
📖 Full documentation: docs.hookwarden.dev
Every Sunday at 22:00 UTC, this repo's CI runs hookwarden against 45 popular open-source projects — currently cal.com, documenso, formbricks, twenty, plane, unkey, typebot, papermark (full target list, combined ★190k+) — to prove the scanner works on real production code.
Latest sweep — 2026-06-09 · 20/45 projects clean (zero critical/high)
| Provider | 🚨 critical | ⚠️ high | 🟡 manual-review | Rules that fired |
|---|---|---|---|---|
| n8n integrations | 81 | 0 | 0 | n8n/missing-signature-verification (×78), n8n/raw-body-misuse (×3) |
| Slack integrations | 7 | 1 | 0 | slack/missing-signature-verification (×7), slack/verify-after-side-effect (×1) |
| Standard Webhooks integrations | 7 | 0 | 0 | standardwebhooks/missing-signature-verification (×3), standardwebhooks/raw-body-misuse (×4) |
| Stripe integrations | 6 | 0 | 0 | stripe/hardcoded-secret-prefix (×2), stripe/missing-signature-verification (×4) |
| GitHub integrations | 0 | 0 | 0 | — |
| Shopify integrations | 0 | 0 | 0 | — |
| Square integrations | 0 | 0 | 0 | — |
| Twilio integrations | 0 | 0 | 0 | — |
_These are bugs in the webhook handlers that receive provider events — flaws in the integrating pr