Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"hound": {
"args": [
"-y",
"hound-mcp"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
The dependency bloodhound for AI coding agents.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'hound-mcp' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked hound-mcp against OSV.dev.
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in developer-tools
A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.
Copy/paste detector for programming source code, supports 223 formats. AI-ready with token-efficient reporter, skill and MCP server.
XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.
Manage Supabase projects — databases, auth, storage, and edge functions
MCP Security Weekly
Get CVE alerts and security updates for io.github.tiluckdave/hound and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
The dependency bloodhound for AI coding agents.
AI coding agents recommend and install packages without knowing if they're safe — and most security tools require accounts, API keys, or paid plans to tell you. Hound fixes that: it scans for vulnerabilities, checks licenses, audits dependency trees, and detects typosquatting across 7 ecosystems — zero config, zero API keys, zero cost.
Hound is the only security tool built specifically for AI coding agents — works across npm, PyPI, Go, Cargo, Maven, NuGet, and RubyGems, and plugs into Claude Code, Cursor, VS Code, and any MCP client out of the box.
It uses two fully free, unauthenticated public APIs: deps.dev (Google Open Source Insights) and OSV (Google Open Source Vulnerabilities).
claude mcp add hound -- npx -y hound-mcp
Add to your MCP config file:
{
"mcpServers": {
"hound": {
"command": "npx",
"args": ["-y", "hound-mcp"]
}
}
}
{
"mcp": {
"servers": {
"hound": {
"type": "stdio",
"command": "npx",
"args": ["-y", "hound-mcp"]
}
}
}
}
| Client | Config path |
|---|---|
| Claude Desktop (macOS) | ~/Library/Application Support/Claude/claude_desktop_config.json |
| Cursor | ~/.cursor/mcp.json |
| Windsurf | ~/.codeium/windsurf/mcp_config.json |
12 tools → Full reference with example outputs
| Tool | What it does |
|---|---|
hound_audit ⭐ | Scan an entire lockfile for vulnerabilities across all dependencies |
hound_score | 0–100 Hound Score (vulns + scorecard + recency + license) with letter grade |
hound_compare | Side-by-side comparison of two packages with a recommendation |
hound_preinstall | GO / CAUTION / NO-GO verdict before installing a package |
hound_upgrade | Find the minimum safe version upgrade that resolves all known vulns |
hound_license_check | Scan a lockfile for license compliance against a policy |
hound_vulns | All known vulnerabilities for a package version, grouped by severity |
hound_inspect | Full package profile — license, vulns, scorecard, stars, dep count |
hound_tree | Full resolved dependency tree with transitive deps |
hound_typosquat | Detect typosquatting variants of a package name |
hound_advisories | Full advisory details by GHSA, CVE, or OSV ID |
hound_popular | Scan popular packages for known vulnerabilities |
Supported ecosystems: npm · pypi · go · maven · cargo · nuget · rubygems
3 prompts yo