Hound MCP Server

1

Add it to Claude Code

Run this in a terminal.

Run in terminal
claude mcp add hound-mcp -- npx -y hound-mcp
README.md

The dependency bloodhound for AI coding agents.

Hound MCP

The dependency bloodhound for AI coding agents.

Hound MCP Deployment Diagram

Why Hound?

AI coding agents recommend and install packages without knowing if they're safe — and most security tools require accounts, API keys, or paid plans to tell you. Hound fixes that: it scans for vulnerabilities, checks licenses, audits dependency trees, and detects typosquatting across 7 ecosystems — zero config, zero API keys, zero cost.

Hound is the only security tool built specifically for AI coding agents — works across npm, PyPI, Go, Cargo, Maven, NuGet, and RubyGems, and plugs into Claude Code, Cursor, VS Code, and any MCP client out of the box.

It uses two fully free, unauthenticated public APIs: deps.dev (Google Open Source Insights) and OSV (Google Open Source Vulnerabilities).

Quickstart

Claude Code

claude mcp add hound -- npx -y hound-mcp

Claude Desktop / Cursor / Windsurf

Add to your MCP config file:

{
  "mcpServers": {
    "hound": {
      "command": "npx",
      "args": ["-y", "hound-mcp"]
    }
  }
}

VS Code (Copilot)

{
  "mcp": {
    "servers": {
      "hound": {
        "type": "stdio",
        "command": "npx",
        "args": ["-y", "hound-mcp"]
      }
    }
  }
}
Config file locations
Client Config path
Claude Desktop (macOS) ~/Library/Application Support/Claude/claude_desktop_config.json
Cursor ~/.cursor/mcp.json
Windsurf ~/.codeium/windsurf/mcp_config.json

Tools

12 tools → Full reference with example outputs

Tool What it does
hound_audit Scan an entire lockfile for vulnerabilities across all dependencies
hound_score 0–100 Hound Score (vulns + scorecard + recency + license) with letter grade
hound_compare Side-by-side comparison of two packages with a recommendation
hound_preinstall GO / CAUTION / NO-GO verdict before installing a package
hound_upgrade Find the minimum safe version upgrade that resolves all known vulns
hound_license_check Scan a lockfile for license compliance against a policy
hound_vulns All known vulnerabilities for a package version, grouped by severity
hound_inspect Full package profile — license, vulns, scorecard, stars, dep count
hound_tree Full resolved dependency tree with transitive deps
hound_typosquat Detect typosquatting variants of a package name
hound_advisories Full advisory details by GHSA, CVE, or OSV ID
hound_popular Scan popular packages for known vulnerabilities

Supported ecosystems: npm · pypi · go · maven · cargo · nuget · rubygems

Built-in Prompts

3 prompts you can invoke directly from your AI client. → Full prompt reference

Prompt What it does
security_audit Full project security audit — vulns, licenses, typosquats
package_evaluation Go/no-go recommendation before adding a new dependency
pre_release_check Pre-ship dependency scan that flags release blockers

Use Cases

See full examples with real lockfiles and expected output

  • Before merging a PR — scan the lockfile diff to catch newly introduced vulnerabilities before they land in main
  • Auditing an inherited codebase — run hound_audit on an existing lockfile to get a full report in seconds
  • Checking a package before adding it — use hound_preinstall to get a GO / CAUTION / NO-GO verdict
  • License compliance — run hound_license_check to ensure no GPL or AGPL packages sneak into a commercial project
  • CI security gate — ask your AI agent to run a security audit as part of every release check

Local Development

git clone https://github.com/tiluckdave/hound-mcp.git
cd hound-mcp
pnpm install
pnpm build
pnpm test         # run tests
pnpm check        # typecheck + lint + test

Roadmap

  • Docker support — run Hound as a container for CI/CD pipelines
  • bun.lockb parser — Bun lockfile support
  • gradle.lockfile parser — Gradle (Java/Android) ecosystem support
  • hound_diff tool — compare two lockfile snapshots to surface newly introduced risks
  • GitHub Action — run hound_audit as a PR check without an AI agent

Contributing

Contributions are welcome. Rea

Tools (12)

hound_auditScan an entire lockfile for vulnerabilities across all dependencies
hound_score0–100 Hound Score (vulns + scorecard + recency + license) with letter grade
hound_compareSide-by-side comparison of two packages with a recommendation
hound_preinstallGO / CAUTION / NO-GO verdict before installing a package
hound_upgradeFind the minimum safe version upgrade that resolves all known vulns
hound_license_checkScan a lockfile for license compliance against a policy
hound_vulnsAll known vulnerabilities for a package version, grouped by severity
hound_inspectFull package profile — license, vulns, scorecard, stars, dep count
hound_treeFull resolved dependency tree with transitive deps
hound_typosquatDetect typosquatting variants of a package name
hound_advisoriesFull advisory details by GHSA, CVE, or OSV ID
hound_popularScan popular packages for known vulnerabilities

Configuration

claude_desktop_config.json
{"mcpServers": {"hound": {"command": "npx", "args": ["-y", "hound-mcp"]}}}

Try it

Run a full security audit on my current project lockfile.
Check if the package 'lodash' is safe to install and if there are any typosquatting risks.
Compare the security score of 'express' versus 'fastify' for my new backend project.
Find the minimum safe version upgrade for my dependencies to resolve known vulnerabilities.
Scan my project dependencies to ensure no GPL or AGPL licenses are present.

Frequently Asked Questions

What are the key features of Hound MCP?

Scans for vulnerabilities, licenses, and dependency trees. Detects typosquatting variants of package names. Supports 7 ecosystems: npm, PyPI, Go, Cargo, Maven, NuGet, and RubyGems. Provides a 0-100 security score for packages. Zero API keys, zero configuration, and zero cost.

What can I use Hound MCP for?

Scanning lockfile diffs before merging a PR to catch new vulnerabilities. Auditing an inherited codebase to generate a security report. Evaluating a new package for safety before adding it to a project. Ensuring license compliance for commercial projects. Running automated security audits as part of a CI release check.

How do I install Hound MCP?

Install Hound MCP by running: claude mcp add hound -- npx -y hound-mcp

What MCP clients work with Hound MCP?

Hound MCP works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.

Turn this server into reusable context

Keep Hound MCP docs, env vars, and workflow notes in Conare so your agent carries them across sessions.

Need the old visual installer? Open Conare IDE.
Open Conare
View all ai-tools servers →

Related MCP Servers

Skill Seekers
The data layer for AI systems.
ai-tools11.1K stars
Context Mode
The other half of the context problem.
ai-tools5.6K stars
Semiotic
A React data visualization library designed for AI-assisted development.
ai-tools2.6K stars
RocketRide
Self-hosted, open-source AI pipeline platform for MCP tools
ai-tools1.6K stars
Context+
Semantic Intelligence for Large-Scale Engineering.
ai-tools1.5K stars
ShipSwift
AI-native SwiftUI component library — production-ready code for LLMs
ai-tools1.3K stars