README.md
VibeCheck MCP Server
AI-powered security audit tool for codebases. Analyzes code for vulnerabilities using real-time data from MITRE CWE and npm audit.
Features
- AI-Powered Analysis: Uses MCP sampling to analyze code with Claude
- Real-Time CWE Data: Fetches vulnerability definitions from MITRE's CWE API
- Dependency Scanning: Uses npm audit for package vulnerability checks
- Zero Configuration: No API keys required to get started
Installation
Claude Code (Recommended)
/plugin marketplace add philiphess1/vibecheck-mcp
/plugin install vibecheck@vibecheck
Manual Installation
Add to your Claude Desktop config (~/.claude/claude_desktop_config.json):
{
"mcpServers": {
"vibecheck": {
"command": "npx",
"args": ["-y", "vibecheck-audit-mcp"]
}
}
}
From Source
git clone https://github.com/philiphess1/vibecheck-mcp.git
cd vibecheck-mcp
npm install && npm run build
Tools
scan_codebase
Full AI-powered security audit with real-time vulnerability data.
Analyzes:
- Authentication and authorization issues
- API security vulnerabilities
- Database security rules
- Exposed secrets and environment variables
- Dependency vulnerabilities (via npm audit)
- Data flow and injection vulnerabilities
Input:
{
"path": "/path/to/codebase",
"categories": ["auth", "api", "secrets-env"],
"severityThreshold": "medium"
}
Or provide files directly:
{
"files": [
{ "path": "src/auth.ts", "content": "..." }
]
}
Categories:
auth- Authentication, sessions, middlewareapi- API routes, endpointsdatabase-rules- Firebase/Supabase rules, Prisma schemassecrets-env- Environment variables, config filesdependencies- package.json vulnerabilitiesdata-flow- User input handling, injection points
check_dependencies
Quick dependency-only scan using npm audit.
Input:
{
"path": "/path/to/project",
"includeDevDependencies": false
}
Requirements:
- npm installed
package-lock.jsonin the project
Data Sources
| Source | Purpose | Auth Required |
|---|---|---|
| MITRE CWE API | Vulnerability definitions | No |
| npm audit | Package CVEs | No |
| OWASP | Security categories | No (bundled) |
Development
# Build
npm run build
# Watch mode
npm run dev
# Run directly
npm start
How It Works
- File Reading: Reads files from the specified path or accepts file contents directly
- Hotspot Collection: Categorizes files by security relevance (auth, api, secrets, etc.)
- Dependency Audit: Runs
npm auditif package-lock.json exists - AI Analysis: Uses MCP sampling to analyze each category with expert prompts
- CWE Enrichment: Fetches relevant CWE definitions from MITRE API
- Results: Returns structured findings with severity, CWE/OWASP refs, and remediation steps
Output Format
{
"findings": [
{
"id": "uuid",
"type": "hardcoded-secret",
"severity": "critical",
"title": "Hardcoded API Key",
"description": "...",
"filePath": "src/config.ts",
"lineNumber": 42,
"codeSnippet": "const API_KEY = 'sk-...'",
"aiReasoning": "...",
"confidence": 95,
"cwes": [{ "id": "CWE-798", "name": "..." }],
"owasp": [{ "id": "A02:2021", "name": "..." }],
"remediation": {
"summary": "Use environment variables",
"steps": ["..."]
}
}
],
"dependencyVulnerabilities": [...],
"summary": {
"totalFindings": 5,
"critical": 1,
"high": 2,
"medium": 2,
"low": 0,
"vulnerableDependencies": 3
},
"scanDuration": 12500
}
License
MIT
Tools 2
scan_codebaseFull AI-powered security audit with real-time vulnerability data.check_dependenciesQuick dependency-only scan using npm audit.Try it
→Scan my current project codebase for authentication and API security vulnerabilities.
→Run a dependency audit on my project to check for known vulnerabilities in package-lock.json.
→Perform a security audit on the src/auth.ts file and suggest remediation steps.
→Check my codebase for any hardcoded secrets or environment variables that might be exposed.