
Depscope

Package Intelligence for AI agents. 22 tools across 17 ecosystems (npm/pypi/cargo/go/maven/nuget/rubygems/composer/pub/hex/swift/cocoapods/cpan/hackage/cran/conda/homebrew) — check health, vulnerabilities (OSV + CISA KEV + EPSS), typosquats, malicious flags, alternatives, known …

Tags: security · go · swift · ai · agent
By cuttalo
Updated 1 month ago · License: NOASSERTION

Installation

npx depscope-mcp

Configuration

{
  "mcpServers": {
    "depscope": {
      "command": "npx",
      "args": ["-y", "depscope-mcp"]
    }
  }
}

How to use

  1. Run the installation command above (if needed)
  2. Open your Claude Code settings file (~/.claude/settings.json)
  3. Add the configuration to the mcpServers section
  4. Restart Claude Code to apply changes

DepScope

Package Intelligence for AI Agents. Stops AI coding agents (Claude, ChatGPT, Cursor, Windsurf, Copilot, Cline) from installing hallucinated, deprecated, or malicious packages across 19 ecosystems.

Live at depscope.dev · 8.4M+ packages · 42K+ vulnerabilities (99% EPSS-enriched) · zero auth · free


Quick start (MCP)

Claude Desktop / Cursor / Windsurf — remote

{
  "mcpServers": {
    "depscope": {
      "url": "https://mcp.depscope.dev/mcp"
    }
  }
}

Claude Code / local — stdio

{
  "mcpServers": {
    "depscope": {
      "command": "npx",
      "args": ["-y", "depscope-mcp"]
    }
  }
}

The MCP server source is at cuttalo/depscope-mcp (AGPL-3.0).


What it does

22 MCP tools across 19 package ecosystems:

npm · pypi · cargo · go · composer · maven · nuget · rubygems · pub · hex · swift · cocoapods · cpan · hackage · cran · conda · homebrew · jsr · julia

Tool                   Purpose
check_package          Full safety check: deprecation · vulnerabilities · health · recommendation
check_malicious        Malicious-package detector
check_typosquat        Typosquat detection vs popular names
package_exists         Hallucination detector (404 = LLM invented it)
get_health_score       0–100 health score with breakdown
get_vulnerabilities    Vulnerabilities + severity scoring
find_alternatives      Suggested alternatives for deprecated/abandoned packages
get_breaking_changes   Major-version migration notes
get_known_bugs         Known issues for a package
compare_packages       Side-by-side comparison
check_compatibility    Stack-level compatibility check
resolve_error          Error message → likely cause + fix
install_command        Verified install command for the target ecosystem
get_latest_version     Latest stable version + maturity signal
pin_safe               Suggested safe version pin
get_trust_signals      Multi-signal trust score
get_migration_path     Step-by-step upgrade plan
scan_project           Bulk scan of dependency manifests
check_bulk             Fast pre-flight filter for batches
get_trending           Trending packages by ecosystem
get_package_prompt     Compact LLM-friendly summary
contact_depscope       Report a missing package or false positive

REST API

Same data, plain HTTPS — no MCP client needed.

curl https://depscope.dev/api/check/npm/lodash
curl https://depscope.dev/api/check/pypi/requests
curl https://depscope.dev/api/check/cargo/serde

Full reference: depscope.dev/integrate


Why

LLMs frequently invent package names that look real but don't exist (fastapi-turbo, lodahs, tokio-stream-extras). When an agent tries to install one, it can hit an attacker's typosquat. DepScope verifies every package before install.

Read more: depscope.dev/why
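
As an added example (not DepScope's own code), the "verify before install" gate described above, implemented on the REST check endpoint with a fail-closed policy: it builds the check URL from the README's pattern, treats a 404 as a hallucinated name (as the package_exists tool does), and blocks the install whenever the check cannot be completed. The JSON field names malicious, deprecated, alternatives and health_score are hypothetical; adapt them to the schema documented at depscope.dev/integrate.

```python
"""Agent-side pre-install gate on the DepScope REST check endpoint.

Added example, not DepScope's own code. The URL pattern comes from the
README; the JSON field names read below are hypothetical."""
import json
import urllib.error
import urllib.parse
import urllib.request

CHECK_URL = "https://depscope.dev/api/check/{eco}/{name}"
ECOSYSTEMS = frozenset(
    "npm pypi cargo go composer maven nuget rubygems pub hex swift "
    "cocoapods cpan hackage cran conda homebrew jsr julia".split())


def check_url(eco: str, name: str) -> str:
    """Build the check URL; reject unknown ecosystems before any network call."""
    if eco not in ECOSYSTEMS:
        raise ValueError(f"unsupported ecosystem: {eco}")
    return CHECK_URL.format(eco=eco, name=urllib.parse.quote(name, safe="@"))


def http_get(url: str) -> tuple[int, str]:
    """Plain GET returning (status, body); 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def gate(eco: str, name: str, fetch=http_get) -> tuple[bool, str]:
    """Return (allowed, reason). Fails closed: any doubt blocks the install."""
    try:
        status, body = fetch(check_url(eco, name))
    except (ValueError, OSError) as err:      # bad input or network unavailable
        return False, f"check unavailable: {err}"
    if status == 404:                         # README: 404 = LLM invented it
        return False, "package not found (possible hallucination)"
    if status != 200:
        return False, f"unexpected status {status}"
    try:
        info = json.loads(body)
    except json.JSONDecodeError:
        return False, "unparseable response"
    # Hypothetical field names; replace with the documented schema.
    if info.get("malicious"):
        return False, "flagged malicious"
    if info.get("deprecated"):
        alt = info.get("alternatives") or []
        return False, "deprecated" + (f", consider {alt[0]}" if alt else "")
    return True, f"ok (health {info.get('health_score', '?')})"
```

Wire `gate` in front of the agent's install step so that only an explicit (True, reason) result lets `npm install`, `pip install` or `cargo add` run.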


Pricing

Free. No auth required. Generous rate limits.

If you need higher quotas, SLA, or on-prem deployment, contact us at depscope@cuttalo.com.


Open source vs proprietary

This repository is a landing page with documentation only.

This split lets us keep the client free, auditable, and community-extensible while sustaining the infrastructure that powers it.


License

This README and accompanying landing files: CC-BY-4.0. MCP client SDK: AGPL-3.0 (see cuttalo/depscope-mcp). Backend service: proprietary.


Built by Cuttalo srl · Italy 🇮🇹
