MCP server
Connect any MCP-aware agent to vu1nz.
Streamable HTTP MCP, protocol revision 2025-06-18. Stateless, wide-open CORS, no authentication. One endpoint, seven tools, two prompts. Read-only.
Endpoint
One URL. Stateless. No auth.
https://vu1nz.com/api/mcp
Server card at /.well-known/mcp/server-card.json — auto-discoverable per the MCP agent-readiness pattern.
Tools
Seven tools. CWE-mapped. Same engine as the website.
- scan_repo(repo): 1 required arg. Run vu1nz's 6 deterministic CI/CD security checks against any public GitHub repository's workflow files. Returns findings with severity, file, line, CWE, and recommendation.
- threat_feed(limit?): Recent malicious packages caught in the wild across npm, pip, cargo, rubygems. Sourced from OSV.dev with a curated fallback list (Shai-Hulud, Polyfill.io, ctx, ua-parser-js, etc.).
- list_checks(): The catalog of CI/CD security checks vu1nz runs, each mapped to a CWE. Use to explain to a user what vu1nz would catch on their PRs.
- list_advisories(): vu1nz-published security advisories with date, severity, and summary.
- list_blog_posts(): All vu1nz blog posts: supply-chain analysis, release notes, security research. Returns slug, title, date, tags, summary, and URL.
- get_blog_post(slug): 1 required arg. Full content of a vu1nz blog post by slug.
- check_license(github_org, license_key?): 1 required arg. Look up the vu1nz subscription status for a GitHub org. Bootstraps a 14-day free trial on first call. Returns ok, status (trialing/active/past_due/cancelled/exempt), days remaining, license_key, and upgrade URL.
Prompts
Pre-baked instructions for common audits.
- audit_repo(repo): Run vu1nz's CI/CD security scan on a GitHub repository and write up the findings with severity, location, and prioritised remediation.
- what_dependabot_misses(): Explain the gaps in Dependabot's coverage using vu1nz's catalog of recent supply-chain attacks. Useful as a pre-sales answer.
Claude Desktop
Connect Claude Desktop.
Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows) and add:
{
  "mcpServers": {
    "vu1nz": {
      "transport": "http",
      "url": "https://vu1nz.com/api/mcp"
    }
  }
}
Restart Claude Desktop. The vu1nz tools appear under the connector menu. No client SDK to install. No token to manage.
Other clients
Any MCP-aware client. One URL.
Cursor, Continue, the official MCP Inspector, or your own MCP client — all you need is the URL above. Streamable HTTP transport, protocol revision 2025-06-18.
Raw JSON-RPC
Hit it with curl if you just want to test:
curl -sX POST https://vu1nz.com/api/mcp \
  -H 'Content-Type: application/json' \
  -d '{
    "jsonrpc":"2.0",
    "id":1,
    "method":"tools/call",
    "params":{
      "name":"scan_repo",
      "arguments":{"repo":"vercel/next.js"}
    }
  }'
Design notes
Why it's built this way.
- Single source of truth. Every MCP tool reuses the same code paths the website calls (the public scanner, the threat feed, the license logic). No drift between what an AI agent sees and what a human sees on vu1nz.com.
- Stateless. Every JSON-RPC request is independent. No sessions, no SSE, no Mcp-Session-Id. Easy to deploy behind any CDN.
- No auth, public data. Wide-open CORS. Cookies aren't honoured. The only action that costs money is scan_repo, and it hits GitHub's public REST API — same throughput as the homepage scanner.
- Discoverable. Server card at /.well-known/mcp/server-card.json, a Link: rel="mcp" response header on every page, and source under src/lib/mcp/ in the repo.
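The client side of the Raw JSON-RPC call above, as an added Python example that is not vu1nz's own code: it validates the repo argument before building the scan_repo request, then separates the three outcomes of a stateless tools/call response (result, tool-level error, JSON-RPC error). Assumptions: the owner/name pattern, the function names, and the sample responses are constructed here; the `content` / `isError` result fields follow the MCP tools/call result shape, not anything this page shows.

```python
import json
import re

# Assumption: GitHub-style "owner/name" slug; the page only shows "vercel/next.js".
REPO_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,38}/[A-Za-z0-9._-]{1,100}")

def build_scan_request(repo, request_id=1):
    """Build the tools/call body for scan_repo; reject URLs, extra path parts, dot names."""
    if not REPO_RE.fullmatch(repo) or repo.split("/")[1] in (".", ".."):
        raise ValueError(f"not an owner/name repo slug: {repo!r}")
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "scan_repo", "arguments": {"repo": repo}},
    }

def read_tool_result(raw, request_id=1):
    """Return the text blocks of a tools/call response, raising on every failure shape."""
    msg = json.loads(raw)
    # The server keeps no session, so the JSON-RPC id is the only request/response link.
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or msg.get("id") != request_id:
        raise ValueError("response does not match the request id")
    if "error" in msg:  # protocol-level failure: JSON-RPC error object
        err = msg["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    result = msg.get("result") or {}
    texts = [c.get("text", "") for c in result.get("content", []) if c.get("type") == "text"]
    if result.get("isError"):  # tool-level failure inside an otherwise valid result
        raise RuntimeError("tool error: " + " ".join(texts))
    return texts  # untrusted third-party text: pass to the agent as data, not instructions

# Constructed sample responses, not captured from vu1nz.com; payload text is a placeholder.
SAMPLE_OK = ('{"jsonrpc":"2.0","id":1,"result":'
             '{"content":[{"type":"text","text":"<findings>"}],"isError":false}}')
SAMPLE_TOOL_ERR = ('{"jsonrpc":"2.0","id":1,"result":'
                   '{"content":[{"type":"text","text":"<failure text>"}],"isError":true}}')
SAMPLE_RPC_ERR = '{"jsonrpc":"2.0","id":1,"error":{"code":-32602,"message":"Invalid params"}}'

if __name__ == "__main__":
    print(json.dumps(build_scan_request("vercel/next.js")))
    print(read_tool_result(SAMPLE_OK))
```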
Try it
Add vu1nz to your AI agent in 30 seconds.
One URL. Seven tools. Stop installing one-off integrations.