@graneth/mcp-server
@graneth/mcp-server
An account-free Model Context Protocol server that catches AI-hallucinated dependencies and hardcoded secrets in your staged changes before you commit — straight inside your AI coding agent.
It exposes a single, always-free tool over stdio:
pre_flight_check
Give it your staged files (path + content). It will:
- Detect hallucinated / slopsquatted packages — every imported package is checked live against the npm and PyPI registries. A package that doesn't exist (404) is the hallmark of an AI-invented dependency an attacker may have pre-registered. → BLOCKED.
- Flag brand-new packages (published < 30 days ago) — the prime slopsquatting attack window. → REVIEW_REQUIRED.
- Catch hardcoded secrets — known credential patterns (AWS, GitHub, Slack,
OpenAI/Stripe
sk-…, PEM private keys) plus Shannon-entropy analysis with semantic variable-name context. → BLOCKED / REVIEW_REQUIRED.
No Graneth account, API key, or hosted backend is required. The checks run locally; the only network calls are to the public npm/PyPI registries.
Install / run
npx -y @graneth/mcp-serverConfigure your agent
Add it to your MCP client config (Claude Code, Cursor, …):
{
"mcpServers": {
"graneth": {
"command": "npx",
"args": ["-y", "@graneth/mcp-server"]
}
}
}Then ask your agent to run pre_flight_check before suggesting a commit. A
BLOCKED verdict means: do not commit until the CRITICAL findings are fixed.
Verdicts
| Verdict | Meaning |
|---|---|
CLEAR |
No issues — safe to commit. |
REVIEW_REQUIRED |
Warnings to confirm (new packages, lower-confidence). |
BLOCKED |
Critical issues (non-existent package / secret) — do not commit. |
How it relates to Graneth
This server shares its detection core with the hosted
Graneth scanner via the internal @graneth/core-checks
module, so local pre-flight results match what the full PR scan would find.
License
MIT