codesafer
CodeSafer is an MCP server that scans AI-generated code for 9 categories of hidden security threats — including invisible Unicode, Trojan Source, homoglyphs, and rules file backdoors — using static analysis plus CodeBERT deep learning. Runs locally, free tier available.
README
CodeSafer (cleaner-code)
AI code security scanner as a Model Context Protocol (MCP) server. Detects hidden threats in AI-generated code that traditional linters miss.
Website: codesafer.org · MCP Clients: Claude Code, Cursor, VS Code + Copilot, Cline
Why CodeSafer?
AI coding assistants generate code fast — but who's checking it for hidden threats?
Recent supply-chain attacks show that malicious code can hide in ways human reviewers and traditional linters routinely miss:
- Invisible Unicode characters injected into identifiers (30+ variants)
- BiDi / Trojan Source attacks that reorder how code is displayed vs. executed (CVE-2021-42574)
- Homoglyphs — Cyrillic characters masquerading as Latin (CVE-2021-42694)
- Glassworm-style Unicode steganography hiding payloads in whitespace
- Rules file backdoors planted in
.cursorrules,CLAUDE.md, and other AI config files - Typosquatted dependencies in
package.json - Obfuscation patterns —
eval+ base64, reverse shells, packed payloads
CodeSafer scans for all of these before the code runs on your machine.
How it works
CodeSafer runs as a local MCP server. Your AI client (Claude Code, Cursor, etc.) calls its tools when reviewing or generating code, and findings are returned inline.
Hybrid detection:
- 8 static analysis scanners — deterministic rules for known attack categories (fast, zero false-negatives on the patterns they cover).
- CodeBERT deep analysis — transformer model classifies code chunks as malicious/benign with confidence scores. Catches obfuscated or novel patterns that static rules miss.
Nothing leaves your machine. The AI analysis runs locally against a tokenizer server.
Features
| Capability | Details |
|---|---|
| Invisible character detection | 30+ Unicode variants including Zero-Width Space, Mongolian Vowel Separator |
| BiDi / Trojan Source | Full CVE-2021-42574 coverage |
| Homoglyph detection | Cyrillic/Greek/Latin confusables (CVE-2021-42694) |
| Unicode steganography | Glassworm-style whitespace payloads |
| Rules file backdoors | Scans .cursorrules, CLAUDE.md, .claude/, Cursor rules |
| Dependency scanning | Typosquatting + suspicious install scripts in package.json |
| Obfuscation detection | eval + base64, reverse shells, packed payloads |
| AI deep analysis | CodeBERT transformer classifier with confidence scores |
| MCP native | 6 MCP tools, stdio transport |
| Local-first | No code uploaded — runs entirely on your machine |
MCP Tools
CodeSafer exposes six tools to your MCP client:
| Tool | Purpose |
|---|---|
scan_file |
Scan a single file for hidden malicious code patterns |
scan_directory |
Recursively scan a directory across all source files |
scan_rules_file |
Scan an AI configuration/rules file for prompt injection and Rules File Backdoor attacks |
check_dependencies |
Check package.json for typosquatting, suspicious install scripts, and dependency risks |
ai_analyze |
Deep AI analysis using the trained CodeBERT model (classifies chunks as malicious/benign with confidence) |
explain_finding |
Get detailed explanation of a specific threat category, with attack scenarios and remediation |
Installation
Prerequisites
- Node.js 18 or later
- An MCP-compatible client (Claude Code, Cursor, VS Code + Copilot, Cline)
From source
git clone https://github.com/goldmembrane/cleaner-code.git
cd cleaner-code
npm install
npm run build
Configure your MCP client
Claude Code (~/.claude.json or project .mcp.json):
{
"mcpServers": {
"codesafer": {
"command": "node",
"args": ["/absolute/path/to/cleaner-code/dist/index.js"]
}
}
}
Cursor (.cursor/mcp.json):
{
"mcpServers": {
"codesafer": {
"command": "node",
"args": ["/absolute/path/to/cleaner-code/dist/index.js"]
}
}
}
Restart your client, and CodeSafer tools will appear in the tool picker.
Usage
Once configured, ask your AI client things like:
- "Scan this file for hidden security issues."
- "Check the dependencies in package.json for typosquatting."
- "Scan
.cursorrulesfor a rules-file backdoor." - "Run a deep AI analysis of
src/auth.ts." - "Explain what a Trojan Source attack is and how to fix the finding above."
The client will call the appropriate MCP tool and return findings with severity, line numbers, and remediation guidance.
Free tier & Plans
CodeSafer is free to use. Static analysis (scan_file, scan_directory, scan_rules_file, check_dependencies, explain_finding) has no limits.
AI deep analysis (ai_analyze) includes 10 free runs per session. Paid plans for higher AI quotas are available at codesafer.org.
Detection categories
CodeSafer detects threats across 9 categories:
- Invisible Unicode characters — 30+ variants including Zero-Width Space, Zero-Width Joiner
- BiDi / Trojan Source attacks — CVE-2021-42574
- Homoglyphs — Cyrillic/Greek characters masquerading as Latin (CVE-2021-42694)
- Unicode steganography — Glassworm patterns in whitespace
- Rules file backdoors — malicious instructions in
.cursorrules,CLAUDE.md, etc. - Dependency risks — typosquatting and suspicious install scripts
- Obfuscation patterns —
eval+ base64, packed payloads, reverse shells - Static analysis findings — 8 deterministic scanners
- AI deep analysis — CodeBERT transformer for novel and obfuscated threats
Project structure
cleaner-code/
├── src/
│ ├── index.ts # MCP server entry point
│ ├── api-server.ts # Optional HTTP API server
│ ├── types.ts # Scanner interfaces
│ ├── utils.ts # File collection, summary formatting
│ └── scanner/
│ ├── invisible.ts # Invisible Unicode scanner
│ ├── bidi.ts # BiDi / Trojan Source scanner
│ ├── homoglyph.ts # Homoglyph scanner
│ ├── encoding.ts # Encoding / charset scanner
│ ├── obfuscation.ts # Obfuscation pattern scanner
│ ├── steganography.ts # Unicode steganography scanner
│ ├── rules-backdoor.ts # Rules file backdoor scanner
│ ├── dependency.ts # Dependency risk scanner
│ └── ai-analyzer.ts # CodeBERT deep analyzer
├── ml/ # ML model assets and tokenizer
├── functions/ # Cloud function deployments
├── deploy/ # Deployment manifests
└── web/ # Landing page assets
License
ISC — see the LICENSE file for details.
Links
- Website: codesafer.org
- Model Context Protocol: modelcontextprotocol.io
- Report issues: GitHub Issues
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.