Hound MCP
The dependency bloodhound for AI coding agents. Hound is a free, open-source MCP server that gives AI coding agents a nose for supply chain security. It scans packages for vulnerabilities, checks licenses, inspects dependency trees, and detects typosquatting — with zero API keys, zero config, and zero cost.
README
Hound MCP
The dependency bloodhound for AI coding agents.
Hound is a free, open-source MCP server that gives AI coding agents a nose for supply chain security. It scans packages for vulnerabilities, checks licenses, inspects dependency trees, and detects typosquatting — with zero API keys, zero config, and zero cost.
<a href="https://glama.ai/mcp/servers/tiluckdave/hound-mcp"> <img width="380" height="200" src="https://glama.ai/mcp/servers/tiluckdave/hound-mcp/badge" alt="Hound MCP server" /> </a>
Why Hound?
Most security tools require accounts, API keys, or paid plans. Hound uses only two fully free, unauthenticated public APIs:
- deps.dev (Google Open Source Insights) — package metadata, dependency trees, licenses, OpenSSF Scorecard
- OSV (Google Open Source Vulnerabilities) — CVEs, GHSAs, fix versions
No sign-up. No config. Just install and go.
Quickstart
Claude Code
claude mcp add hound -- npx -y hound-mcp
Claude Desktop / Cursor / Windsurf
Add to your MCP config file:
{
"mcpServers": {
"hound": {
"command": "npx",
"args": ["-y", "hound-mcp"]
}
}
}
Config file locations:
- Claude Desktop (macOS):
~/Library/Application Support/Claude/claude_desktop_config.json - Cursor:
~/.cursor/mcp.json - Windsurf:
~/.codeium/windsurf/mcp_config.json
VS Code (Copilot)
{
"mcp": {
"servers": {
"hound": {
"type": "stdio",
"command": "npx",
"args": ["-y", "hound-mcp"]
}
}
}
}
Tools
Hound registers 12 tools in your MCP client.
hound_audit ⭐
Scan a whole project by passing your lockfile content. Parses package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Cargo.lock, or go.sum and batch-queries OSV for vulnerabilities across all dependencies.
hound_audit(lockfile_name: "package-lock.json", lockfile_content: "<contents>")
hound_vulns
List all known vulnerabilities for a package version, grouped by severity with fix versions.
hound_vulns(name: "express", version: "4.18.2", ecosystem: "npm")
hound_inspect
Comprehensive package profile — licenses, vulnerabilities, OpenSSF Scorecard, GitHub stars, and dependency count in one call.
hound_inspect(name: "lodash", version: "4.17.21", ecosystem: "npm")
hound_score
Compute a 0–100 Hound Score combining vulnerability severity (40 pts), OpenSSF Scorecard (25 pts), release recency (20 pts), and license risk (15 pts). Returns a letter grade A–F with a full breakdown.
hound_score(name: "express", version: "4.18.2", ecosystem: "npm")
hound_upgrade
Find the minimum version upgrade that resolves all known vulnerabilities. Checks every published version and returns the nearest safe one.
hound_upgrade(name: "lodash", version: "4.17.20", ecosystem: "npm")
hound_compare
Side-by-side comparison of two packages across vulnerabilities, OpenSSF Scorecard, GitHub stars, release recency, and license. Returns a recommendation.
hound_compare(package_a: "express", package_b: "fastify", ecosystem: "npm")
hound_preinstall
Safety check before installing a package. Checks vulnerabilities, typosquatting risk, abandonment, and license. Returns a GO / CAUTION / NO-GO verdict.
hound_preinstall(name: "some-package", version: "1.0.0", ecosystem: "npm")
hound_tree
Full resolved dependency tree including all transitive dependencies, with depth and relation type.
hound_tree(name: "next", version: "14.2.0", ecosystem: "npm", maxDepth: 3)
hound_advisories
Full advisory details by ID — works with GHSA, CVE, and OSV IDs.
hound_advisories(id: "GHSA-rv95-896h-c2vc")
hound_advisories(id: "CVE-2024-29041")
hound_typosquat
Generates likely typo variants of a package name and checks which ones exist in the registry — surfaces potential typosquatting attacks.
hound_typosquat(name: "lodash", ecosystem: "npm")
hound_license_check
Scan a lockfile for license compliance. Resolves licenses for all dependencies and flags packages that violate the chosen policy.
hound_license_check(lockfile_name: "package-lock.json", lockfile_content: "<contents>", policy: "permissive")
Policies: permissive (MIT/Apache/BSD only), copyleft (allows GPL but not AGPL), none (report only).
hound_popular
Scan a list of popular (or user-specified) packages for known vulnerabilities. Great for a quick ecosystem health check.
hound_popular(ecosystem: "npm")
hound_popular(ecosystem: "pypi", packages: ["requests", "flask", "django"])
Supported Ecosystems
| Ecosystem | Value |
|---|---|
| npm | npm |
| PyPI | pypi |
| Go | go |
| Maven | maven |
| Cargo (Rust) | cargo |
| NuGet (.NET) | nuget |
| RubyGems | rubygems |
Built-in Prompts
Hound ships with 3 MCP prompts you can invoke directly from your AI client.
security_audit
Full project security audit — scans for vulnerabilities, license issues, and typosquat risks.
/security_audit ecosystem="npm"
package_evaluation
Go/no-go recommendation before adding a new dependency.
/package_evaluation package="axios" version="1.6.0" ecosystem="npm"
pre_release_check
Pre-ship dependency scan that flags release blockers.
/pre_release_check version="1.2.0"
Local Development
# Clone
git clone https://github.com/tiluckdave/hound-mcp.git
cd hound-mcp
# Install
pnpm install
# Build
pnpm build
# Test
pnpm test
# Lint
pnpm lint
# Format
pnpm format
# Run all checks (typecheck + lint + test)
pnpm check
# Run locally as MCP server
node dist/index.js
Contributing
Contributions are welcome. Read CONTRIBUTING.md first — the one rule is zero API keys, forever. Hound must always work without any account or authentication.
License
MIT © 2026 Tilak Dave
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.