Back to MCP Servers

Socket Security MCP Server

Analyze npm, PyPI, and other package ecosystems for supply chain, quality, maintenance, vulnerability, and license risk via Socket's API.

Developer Tools by Socket API Key active
Connect (Remote Server) GitHub Docs npm: @socketsecurity/mcp
Overview

Socket MCP is the official Model Context Protocol server from Socket, exposing the Socket dependency intelligence API to AI assistants. It allows agents to check security and quality scores for packages across npm, PyPI, and other ecosystems before they get installed or recommended, giving developers a guardrail against supply chain attacks, typosquats, and risky transitive dependencies.

The server exposes a single primary tool, depscore, which accepts a batch of package identifiers (ecosystem, name, version) and returns Socket's composite scores: supply chain risk, quality, maintenance, vulnerability, and license. Because it accepts an array, an agent can score an entire package.json or requirements.txt in one call.

Socket runs a public hosted endpoint at https://mcp.socket.dev/ that requires no authentication for basic use, and the source is also available on GitHub (MIT licensed) as an npm package, @socketsecurity/mcp, that you can run locally over stdio or HTTP. Local deployments use a Socket API token with packages:list scope, and enterprise deployments can use OAuth.

Tools

Tool Description
depscore Returns Socket's security and quality scores (supply chain, quality, maintenance, vulnerability, license) for one or more packages. Accepts batched queries across ecosystems.
Setup Guide

Option 1: Use the hosted server (recommended)

Socket hosts a public MCP endpoint that requires no API token for basic usage. Add it to your MCP client config:

{
  "mcpServers": {
    "socket-mcp": {
      "type": "http",
      "url": "https://mcp.socket.dev/"
    }
  }
}

One-click install buttons for VS Code, Cursor, and Claude Desktop are available in the repo README.

Option 2: Run locally over stdio

Install and run via npx. Requires Node.js v16+ (v22+ recommended) and a Socket API token with the packages:list scope, available from your Socket dashboard.

{
  "mcpServers": {
    "socket-mcp": {
      "command": "npx",
      "args": ["@socketsecurity/mcp@latest"],
      "env": {
        "SOCKET_API_TOKEN": "your-api-token-here"
      }
    }
  }
}

Option 3: Run locally over HTTP

Start the server locally (it exposes a GET /health endpoint and supports OAuth for enterprise setups), then point your client at it:

{
  "mcpServers": {
    "socket-mcp": {
      "type": "http",
      "url": "http://localhost:3000"
    }
  }
}

A Dockerfile is included in the repo for containerized deployments.

Use Cases
  • Pre-install vetting: have the agent score every dependency in a proposed package.json or requirements.txt diff before merging
  • Triage existing supply chain risk by batching all production dependencies through depscore and ranking by supply chain or vulnerability score
  • Block typosquat or malware suggestions when an LLM proposes adding an unfamiliar npm or PyPI package to a project
  • Generate a security-aware dependency report during code review or PR description drafting
  • Compare alternatives: ask the agent to score lodash vs radash, or requests vs httpx, before recommending one
Example Prompts
  • "Score every dependency in this package.json using Socket and flag any with a supply chain score below 70."
  • "Before you add left-pad to the project, check its Socket depscore."
  • "Run depscore on requests==2.31.0 and httpx==0.27.0 from PyPI and tell me which is safer to adopt."
  • "Pull the dependency list from requirements.txt and give me a markdown table of Socket vulnerability and maintenance scores."
  • "An LLM suggested chalk-colors and node-ipc. Check both with Socket and warn me if either is a known malicious package."
Pros
  • Official server maintained by Socket, MIT licensed, with a free hosted endpoint at mcp.socket.dev
  • Batch input means an agent can score an entire dependency manifest in a single tool call
  • Supports multiple ecosystems (npm, PyPI, and others) through one consistent tool
  • Multiple deployment options: hosted HTTP, local stdio via npx, local HTTP, or Docker
Limitations
  • Only one tool (depscore); no endpoints for fetching detailed issue lists, alerts, or org-level policy data
  • Local deployments require a Socket account and an API token with the right scope
  • Score interpretation depends on Socket's proprietary scoring model, which is not fully transparent
Alternatives
  • Snyk MCP for vulnerability scanning across code and dependencies
  • GitHub MCP server which exposes Dependabot alerts and advisory data
  • OSV.dev queried via a generic HTTP MCP tool for open-source vulnerability lookups
More Developer Tools MCP Servers
AWS API
Bridge that lets AI assistants manage AWS infrastructure by executing validated AWS CLI commands across every AWS service.
AWS CDK
Official AWS Labs MCP server that guides agents through AWS CDK development with prescriptive patterns, CDK Nag security validation, and Solutions Constructs discovery.
AWS CloudWatch
Official AWS Labs MCP server for CloudWatch. Query metrics, analyze logs, investigate alarms, and run PromQL queries for AI-powered root cause analysis.
Aiven
Official MCP server for the Aiven cloud data platform. Manage PostgreSQL, Apache Kafka, and other Aiven services from AI assistants.