Announcement

Attestd MCP: Give Your AI Agent a Hard Security Gate on Every Dependency

Robert · Updated May 22, 2026 · 4 min read

[Feature image: dark terminal-style graphic. White text reads "Block or proceed? The agent needs to know." Below it: mcp.attestd.io in teal monospace. Attestd branding bottom left.]

AI agents are making real deployment decisions. They resolve dependencies, recommend package versions, write Dockerfiles, and approve infrastructure changes. Most of them do this with no access to structured security data.

The problem is not that agents ignore security. The problem is that the data they have access to requires interpretation. An agent that reads a CVSS score of 7.8 has no reliable way to decide whether to block or proceed. "High severity" is not a policy. It is a label that requires human judgment to translate into action.

Attestd MCP gives agents a structured signal instead. riskState: "critical" means block. activelyExploited: true means block. supplyChainCompromised: true means the package itself was malicious, not just vulnerable. outsideCoverage: true means no data is available and the agent is told to treat that as unknown risk, not safe. Policy becomes a conditional, not an inference.


The node-ipc case

Three versions of node-ipc, a package with 690,000 weekly downloads, were compromised this week. The malicious code executed automatically on import and exfiltrated credentials via DNS TXT queries to blend with normal DNS traffic. No CVE exists, and npm audit returns clean for all three affected versions.

An agent with access to the Attestd MCP tool would have caught it:

```text
check_package_vulnerability("node-ipc", "9.1.6")
→ riskState: "none", supplyChainCompromised: true
  "Malicious code in node-ipc (npm)"
```

riskState is "none" because there are no CVEs. The supply chain signal is the only detector. The agent sees both signals independently and can branch on either.


Two ways to connect

Hosted server (no install)

Add one block to your Claude Code, Cursor, or any HTTP MCP client config:

```json
{
  "mcpServers": {
    "attestd": {
      "url": "https://mcp.attestd.io/mcp",
      "headers": {
        "Authorization": "Bearer atst_..."
      }
    }
  }
}
```

Restart. Done. No Node.js required. No local process. Also available on Smithery for one-click connect flows. The atst_ key is a bearer credential: anyone who can read the config file can call the API as you, so keep that file out of version control.

stdio package (local)

For users who prefer a local setup:

```json
{
  "mcpServers": {
    "attestd": {
      "command": "npx",
      "args": ["-y", "@attestd/mcp"],
      "env": {
        "ATTESTD_API_KEY": "atst_..."
      }
    }
  }
}
```

Same two tools, same API, different transport. Both options are supported.


The two tools

check_package_vulnerability

Pass a product slug and version. Get back a structured result the model can act on directly without interpretation.

```json
{
  "outsideCoverage": false,
  "riskState": "critical",
  "activelyExploited": true,
  "patchAvailable": true,
  "fixedVersion": "2.15.0",
  "supplyChainCompromised": false,
  "supplyChainDescription": null
}
```

riskState covers CVE severity derived from NVD and the CISA KEV catalog. activelyExploited is the CISA KEV signal directly. supplyChainCompromised is the malicious publish signal for PyPI and npm packages. riskState and supplyChainCompromised are independent: a package can have riskState: "none" and supplyChainCompromised: true simultaneously. Every real supply chain attack covered by Attestd this year has been in exactly that state.

outsideCoverage: true means the product is not in Attestd's catalog. The tool instructs the model to treat this as unknown risk. An agent cannot treat an unsupported product as clean by default.
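The policy the sections above describe, written out as an added example. This is not code from the Attestd project or the @attestd/mcp package; it is a fail-closed gate that turns a check_package_vulnerability result into one of proceed / warn / block / hold, with the node-ipc response, the critical response from the JSON above, and an out-of-coverage response reconstructed as constructed sample data. Two assumptions are labelled in the code: the "warn" branch for riskState values other than "none" and "critical" (the page shows only those two values), and the product name example-product, which is a placeholder for the unnamed package in the critical response.

```javascript
// Added example, not the Attestd project's own code. A deterministic gate over the
// structured fields of a check_package_vulnerability result. The gate fails closed:
// a missing or non-boolean field is treated as unknown risk, never as false.

const BOOLEAN_FIELDS = [
  "outsideCoverage",
  "supplyChainCompromised",
  "activelyExploited",
  "patchAvailable",
];

function decide(result) {
  if (result === null || typeof result !== "object") {
    return { action: "hold", reason: "no structured result; treat as unknown risk", upgradeTo: null };
  }
  for (const field of BOOLEAN_FIELDS) {
    if (typeof result[field] !== "boolean") {
      return { action: "hold", reason: `${field} missing or not boolean; treat as unknown risk`, upgradeTo: null };
    }
  }
  // Coverage first, so an unsupported product can never fall through to "proceed".
  if (result.outsideCoverage) {
    return { action: "hold", reason: "product outside Attestd coverage: unknown risk, not safe", upgradeTo: null };
  }
  // Independent of riskState: node-ipc is riskState "none" and still malicious.
  if (result.supplyChainCompromised) {
    const what = result.supplyChainDescription ?? "no description";
    return { action: "block", reason: `malicious publish: ${what}`, upgradeTo: null };
  }
  const upgradeTo =
    result.patchAvailable && typeof result.fixedVersion === "string" ? result.fixedVersion : null;
  if (result.activelyExploited) {
    return { action: "block", reason: "listed in CISA KEV", upgradeTo };
  }
  if (result.riskState === "critical") {
    return { action: "block", reason: "riskState critical", upgradeTo };
  }
  if (result.riskState === "none") {
    return { action: "proceed", reason: "no known CVE risk and no supply chain signal", upgradeTo: null };
  }
  // Assumption: riskState has values between "none" and "critical". Surface them
  // for review rather than silently proceeding.
  return { action: "warn", reason: `riskState ${String(result.riskState)}`, upgradeTo };
}

// Constructed sample results, keyed by "slug@version", standing in for the tool call.
// "example-product" is a placeholder name for the unnamed package in the critical response.
const SAMPLE_RESULTS = {
  "node-ipc@9.1.6": {
    outsideCoverage: false, riskState: "none", activelyExploited: false,
    patchAvailable: false, fixedVersion: null,
    supplyChainCompromised: true, supplyChainDescription: "Malicious code in node-ipc (npm)",
  },
  "example-product@2.14.0": {
    outsideCoverage: false, riskState: "critical", activelyExploited: true,
    patchAvailable: true, fixedVersion: "2.15.0",
    supplyChainCompromised: false, supplyChainDescription: null,
  },
  "unlisted-tool@1.0.0": {
    outsideCoverage: true, riskState: "none", activelyExploited: false,
    patchAvailable: false, fixedVersion: null,
    supplyChainCompromised: false, supplyChainDescription: null,
  },
};

function sampleLookup(slug, version) {
  return SAMPLE_RESULTS[`${slug}@${version}`];
}

// Gate a whole dependency list. The set may proceed only when every entry is "proceed";
// "warn" and "hold" entries need a human, "block" entries are refused outright.
function gateDependencies(deps, lookup) {
  const decisions = deps.map(({ slug, version }) => ({ slug, version, ...decide(lookup(slug, version)) }));
  const blocked = decisions.filter((d) => d.action === "block");
  const needsReview = decisions.filter((d) => d.action === "warn" || d.action === "hold");
  return { proceed: blocked.length === 0 && needsReview.length === 0, blocked, needsReview, decisions };
}

const verdict = gateDependencies(
  [
    { slug: "node-ipc", version: "9.1.6" },
    { slug: "example-product", version: "2.14.0" },
    { slug: "unlisted-tool", version: "1.0.0" },
  ],
  sampleLookup,
);
console.log(JSON.stringify(verdict, null, 2));
```

The ordering inside decide is the point: coverage is checked before anything else, the supply chain flag is checked before riskState, and a response that lacks a field lands in "hold" rather than being read as false. Wire lookup to the real tool call and the same function gates live results.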

list_covered_products

No API key required. Returns all 62 covered infrastructure products and their slugs. The model should call this first when it is unsure whether a product is supported, before calling check_package_vulnerability.


What the agent can do with it

With Attestd as an MCP tool, Claude Code can check any dependency before recommending it, flag vulnerable versions inline while writing deployment configuration, surface supply chain compromise signals that no CVE scanner would catch, and recommend upgrade paths via fixedVersion when a patch exists.

The tool description instructs the model to call check_package_vulnerability before deploying or recommending any software dependency. The structured return format gives the model unambiguous fields to branch on.