Skip to content

alavesa/patchpilots-mcp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
src
src
 
 
.gitignore
.gitignore
 
 
CLAUDE.md
CLAUDE.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

patchpilots-mcp

npm version license

PatchPilots security and accessibility agents as an MCP server. Catch supply chain attacks, security anti-patterns, and accessibility issues inside Claude Code, Cursor, and any MCP-compatible IDE.

What it does

Three tools, one server:

Tool What it scans
security_scan OWASP Top 10 audit — injection, XSS, auth flaws, secrets, crypto issues, misconfigurations. Returns findings with CWE references.
scan_dependencies Supply chain risk scanner — typosquatting, postinstall scripts, scope changes, unmaintained packages, known vulnerabilities.
design_audit WCAG 2.1 AA accessibility audit — color contrast, semantic HTML, keyboard navigation, ARIA, focus management, design tokens, CSS consistency. Returns findings with WCAG success criterion references.

All return structured JSON with severity, impact, and remediation for every finding.

Install

Claude Code

// ~/.claude.json or project .claude.json
{
  "mcpServers": {
    "patchpilots": {
      "command": "npx",
      "args": ["-y", "patchpilots-mcp"],
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-..."
      }
    }
  }
}

Cursor

// .cursor/mcp.json
{
  "mcpServers": {
    "patchpilots": {
      "command": "npx",
      "args": ["-y", "patchpilots-mcp"],
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-..."
      }
    }
  }
}

VS Code

// .vscode/mcp.json
{
  "servers": {
    "patchpilots": {
      "command": "npx",
      "args": ["-y", "patchpilots-mcp"],
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-..."
      }
    }
  }
}

API key

The server looks for your Anthropic API key in this order:

  1. ANTHROPIC_API_KEY environment variable
  2. apiKey field in ~/.patchpilots.json

If you already use PatchPilots CLI, your global config works automatically.

Tools

security_scan

path:     string   — file or directory to scan
severity: string   — minimum severity: "critical" | "high" | "medium" | "low" (default: "medium")
roast:    boolean? — brutally honest commentary (default: false)
model:    string?  — Claude model (default: claude-sonnet-4-6)

Returns:

{
  "findings": [
    {
      "file": "src/auth.ts",
      "line": 42,
      "severity": "critical",
      "category": "injection",
      "cwe": "CWE-89",
      "title": "SQL injection in user lookup",
      "description": "User input concatenated into SQL query...",
      "impact": "Full database access...",
      "remediation": "Use parameterized queries..."
    }
  ],
  "riskScore": "critical",
  "summary": "Found 3 security issues..."
}

scan_dependencies

path:   string   — path to package.json or project root
model:  string?  — Claude model (default: claude-sonnet-4-6)

Returns:

{
  "risks": [
    {
      "package": "event-stream",
      "severity": "critical",
      "category": "known-vulnerability",
      "title": "Compromised package with malicious code",
      "description": "...",
      "remediation": "Remove and replace with..."
    }
  ],
  "riskScore": "high",
  "summary": "Found 2 supply chain risks...",
  "stats": {
    "totalDeps": 15,
    "totalDevDeps": 8,
    "risksFound": 2
  }
}

design_audit

path:     string   — file or directory to audit
severity: string   — minimum severity: "critical" | "high" | "medium" | "low" (default: "medium")
roast:    boolean? — brutally honest commentary (default: false)
model:    string?  — Claude model (default: claude-sonnet-4-6)

Returns:

{
  "findings": [
    {
      "file": "src/components/Button.tsx",
      "line": 15,
      "severity": "high",
      "category": "accessibility",
      "wcagRef": "WCAG 2.1 SC 4.1.2",
      "title": "div with onClick instead of button element",
      "description": "Interactive element uses div with onClick...",
      "remediation": "Replace <div onClick=...> with <button>..."
    }
  ],
  "designHealthScore": "high",
  "summary": "Found 4 accessibility issues..."
}

Fun features

Risk emojis — every scan shows a visual risk score: 🟢 none 🟡 low 🟠 medium 🔴 high 💀 critical

Clean scan badges — pass with no findings and get a README badge:

[![Reviewed by PatchPilots](https://img.shields.io/badge/reviewed%20by-PatchPilots%20🔒-blueviolet)](https://github.com/alavesa/patchpilots)

Roast mode — set roast=true on security_scan or design_audit for brutally honest, funny commentary on your findings. Same structured output, spicier language. Try asking your IDE:

"roast the accessibility of my code"

When to use what

CLI GitHub Action MCP (this)
When You run it manually Every PR automatically On demand in conversation
Where Terminal GitHub CI Inside your IDE
Agents All 8 All 8 Security + deps + design
Follow-up Read output, act yourself Read PR comment, act yourself Ask assistant to explain and fix
Safety net No — you remember to run it Yes — always runs No — only when IDE is open

Need the full crew? Use the PatchPilots CLI — all 8 agents in one command:

npx patchpilots audit ./src --write

Want automatic PR reviews? Add the PatchPilots GitHub Action:

- uses: alavesa/patchpilots@v1
  with:
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

All three use the same analysis. The MCP server is for real-time, conversational security and accessibility scanning while you code. The CLI and Action cover the rest.

License

MIT

About

PatchPilots security agent as an MCP server. Catch supply chain attacks and security anti-patterns inside Claude Code, Cursor, and any MCP-compatible IDE.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages