npm audit alternative

An npm audit alternative for Claude skills and MCP servers

Every Node project ships with npm audit — type the command, get a count of dependencies that match an advisory in the npm registry feed. It's the cheapest possible CVE check and it has a place in CI. It is not the right tool for "is this MCP server's tool-handler code safe to install" — that's a question about source code you wrote yourself, not about CVEs in your dependency graph.

TL;DR

npm audit is free, built in, and fast at one job: matching the versions in your package-lock.json against npm's advisory database. SkillAudit answers a different question: it reads the tool-handler bodies in an MCP server and grades them for SSRF in fetch(url), credential echo from environment variables, prompt-injection susceptibility, permission scope, maintenance, and docs — output as one A–F grade. We scanned 101 of the most-installed MCP servers: 50% had SSRF, 38% had credential-handling findings, 19% earned an A. A clean npm audit on those repos tells you nothing about any of that.

Why teams look for an npm audit alternative when adopting MCP

npm audit's contract is simple: it looks at your lockfile, joins it against the npm advisory feed, and prints the result. The model assumes the dangerous code lives in a third-party library that someone else has already filed a CVE against. That assumption holds for a lot of conventional Node code — and it stops holding the moment you ship an MCP server, because the code an LLM is going to invoke as a tool is your code, written this quarter, with no CVE attached.

Three reasons MCP authors and team buyers look for an npm audit alternative:

The dangerous surface in MCP is in tool handlers, not in dependencies. A representative MCP server depends on @modelcontextprotocol/sdk and a thin HTTP client. npm audit finds nothing because there's nothing in the dependency graph. The bug is in tools/fetch_url.ts where the developer wrote const r = await fetch(req.url); return await r.text();. There is no advisory for first-party SSRF in code you wrote yesterday — that's not how the npm advisory feed works.
The npm advisory feed is npm-only. A Python MCP server, a Go MCP server, or a Rust MCP server is invisible to npm audit. SkillAudit reads source regardless of language; the static MCP idioms — fetch(url) tool handlers, subprocess.run(..., shell=True), process.env in handler return paths — are pattern-recognizable across languages.
npm audit produces noise, not a buyer signal. Anyone who has run npm audit on a real project knows the output: pages of "high" advisories that turn out to live in a build-time transitive that never reaches production. Worse, the same scan on a vendor-official MCP server can come back clean while the repo carries 10 SSRF-shaped fetch call sites in the tool surface. Buyers want one A–F grade keyed to install risk, not a triage list keyed to advisory IDs.

Concretely: this is the exact MCP idiom that npm audit doesn't fire on, because nothing in it is a CVE.

// MCP tool handler — clean npm audit, F grade in SkillAudit
import {Server} from '@modelcontextprotocol/sdk/server/index.js';

server.tool('fetch_url', async ({url}) => {
  const res = await fetch(url);  // SSRF: url is attacker-controlled
  return await res.text();       // also: response body is now untrusted content
});                              // the LLM will treat as instruction

server.tool('debug_env', async () => {
  return {env: process.env};      // credential echo: STRIPE_SECRET_KEY,
});                               // GITHUB_TOKEN, ANTHROPIC_API_KEY, all leak

The library is current; the SDK is current; npm audit is silent. Both findings are a hard fail in SkillAudit because that's exactly what the static checks are tuned for.

How SkillAudit is different

SkillAudit is a six-axis static + LLM-assisted scanner built specifically for Claude skills and MCP servers. The six axes — security, permissions hygiene, credential exposure, maintenance, client compatibility, documentation — were chosen by reading the actual source of vendor-official MCP releases that shipped vulnerabilities, not by deriving them from a CVE taxonomy. The output is a single A–F grade plus a public report card at a stable URL the author can embed as a badge on their README.

Where npm audit is a registry-feed lookup over your lockfile, SkillAudit is a source-code static analyzer plus an LLM red-team plus a maintenance/permissions/docs review — over any public GitHub repo, npm package, or uploaded ZIP. Different question; complementary checks.

Side by side

	npm audit	SkillAudit
Threat model focus	Known CVEs in declared npm dependencies	MCP tool-handler SSRF, prompt injection, credential echo, permission scope
What it reads	Lockfile (`package-lock.json` / `npm-shrinkwrap.json`)	Tool-handler source code, env-var usage, fetch/exec call sites, README + manifest
Catches a CVE in a transitive npm dependency?	Yes — primary use case	Only if the CVE pattern matches a SkillAudit static check; not a primary axis
Catches SSRF in `fetch(url)` tool handlers?	No — first-party code is out of scope (no CVE)	Yes — pattern-based static check tuned to MCP idioms
Catches `subprocess.run(shell=True, …)` in handlers?	No	Yes — command-exec axis
LLM-assisted prompt-injection probe	No	Yes — extracts tool handlers, red-teams them via Claude Haiku 4.5
Credential-echo detection (env var → tool response)	No (different layer)	First-class axis; flags `process.env.X` in handler return paths
Single A–F buyer grade	No — finding list keyed by advisory ID and severity	One letter grade + per-axis pass/warn/fail
Public per-repo report card URL	No (CLI tool; results stay in your CI logs)	Yes (e.g. `/audits/owner-repo/`)
Public embed badge for authors	No	Yes — skill-grade badge written for marketplace listings
Cost	Free, built into npm	Free for 3 audits/month on public repos; $19/mo Pro; $99/mo Team
Languages covered	Node only — npm advisory feed	Any GitHub repo: TS/JS, Python, Go, Ruby, Rust, etc.
CI integration	Built into `npm install` + GitHub native	GitHub Action with min-grade gate (Pro)

What the data says

We ran SkillAudit against 101 of the most-installed Claude skills and MCP servers — the full live board is public and growing. The corpus includes vendor-official releases (Stripe, PayPal, MongoDB, Redis, Cloudflare, AWS, Azure, GCP, Heroku, Notion, Snowflake, Pinecone, Couchbase, Auth0, Resend, Brave, Vectara, Meilisearch, plus the nine official Anthropic MCP language SDKs), popular indie frameworks (FastMCP, mcp-use, mcp-agent), and community releases.

Results: 50% (50/101) shipped SSRF findings, 38% (38/101) had credential-handling findings, 10% (10/101) had command-exec findings, and only 19% (19/101) earned an A grade. Full grade distribution: 19 A · 30 C · 10 D · 42 F. Methodology and per-repo grades are in our research post: The state of MCP server security, 2026.

The relevant point for the npm audit comparison: an MCP repo with a clean npm audit can still be an F-grade install. The Heroku official MCP server has 10 template-string fetch call sites in tool handlers — F grade in SkillAudit, silent in npm audit. The Sentry MCP has 10 more in packages/mcp-core/src/api-client/client.ts. Both are clean by the npm advisory feed and dangerous by the install decision.

When npm audit is still the right choice

npm audit is a useful tool for plenty of work — including for MCP authors. Specifically:

You need a free, zero-config CVE gate inside npm install. npm audit already runs there. SkillAudit doesn't compete with it; we don't want to reinvent npm advisory matching.
You're protecting against compromised dependencies. If a transitive dep ships a malicious version with a published advisory, npm audit --audit-level=high in CI catches it. That's exactly what it's for.
Your project is pure Node and your concern is npm-ecosystem hygiene. If the question is "are any of my deps vulnerable" and you're inside Node, npm audit is the cheapest correct answer. It's a one-liner and it's free.
You want a familiar tool that reviewers and contributors already understand. Every Node developer knows npm audit fix. That readability has real value in a CI failure context.

The most useful framing: npm audit answers "are any of my npm dependencies vulnerable to a known CVE"; SkillAudit answers "is the MCP tool code I wrote on top of those dependencies safe to expose to an LLM." Both questions matter; the answers are independent. A green npm audit doesn't imply a green SkillAudit, and vice versa.

Switching cost

SkillAudit isn't a replacement for npm audit — it's the second scanner you add when you ship MCP. Both can coexist in CI without conflict; their findings are disjoint. A typical adoption path:

Keep npm audit --audit-level=high in CI as a fast, free dependency-CVE gate. Zero overhead.
Add the SkillAudit GitHub Action with a minimum-grade gate (e.g. fail PR if grade falls below B). Reads the source, scores the tool surface.
Drop the SkillAudit badge into your MCP server's README so reviewers and team buyers can read your grade at a glance before installing.

Indie developers publishing skills to a public marketplace can use both at zero cost: npm audit is free indefinitely; SkillAudit's free tier covers your skill grade up to three audits a month.

Try SkillAudit on your repo — free

Paste any GitHub URL on the home page, get a graded report card in 60 seconds. Your repo joins the public board only if you opt in; private repos audit through a single-repo OAuth scope, never org-wide.

Audit my repo