OSV-Scanner alternative
An OSV-Scanner alternative for Claude skills and MCP servers
OSV-Scanner is Google's free CLI for matching your lockfile against the OSV.dev advisory feed. It's the right tool for "are any of my dependencies vulnerable to a known CVE." It is not the right tool for "is this MCP server's tool-handler code safe to install" — that surface didn't exist when CVE-driven scanners were designed.
TL;DR
OSV-Scanner is fast, free, open-source, and excellent at the job it was designed for: running osv-scanner -r . in CI and getting a list of dependencies that match a published OSV advisory. That job and ours barely overlap. SkillAudit grades the tool-handler source code of an MCP server — SSRF in fetch(url), credential echo from environment variables, prompt-injection susceptibility, permission scope — none of which is a CVE. We scanned 101 of the most-installed MCP servers: 50% had SSRF, 38% had credential-handling findings, 19% earned an A. A clean OSV-Scanner result tells you nothing about any of that.
Why teams look for an OSV-Scanner alternative when adopting MCP
OSV-Scanner is built around a beautifully simple model: there is a public, curated database of advisories at osv.dev; your lockfile pins specific package versions; the scanner does the join and tells you which advisories match. It's polyglot (npm, PyPI, Go, Maven, RubyGems, Cargo, and more), runs offline-first, and is free for anyone — including indie authors who can't justify a Snyk subscription. It deserves the install.
What it isn't, and doesn't claim to be, is a SAST that reads your source code for novel bugs. There is no OSV-Scanner check that fires on a tool handler shaped like:
```javascript
server.tool('fetch_url', async ({url}) => {
  const res = await fetch(url); // SSRF: url is attacker-controlled
  return await res.text();
});
```
…because nothing in that snippet matches a CVE. The library is the MCP SDK; the SDK is current; the bug is the developer's. CVE-driven scanners systematically miss this. So do most SAST scanners, because the "vulnerable sink" pattern (untrusted URL flowing into fetch) is widespread in conventional code and would generate too many false positives if fired naively. SkillAudit's checks are tuned to MCP idioms specifically — template-string fetches, dynamic baseURL patterns, env-var leakage in handler return paths — so the precision is workable.
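As an added illustration of what a pattern-based check tuned to these idioms looks like (example code written for this page, not SkillAudit's own detectors), the following scans constructed MCP tool-handler source for identifier-driven or template-string fetch URLs and for process.env values flowing into a handler's return path:

```javascript
// Constructed sample of three MCP tool handlers; two carry findings, one is clean.
const SAMPLE_HANDLERS = [
  "server.tool('fetch_url', async ({url}) => {",
  "  const res = await fetch(url);",
  "  return await res.text();",
  "});",
  "server.tool('get_app', async ({app}) => {",
  "  const res = await fetch(`https://api.example.invalid/apps/${app}`);",
  "  return { status: res.status, token: process.env.API_TOKEN };",
  "});",
  "server.tool('ping', async () => {",
  "  const res = await fetch('https://api.example.invalid/health');",
  "  return await res.text();",
  "});",
].join('\n');

// Split source into per-handler chunks keyed by the registered tool name.
function splitHandlers(src) {
  const starts = [...src.matchAll(/server\.tool\(\s*['"]([^'"]+)['"]/g)];
  return starts.map((m, i) => ({
    name: m[1],
    body: src.slice(m.index, i + 1 < starts.length ? starts[i + 1].index : undefined),
  }));
}

// Flag fetch() calls whose URL is not a fixed string literal: a bare identifier
// (untrusted input flows straight into the sink) or a template string with ${...}.
function findDynamicFetches(body) {
  const out = [];
  for (const m of body.matchAll(/\bfetch\(\s*([^)]*)\)/g)) {
    const arg = m[1].trim();
    if (/^['"]/.test(arg)) continue; // fixed URL: not flagged
    if (arg.startsWith('`') && arg.includes('${')) out.push({ kind: 'template-string-fetch', arg });
    else if (!arg.startsWith('`')) out.push({ kind: 'dynamic-url-fetch', arg });
  }
  return out;
}

// Flag process.env.X inside a return statement: the env var reaches the tool response.
function findCredentialEcho(body) {
  const out = [];
  for (const m of body.matchAll(/\breturn\b([^;]*);/g)) {
    for (const e of m[1].matchAll(/process\.env\.(\w+)/g)) out.push({ kind: 'credential-echo', envVar: e[1] });
  }
  return out;
}

function auditSource(src) {
  return splitHandlers(src).map(h => ({
    name: h.name,
    findings: [...findDynamicFetches(h.body), ...findCredentialEcho(h.body)],
  }));
}
```

Running `auditSource(SAMPLE_HANDLERS)` reports a dynamic-URL fetch on `fetch_url`, a template-string fetch plus an API_TOKEN echo on `get_app`, and nothing on `ping`.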
Three reasons MCP authors and team buyers look for an OSV-Scanner alternative:
- The dangerous surface in MCP is in tool handlers, not in dependencies. An OSV scan of an MCP repo will tell you the right things about your express or axios versions and stay quiet about the fetch(template_url) in your tool code. The Heroku official MCP server has 10 template-string fetch call sites in tool handlers — and reads as a clean repo to a CVE-driven scanner because the bug isn't a CVE; it's a write-it-yourself SSRF.
- Buyers want a single buyer-readable grade for the install decision. OSV-Scanner outputs a finding list keyed by advisory ID. That's correct for its job and unhelpful for the install decision a team lead is making about an MCP server. SkillAudit's report cards condense to one A–F grade with per-axis pass/warn/fail.
- Prompt injection is a first-class threat for LLM tool use. OSV-Scanner doesn't model it — that's not what CVE-driven scanners do. SkillAudit runs an LLM-assisted prompt-injection probe against extracted tool handlers as a separate axis.
How SkillAudit is different
SkillAudit is a six-axis static + LLM-assisted scanner built specifically for Claude skills and MCP servers. The six axes — security, permissions hygiene, credential exposure, maintenance, client compatibility, documentation — were chosen by reading the actual source of vendor-official MCP releases that shipped vulnerabilities, not by deriving them from a CVE taxonomy. The output is a single A–F grade plus a public report card at a stable URL the author can embed as a badge on their README.
Where OSV-Scanner is a CVE lookup over your lockfile, SkillAudit is a source-code static analyzer plus an LLM red-team plus a maintenance/permissions/docs review — over any public GitHub repo, npm package, or uploaded ZIP. Different layer of the stack; complementary checks.
Side by side
| | OSV-Scanner | SkillAudit |
|---|---|---|
| Threat model focus | Known CVEs in declared dependencies (lockfile join with OSV.dev feed) | MCP tool-handler SSRF, prompt injection, credential echo, permission scope |
| What it reads | Lockfiles (package-lock.json, go.sum, poetry.lock, etc.) | Tool-handler source code, env-var usage, fetch/exec call sites, README + manifest |
| Catches a CVE in a transitive dependency? | Yes — primary use case | Only if the CVE happens to match a SkillAudit static pattern; not a primary axis |
| Catches SSRF in fetch(url) tool handlers? | No — not in scope (no CVE for first-party code) | Yes — pattern-based static check tuned to MCP idioms |
| LLM-assisted prompt-injection probe | No | Yes — extracts tool handlers, red-teams them via Claude Haiku 4.5 |
| Credential-echo detection (env var → tool response) | No (different layer) | First-class axis; flags process.env.X in handler return paths |
| Single A–F buyer grade | No — finding list keyed by advisory ID | One letter grade + per-axis pass/warn/fail |
| Public per-repo report card URL | No (CLI tool; results stay in your CI) | Yes (e.g. /audits/owner-repo/) |
| Public embed badge for authors | No | Yes — skill-grade badge written for marketplace listings |
| Cost | Free, open source (Apache-2.0) | Free for 3 audits/month on public repos; $19/mo Pro; $99/mo Team |
| Where it runs | CLI, GitHub Action, anywhere a Go binary runs | SaaS web UI + GitHub Action + API |
| Polyglot reach | Wide: npm, PyPI, Go, Maven, RubyGems, Cargo, and more | Any GitHub repo + npm + ZIP; checks tuned to MCP/skill conventions |
| CI integration | Mature: official GitHub Action, container image, single binary | GitHub Action with min-grade gate (Pro) |
What the data says
We ran SkillAudit against 101 of the most-installed Claude skills and MCP servers — the full live board is public and growing. The corpus includes vendor-official releases (Stripe, PayPal, MongoDB, Redis, Cloudflare, AWS, Azure, GCP, Heroku, Notion, Snowflake, Pinecone, Couchbase, Auth0, Resend, Brave, Vectara, Meilisearch, plus the nine official Anthropic MCP language SDKs), popular indie frameworks (FastMCP, mcp-use, mcp-agent), and community releases.
Results: 50% (50/101) shipped SSRF findings, 38% (38/101) had credential-handling findings, 10% (10/101) had command-exec findings, and only 19% (19/101) earned an A grade. Full grade distribution: 19 A · 30 C · 10 D · 42 F. Methodology and per-repo grades are in our research post: The state of MCP server security, 2026.
The relevant point for the OSV-Scanner comparison: an MCP repo with a clean OSV scan can still be an F-grade install. The gap is shaped like the difference between "are my dependencies known-vulnerable" (CVE lookup) and "is the code I wrote safe under LLM-driven inputs" (source-code analysis + prompt-injection probing). Different questions, both worth answering.
When OSV-Scanner is still the right choice
OSV-Scanner is the right scanner for plenty of work — including for MCP authors. Specifically:
- You need a free, open-source, single-binary CVE scan in CI. OSV-Scanner is unbeaten on that profile. SkillAudit doesn't compete with it; we don't want to reinvent advisory-feed matching.
- You're polyglot beyond JavaScript/TypeScript. OSV-Scanner's coverage of Go, Python, Maven, Ruby, Rust, etc. is broad and current. SkillAudit's MCP-tuned checks are sharpest on Node/Python MCPs since that's where most of the corpus lives.
- You want offline-first or air-gapped scanning. OSV-Scanner can pre-download the database and run without network egress. SkillAudit is a SaaS-first product today.
- Your priority is dependency-CVE remediation in long-running services. That's exactly what OSV-Scanner is for. SkillAudit is for the question downstream of "are my deps clean."
The most useful framing: OSV-Scanner answers "are any of my dependencies vulnerable"; SkillAudit answers "is the code I wrote on top of those dependencies safe to expose to an LLM as tools." Both questions matter; the answers are independent.
Switching cost
SkillAudit isn't a replacement for OSV-Scanner — it's the second scanner you add when you ship MCP. Both can coexist in CI without conflict; their findings are disjoint. A typical adoption path:
- Keep OSV-Scanner in CI as a fast CVE gate. The Action takes seconds and costs nothing.
- Add the SkillAudit GitHub Action with a minimum-grade gate (e.g. fail PR if grade falls below B).
- Drop the SkillAudit badge into your MCP server's README so reviewers and team buyers can read your grade at a glance before installing.
Indie developers publishing skills to a public marketplace can use both at zero cost: OSV-Scanner is free indefinitely; SkillAudit's free tier covers your skill grade up to three audits a month.
Try SkillAudit on your repo — free
Paste any GitHub URL on the home page, get a graded report card in 60 seconds. Your repo joins the public board only if you opt in; private repos audit through a single-repo OAuth scope, never org-wide.