ls-mcp

MCP server by Liran Tal (prominent Node.js security researcher) providing supply chain security analysis for npm packages — scanning for malicious packages, known vulnerabilities, typosquatting risks, and suspicious package metadata. Integrates package security intelligence into AI development workflows to help agents make safer dependency choices.

Evaluated: Mar 06, 2026. Version: current
Category: Developer Tools. Tags: security, supply-chain, npm, package-scanning, mcp-server, lirantal, open-source-security
⚙ Agent Friendliness: 75 / 100 (Can an agent use this?)
🔒 Security: 85 / 100 (Is it safe for agents?)
⚡ Reliability: 68 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

  • MCP Quality: 68
  • Documentation: 70
  • Error Messages: 68
  • Auth Simplicity: 98
  • Rate Limits: 80

🔒 Security

  • TLS Enforcement: 90
  • Auth Strength: 88
  • Scope Granularity: 75
  • Dep. Hygiene: 78
  • Secret Handling: 92

Security tool from Node.js security expert. No credentials. Public npm registry queries only. HTTPS. Low attack surface.

⚡ Reliability

  • Uptime/SLA: 70
  • Version Stability: 68
  • Breaking Changes: 68
  • Error Recovery: 68

Best When

A developer using an AI coding assistant wants to check npm package safety before installing dependencies — preventing supply chain attacks through proactive package scanning.

Avoid When

You need comprehensive CVE scanning across multiple package ecosystems — use Snyk or Dependabot for broader coverage.

Use Cases

  • Scanning npm packages for supply chain risks before installation from security-aware coding agents
  • Checking package authenticity and detecting typosquatting from DevSecOps agents
  • Integrating package security checks into CI/CD pipelines from automation agents
  • Auditing project dependencies for known malicious packages from audit agents
  • Evaluating npm package trustworthiness before adding to projects from developer assistants

Not For

  • Non-npm ecosystems (pip, cargo, etc.) without additional tooling
  • Runtime vulnerability scanning (use Snyk, OWASP Dependency-Check for CVE scanning)
  • Production monitoring (this is a pre-installation analysis tool)

Interface

  • REST API: No
  • GraphQL: No
  • gRPC: No
  • MCP Server: Yes
  • SDK: No
  • Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

No authentication required. Queries public npm registry and security intelligence sources. No API key needed for basic operation.

Pricing

Model: free
Free tier: Yes
Requires CC: No

Free open source security tool from Liran Tal (Snyk security researcher and Node.js security expert).

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • Package analysis results are point-in-time — a package may become malicious after scanning
  • npm registry rate limits may affect batch scanning of many packages
  • Security intelligence data freshness depends on upstream sources — not always real-time
  • Community tool by prominent security researcher — higher quality than average community MCP
  • Focus is npm ecosystem — does not cover Python, Rust, Go, or other package managers

Scores are editorial opinions as of 2026-03-06.
