{
  "id": "trailofbits-slither-mcp",
  "name": "slither-mcp",
  "homepage": null,
  "repo_url": "https://github.com/trailofbits/slither-mcp",
  "category": "security",
  "subcategories": [],
  "tags": ["mcp", "slither", "solidity", "static-analysis", "ethereum", "security", "python"],
  "what_it_does": "Provides an MCP (Model Context Protocol) server that wraps Slither static analysis to analyze Solidity projects and expose contract/function metadata and Slither detector results via MCP tools. Includes caching of Slither project facts and an optional typed Python client for tool invocation.",
  "use_cases": [
    "Automated Solidity security analysis in an agent/tooling workflow via MCP",
    "Querying contract/function metadata (inheritance, call graph relationships, sources)",
    "Running Slither detectors and retrieving filtered vulnerability findings",
    "Integrating Slither analysis into IDEs/agents (e.g., Claude Code, Cursor) through MCP"
  ],
  "not_for": [
    "Runtime/behavioral vulnerability detection (it is static analysis only)",
    "Use cases requiring a public REST/HTTP service (it is an MCP/stdio-style server per README)",
    "Production security workflows that require formal guarantees of detector completeness or correctness"
  ],
  "best_when": "You want to programmatically interrogate Solidity projects with Slither from an LLM/agent environment using MCP tools, and you can provide a local project path for analysis.",
  "avoid_when": "You need strict authentication/authorization, multi-tenant hosting, or network-facing API access without local project access.",
  "alternatives": [
    "Using Slither directly as a CLI and parsing JSON/text outputs",
    "Custom wrappers around Slither APIs (Python) without MCP",
    "Other contract analysis APIs/tools (e.g., Mythril, Semgrep rules) integrated via your own agent bridge"
  ],
  "af_score": 62.5,
  "security_score": 24.8,
  "reliability_score": 30.0,
  "package_type": "mcp_server",
  "discovery_source": ["github"],
  "priority": "high",
  "status": "evaluated",
  "version_evaluated": null,
  "last_evaluated": "2026-03-30T13:50:08.482911+00:00",
  "interface": {
    "has_rest_api": false,
    "has_graphql": false,
    "has_grpc": false,
    "has_mcp_server": true,
    "mcp_server_url": null,
    "has_sdk": true,
    "sdk_languages": ["python"],
    "openapi_spec_url": null,
    "webhooks": false
  },
  "auth": {
    "methods": [],
    "oauth": false,
    "scopes": false,
    "notes": "The README does not describe any authentication mechanism. Tools accept a local `path` parameter and appear intended for local/agent-launched usage rather than remote multi-tenant access."
  },
  "pricing": {
    "model": null,
    "free_tier_exists": false,
    "free_tier_limits": null,
    "paid_tiers": [],
    "requires_credit_card": false,
    "estimated_workload_costs": null,
    "notes": "No pricing information is provided; repository appears open-source."
  },
  "requirements": {
    "requires_signup": false,
    "requires_credit_card": false,
    "domain_verification": false,
    "data_residency": [],
    "compliance": [],
    "min_contract": null
  },
  "agent_readiness": {
    "af_score": 62.5,
    "security_score": 24.8,
    "reliability_score": 30.0,
    "mcp_server_quality": 78.0,
    "documentation_accuracy": 70.0,
    "error_message_quality": 0.0,
    "error_message_notes": "README indicates responses include `success` and either data fields or `error_message`, but does not document error codes or a concrete schema for errors.",
    "auth_complexity": 95.0,
    "rate_limit_clarity": 5.0,
    "tls_enforcement": 0.0,
    "auth_strength": 10.0,
    "scope_granularity": 0.0,
    "dependency_hygiene": 55.0,
    "secret_handling": 70.0,
    "security_notes": "No authentication is documented (likely intended for local use). Tool behavior operates on local filesystem paths, which reduces network attack surface but introduces local data handling considerations. README mentions opt-out metrics and that it does not collect tool parameters or project-specific identifiers/content, but enabling metrics may still expose usage metadata. Dependency hygiene is not verifiable from provided content; Sentry is included (may log errors/telemetry depending on configuration).",
    "uptime_documented": 0.0,
    "version_stability": 45.0,
    "breaking_changes_history": 40.0,
    "error_recovery": 35.0,
    "idempotency_support": "false",
    "idempotency_notes": "The tools are primarily read-only queries over a local project; however, caching writes to `artifacts/project_facts.json` may make behavior slightly stateful across calls.",
    "pagination_style": "none",
    "retry_guidance_documented": false,
    "known_agent_gotchas": [
      "All tools require a `path` parameter pointing to a Solidity project directory; an incorrect path causes the analysis to fail.",
      "First analysis may be expensive due to Slither runs; subsequent calls may be faster due to caching.",
      "Detector results are described as cached; ensure filters match the cached dataset and expected detector names/levels.",
      "Tool usage depends on MCP transport (e.g., stdio) as shown in README; some agent environments may require specific MCP client configuration."
    ]
  }
}
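The two agent-facing facts in this record, that every tool takes an unauthenticated local `path` and that results come back in a `success`/`error_message` envelope with no documented error schema, are the places an agent integration most often goes wrong. The following is an added example, not code from slither-mcp or Trail of Bits: an agent-side wrapper that confines any requested `path` to an allowed workspace root (resolving symlinks first, so a link inside the root that points outside it is refused), treats a missing `success` flag as failure rather than silence, and filters findings by Slither impact level. The workspace layout, the `detectors` field name and the sample responses are constructed for the demo and are assumptions, not the server's real schema.

```python
"""Agent-side guard for an MCP tool that takes a local `path` argument.

Added example; not code from slither-mcp. It assumes only what the record
states: every tool takes a local `path`, and responses carry a `success`
flag plus either data fields or an `error_message`. The `detectors` field
and the sample responses below are constructed for illustration.
"""
import tempfile
from pathlib import Path
from typing import Any


class PathNotAllowed(ValueError):
    """Requested path escapes the directory the agent may analyze."""


class ToolError(RuntimeError):
    """The tool reported success=false (or returned no success flag)."""


def confine_project_path(requested: str, allowed_root: Path) -> Path:
    """Resolve `requested` and refuse anything outside `allowed_root`.

    The server has no authentication and analyzes whatever local path it is
    handed, so this wrapper is where a prompt-injected request pointing the
    analyzer (and its source queries) at an unrelated directory gets stopped.
    Symlinks are resolved before the check so a link inside the root that
    targets a directory outside it is rejected as well.
    """
    root = allowed_root.resolve(strict=True)
    target = Path(requested)
    if not target.is_absolute():
        target = root / target
    target = target.resolve(strict=True)
    if target != root and root not in target.parents:
        raise PathNotAllowed(f"{requested!r} resolves outside {root}")
    if not target.is_dir():
        raise PathNotAllowed(f"{requested!r} is not a project directory")
    return target


def unwrap(response: dict[str, Any]) -> dict[str, Any]:
    """Turn the success/error_message envelope into data or an exception.

    A missing or non-boolean `success` counts as failure: the error schema is
    undocumented, so an absent flag must not be read as a good result.
    """
    if response.get("success") is not True:
        raise ToolError(str(response.get("error_message", "tool returned no success flag")))
    return {k: v for k, v in response.items() if k != "success"}


# Slither's impact levels; Optimization and Informational rank lowest.
IMPACT_RANK = {"Optimization": 0, "Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def findings_at_least(findings: list[dict[str, Any]], min_impact: str) -> list[dict[str, Any]]:
    """Keep findings at or above `min_impact`; unknown impact strings are dropped."""
    floor = IMPACT_RANK[min_impact]
    return [f for f in findings if IMPACT_RANK.get(f.get("impact"), -1) >= floor]


# Constructed sample responses in the envelope shape the record describes.
SAMPLE_OK = {
    "success": True,
    "detectors": [
        {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium"},
        {"check": "naming-convention", "impact": "Informational", "confidence": "High"},
    ],
}
SAMPLE_ERR = {"success": False, "error_message": "Slither failed to compile project"}
SAMPLE_MALFORMED = {"detectors": []}  # no success flag at all


def demo() -> dict[str, Any]:
    """Exercise the guard against a constructed workspace layout."""
    out: dict[str, Any] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "workspace"
        (root / "proj").mkdir(parents=True)
        outside = Path(tmp) / "elsewhere"
        outside.mkdir()
        (root / "escape").symlink_to(outside, target_is_directory=True)

        out["relative_ok"] = confine_project_path("proj", root) == (root / "proj").resolve()
        attempts = {"traversal": "../elsewhere", "symlink": "escape", "absolute": str(outside)}
        for label, p in attempts.items():
            try:
                confine_project_path(p, root)
                out[label] = "accepted"
            except PathNotAllowed:
                out[label] = "rejected"

    out["ok_checks"] = [f["check"] for f in unwrap(SAMPLE_OK)["detectors"]]
    for label, resp in {"error": SAMPLE_ERR, "malformed": SAMPLE_MALFORMED}.items():
        try:
            unwrap(resp)
            out[label] = "unwrapped"
        except ToolError as exc:
            out[label] = str(exc)
    out["high_only"] = [f["check"] for f in findings_at_least(SAMPLE_OK["detectors"], "High")]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The path check runs on the agent side precisely because the record lists no auth, scopes or TLS on the server: nothing downstream will refuse a bad path for you. Because the server caches facts under `artifacts/project_facts.json`, pin the allowed root to the one project per session so cached results and the filters you apply to them always refer to the same tree.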