DepScope

Package Intelligence for AI Agents. Stops AI coding agents (Claude, ChatGPT, Cursor, Windsurf, Copilot, Cline) from installing hallucinated, deprecated, or malicious packages across 19 ecosystems.

→ Live at depscope.dev · 8.4M+ packages · 42K+ vulnerabilities (99% EPSS-enriched) · zero auth · free

---

Quick start (MCP)

Claude Desktop / Cursor / Windsurf — remote

{
  "mcpServers": {
    "depscope": {
      "url": "https://mcp.depscope.dev/mcp"
    }
  }
}

Claude Code / local — stdio

{
  "mcpServers": {
    "depscope": {
      "command": "npx",
      "args": ["-y", "depscope-mcp"]
    }
  }
}

The MCP server source is at cuttalo/depscope-mcp (AGPL-3.0).

---

What it does

22 MCP tools across 19 package ecosystems:

npm · pypi · cargo · go · composer · maven · nuget · rubygems · pub · hex · swift · cocoapods · cpan · hackage · cran · conda · homebrew · jsr · julia

Tool	Purpose
check_package	Full safety check: deprecation · vulnerabilities · health · recommendation
check_malicious	Malicious-package detector
check_typosquat	Typosquat detection vs popular names
package_exists	Hallucination detector (404 = LLM invented it)
get_health_score	0–100 health score with breakdown
get_vulnerabilities	Vulnerabilities + severity scoring
find_alternatives	Suggested alternatives for deprecated/abandoned packages
get_breaking_changes	Major-version migration notes
get_known_bugs	Known issues for a package
compare_packages	Side-by-side comparison
check_compatibility	Stack-level compatibility check
resolve_error	Error message → likely cause + fix
install_command	Verified install command for the target ecosystem
get_latest_version	Latest stable version + maturity signal
pin_safe	Suggested safe version pin
get_trust_signals	Multi-signal trust score
get_migration_path	Step-by-step upgrade plan
scan_project	Bulk scan of dependency manifests
check_bulk	Fast pre-flight filter for batches
get_trending	Trending packages by ecosystem
get_package_prompt	Compact LLM-friendly summary
contact_depscope	Report a missing package or false positive

---

REST API

Same data, plain HTTPS — no MCP client needed.

curl https://depscope.dev/api/check/npm/lodash
curl https://depscope.dev/api/check/pypi/requests
curl https://depscope.dev/api/check/cargo/serde

Full reference: depscope.dev/integrate

---

Why

LLMs frequently invent package names that look real but don't exist (fastapi-turbo, lodahs, tokio-stream-extras). When an agent tries to install one, it can hit an attacker's typosquat. DepScope verifies every package before install.

Read more: depscope.dev/why

---

Pricing

Free. No auth required. Generous rate limits.

If you need higher quotas, SLA, or on-prem deployment, contact us at [email protected].

---

Open source vs proprietary

This repository is a landing page with documentation only.

• MCP server (client SDK) — open source, AGPL-3.0: → cuttalo/depscope-mcp → npm: depscope-mcp

• Backend (API + intelligence layer) — proprietary, hosted at depscope.dev.

This split lets us keep the client free, auditable, and community-extensible while sustaining the infrastructure that powers it.

---

Links

• Homepage · depscope.dev
• API docs · depscope.dev/integrate
• MCP server source · cuttalo/depscope-mcp
• npm · depscope-mcp
• Glama listing · glama.ai/mcp/servers/cuttalo/depscope
• Awesome MCP · punkpeye/awesome-mcp-servers

---

License

This README and accompanying landing files: CC-BY-4.0. MCP client SDK: AGPL-3.0 (see cuttalo/depscope-mcp). Backend service: proprietary.

---

Built by Cuttalo srl · Italy 🇮🇹