hibp

hibp-mcp-server exposes four main tools to interact with Have I Been Pwned data via MCP. The check_email tool lets you query whether a given email address has appeared in any known breaches, returning breach counts and brief details when present. The check_password tool uses the k-anonymity approach to safely verify if a password has appeared in breaches without sending the full password, returning a breach hit count and guidance on remediation. The get_breach_details tool fetches comprehensive information about a specific breach (e.g., Adobe, LinkedIn), including date, domain, affected accounts, and data leaked. Lastly, list_all_breaches returns all recorded breaches in the system and can be filtered by domain to narrow results. To use these tools, ensure your MCP settings include the Hibp server configuration with your Have I Been Pwned API key set as HIBP_API_KEY. Once running, you can query the Hibp MCP server through your MCP-enabled assistant (e.g., Claude) by invoking the desired tool with the appropriate input (email, password, breach name, or domain).

Prerequisites:

• Node.js v14 or higher
• npm v6 or higher
• Have I Been Pwned API key (obtainable from haveibeenpwned.com/API/Key)

Installation steps:

1. Clone the repository git clone https://github.com/Cyreslab-AI/hibp-mcp-server.git cd hibp-mcp-server

2. Install dependencies npm install

3. Build the server npm run build

4. Prepare MCP settings (example integration):

• In Claude/Smithery setup, configure the Hibp MCP server with: command: node args: ["/path/to/hibp-mcp-server/build/index.js"] env: { "HIBP_API_KEY": "YOUR_API_KEY_HERE" }

5. Run the server locally (as a test, if you prefer): node build/index.js

6. Ensure your MCP settings reference the built index.js and provide the API key via environment variables.

Notes:

• The API key must be provided via the HIBP_API_KEY environment variable in your MCP configuration.
• Password checks use k-anonymity; only the first 5 characters of the SHA-1 hash are sent to the API, protecting full password data.
• The get_breach_details and list_all_breaches tools query Have I Been Pwned data and may require an active API key depending on the endpoint usage.
• If you encounter issues, verify that the build output path in your MCP settings matches the actual build/index.js location and that the API key is correctly set in the environment.
• Keep dependencies updated and monitor API key usage quotas from Have I Been Pwned.