Shellockolm-AI-CLI -Scanner
Welcome to Shellockolm-ai-CLI-MCP-Scanner - 🎯 Your React app is probably vulnerable. Find out in 30 seconds 🚀
claude mcp add --transport stdio hlsitechio-shellockolm-ai-cli-mcp-scanner python src/cli.py scan . \ --env PYTHONWARNINGS="ignore" \ --env SHELLockolm_LOG_LEVEL="INFO"
How to use
Shellockolm is a 100% local security scanner that runs as an MCP server to audit React, Next.js and npm-based projects for CVEs, malware, and supply chain issues. The server exposes a CLI workflow via Python (src/cli.py) to perform comprehensive scans, including vulnerability detection, malware/secret scanning and auto-remediation workflows. Use it inside your AI-assisted tooling or CI pipelines to generate security reports and export JSON outputs for integration. Typical usage involves invoking the full security audit, or targeted scans for npm packages, React/Next.js components, and secrets patterns. The MCP setup enables you to call the scanner as part of automated agent workflows, returning structured results suitable for policy checks and remediation suggestions.
How to install
Prerequisites:
- Python 3.10+ installed on your system
- Git to clone the repository
- Optional: virtual environment tool (venv) for isolation
Installation steps:
- Clone the repository: git clone https://github.com/hlsitechio/Shellockolm-AI-CLI-MCP-Scanner.git cd Shellockolm-AI-CLI-MCP-Scanner
- (Optional) Create and activate a virtual environment: python -m venv venv source venv/bin/activate # on macOS/Linux venv\Scripts\activate # on Windows
- Install Python dependencies (if a requirements file exists): pip install -r requirements.txt # if provided by the project
- Run a test scan locally to confirm the setup: python src/cli.py scan .
- Start using the MCP integration by configuring the mcp_config (see above) and invoking the scanner via the MCP runner in your environment.
Additional notes
Tips and common issues:
- Ensure Python 3.10+ is used to avoid compatibility issues with dependencies.
- If you see network-related errors during installation, ensure network egress is allowed or use a local mirror.
- The scanner runs fully offline for vulnerability checks that have been pre-curated in the tool. For new CVEs, ensure the data pack is updated or re-run in an environment with internet access when updating databases.
- If you customize the working directory, pass the path to the project you want to scan as an argument to the CLI (e.g., python src/cli.py scan /path/to/project).
- The MCP config exposes environment variables for log verbosity or integration hooks; adjust as needed for your CI/CD or agent environment.
Related MCP Servers
mcp-for-security
MCP for Security: A collection of Model Context Protocol servers for popular security tools like SQLMap, FFUF, NMAP, Masscan and more. Integrate security testing and penetration testing into AI workflows.
pentesting-cyber
🔐 50+ MCP Security Servers for AI-Powered Pentesting | Integrate Nmap, Burp Suite, Nuclei, Shodan, BloodHound, Semgrep, Trivy | Model Context Protocol for Cybersecurity
shodan
Shodan MCP server for Claude, Cursor & VS Code. 20 tools for passive reconnaissance, CVE/CPE intelligence, DNS analysis, and device search. 4 tools work free without an API key. OSINT and vulnerability research from your IDE.
devtap
Bridge build/dev process output to AI coding sessions via MCP — supports Claude Code, Codex, OpenCode, Gemini CLI, and aider
mcptrust
Runtime security proxy for MCP: lockfile enforcement, drift detection, artifact pinning, Sigstore/Ed25519 signing, CEL policy, OpenTelemetry tracing. Works with Claude Desktop, LangChain, AutoGen, CrewAI.
mcpscc
Security Command Center for Model Context Protocol (MCP) servers. Detect prompt injection, tool poisoning, secrets, and vulnerabilities. The Trivy of MCP security.
