OSV (Open Source Vulnerabilities)

live Developer

OSV.dev (Open Source Vulnerabilities) MCP.

3 tools

0ms auth

free tier 50 calls/day

Tools

query_package_vulns

Find all known vulnerabilities for an open-source package, optionally at a specific version, via the OSV.dev database. Omit version to get every vuln known for the package. Returns a compact summary a

No parameters required.

▶ Try it

Response

get_vulnerability

Get full detail for a single vulnerability by its OSV ID — e.g. "GHSA-jf85-cpcp-j695", "CVE-2021-23337", "PYSEC-2021-XXX". Returns summary, details, aliases, severity, affected packages/ranges, and re

No parameters required.

▶ Try it

Response

query_by_commit

Find vulnerabilities affecting a specific source-repository git commit via OSV.dev. Useful when you have a pinned commit hash rather than a released version. Returns the same compact vuln summary arra

No parameters required.

▶ Try it

Response

Test with curl

The gateway speaks JSON-RPC 2.0 over HTTP POST. You can test any pack directly from the terminal.

List available tools

bash

curl -X POST https://gateway.pipeworx.io/osv/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Call a tool

bash

curl -X POST https://gateway.pipeworx.io/osv/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"query_package_vulns","arguments":{}}}'

Use with the SDK

Install @pipeworx/sdk to call tools from any TypeScript/Node project.

TypeScript

import { Pipeworx } from '@pipeworx/sdk';
const px = new Pipeworx();
const result = await px.call("query_package_vulns", {});

ask_pipeworx

// Or ask in plain English:
const answer = await px.ask("osv");

MCP Config

claude_desktop_config.json

{
  "mcpServers": {
    "pipeworx-osv": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://gateway.pipeworx.io/osv/mcp"
      ]
    }
  }
}