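What is Fetter MCP?
Provides AI coding agents with real-time Python package information and vulnerability data, for dependency checks and security risk identification.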
README
Fetter MCP
Fetter provides a remote Model Context Protocol (MCP) server at https://mcp.fetter.io/mcp that gives AI coding agents real-time access to Python package vulnerability data. Built on fetter, it queries PyPI and OSV to surface known CVEs, CVSS scores, and safe versions so your agent can make informed dependency decisions as it writes code.
Tools:
- most_recent_not_vulnerable: find the latest release of a package that is free of known vulnerabilities
- is_vulnerable: check whether a specific pinned version has known CVEs
- lookup: find available versions and their vulnerabilities for any package or specifier
Installation
The Fetter MCP server uses the HTTP transport and requires no local installation. Just register the remote URL with your MCP client.
Claude Code
claude mcp add --transport http fetter https://mcp.fetter.io/mcp
Codex
codex mcp add fetter --url https://mcp.fetter.io/mcp
Other MCP Clients
For any other MCP-compatible client, provide the following remote server URL using the HTTP transport:
https://mcp.fetter.io/mcp
Agent Usage
Once installed, the Fetter MCP tools are available to your AI agent during coding sessions. The agent can call them automatically when adding or auditing dependencies; no explicit tool invocation is required in your prompts.
Example prompts
- "Add the latest safe version of requests to requirements.txt"
- "Are there any known vulnerabilities in my current dependencies?"
- "What is the most recent version of pillow with no CVEs?"
- "Before pinning cryptography, check whether 42.0.5 is vulnerable"
The agent selects the appropriate tool based on context:
- Adding a new package: most_recent_not_vulnerable to find a safe version
- Validating a specific pinned version: is_vulnerable for a definitive answer
- Auditing an existing specifier: lookup to see affected versions
most_recent_not_vulnerable
Find the most recent version of a package that has no known vulnerabilities. Provide only a package name and the server will search recent releases for a safe version. Useful when pinning a dependency to the latest clean release.
Parameters
- package_name: package name only (no version specifier), e.g. "requests"
Example Request
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "id": 2,
  "params": {
    "name": "most_recent_not_vulnerable",
    "arguments": {
      "name": "cryptography"
    }
  }
}
Example Response:
{
  "jsonrpc": "2.0",
  "id": 2,
  "result": {
    "content": [],
    "structuredContent": {
      "package": "cryptography",
      "version": "46.0.5",
      "vulnerabilities": [],
      "vulnerable": false
    },
    "isError": false
  }
}
is_vulnerable
Check if a specific package version has known vulnerabilities. Requires an exact version specifier. Returns vulnerability IDs, summaries, CVSS scores, severity ratings, and reference URLs.
Parameters
- dep_spec: exact version specifier, e.g. "requests==2.31.0"
Example Request
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "id": 2,
  "params": {
    "name": "is_vulnerable",
    "arguments": {
      "name": "requests==2.19.1"
    }
  }
}
Example Response:
{
  "jsonrpc": "2.0",
  "id": 2,
  "result": {
    "content": [],
    "structuredContent": {
      "package": "requests",
      "version": "2.19.1",
      "vulnerabilities": [
        {
          "cvss_score": 5.3,
          "id": "GHSA-9hjg-9r4m-mvj7",
          "severity": "(Medium):",
          "summary": "Requests vulnerable to .netrc credentials leak via malicious URLs",
          "url": "https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7"
        },
        {
          "cvss_score": 5.6,
          "id": "GHSA-9wx4-h78v-vm56",
          "severity": "(Medium):",
          "summary": "Requests Session object does not verify requests after making first request with verify=False",
          "url": "https://osv.dev/vulnerability/GHSA-9wx4-h78v-vm56"
        },
        {
          "cvss_score": 6.1,
          "id": "GHSA-j8r2-6x86-q33q",
          "severity": "(Medium):",
          "summary": "Unintended leak of Proxy-Authorization header in requests",
          "url": "https://osv.dev/vulnerability/GHSA-j8r2-6x86-q33q"
        },
        {
          "cvss_score": 7.5,
          "id": "GHSA-x84v-xcm2-53pg",
          "severity": "(High):",
          "summary": "Insufficiently Protected Credentials in Requests",
          "url": "https://osv.dev/vulnerability/GHSA-x84v-xcm2-53pg"
        },
        {
          "cvss_score": null,
          "id": "PYSEC-2018-28",
          "severity": null,
          "summary": "",
          "url": "https://osv.dev/vulnerability/PYSEC-2018-28"
        },
        {
          "cvss_score": null,
          "id": "PYSEC-2023-74",
          "severity": null,
          "summary": "",
          "url": "https://osv.dev/vulnerability/PYSEC-2023-74"
        }
      ],
      "vulnerable": true
    },
    "isError": false
  }
}
lookup
Look up a package by name and optional version specifier to find which versions are available and whether they have known vulnerabilities. Supports specifiers such as "requests", "numpy>=2.0", or "flask==3.0.0".
Parameters
- dep_specs: package name or version specifier
- cvss_threshold: filter to vulnerabilities at or above this CVSS score (0–10)
- max_observed_score: return only the highest CVSS score per version rather than all individual vulnerabilities
- count: limit the number of recent versions checked
- retain_passing: include versions with no known vulnerabilities in the results
Example Request
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "id": 2,
  "params": {
    "name": "lookup",
    "arguments": {
      "name": "requests>=2.32.0",
      "retain_passing": true
    }
  }
}
Example Response:
{
  "jsonrpc": "2.0",
  "id": 2,
  "result": {
    "content": [],
    "structuredContent": {
      "package": "requests",
      "versions": [
        {
          "version": "2.32.0",
          "vulnerabilities": [
            {
              "cvss_score": 5.3,
              "id": "GHSA-9hjg-9r4m-mvj7",
              "severity": "(Medium):",
              "summary": "Requests vulnerable to .netrc credentials leak via malicious URLs",
              "url": "https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7"
            }
          ],
          "vulnerable": true
        },
        {
          "version": "2.32.1",
          "vulnerabilities": [
            {
              "cvss_score": 5.3,
              "id": "GHSA-9hjg-9r4m-mvj7",
              "severity": "(Medium):",
              "summary": "Requests vulnerable to .netrc credentials leak via malicious URLs",
              "url": "https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7"
            }
          ],
          "vulnerable": true
        },
        {
          "version": "2.32.2",
          "vulnerabilities": [
            {
              "cvss_score": 5.3,
              "id": "GHSA-9hjg-9r4m-mvj7",
              "severity": "(Medium):",
              "summary": "Requests vulnerable to .netrc credentials leak via malicious URLs",
              "url": "https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7"
            }
          ],
          "vulnerable": true
        },
        {
          "version": "2.32.3",
          "vulnerabilities": [
            {
              "cvss_score": 5.3,
              "id": "GHSA-9hjg-9r4m-mvj7",
              "severity": "(Medium):",
              "summary": "Requests vulnerable to .netrc credentials leak via malicious URLs",
              "url": "https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7"
            }
          ],
          "vulnerable": true
        },
        {
          "version": "2.32.4",
          "vulnerabilities": [],
          "vulnerable": false
        },
        {
          "version": "2.32.5",
          "vulnerabilities": [],
          "vulnerable": false
        }
      ]
    },
    "isError": false
  }
}
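A client-side policy gate over the structuredContent returned by is_vulnerable and lookup, added here as an example and not part of Fetter's own code. The names findings, gate and allowed and the 7.0 threshold are assumptions, and the sample is a trimmed copy of the is_vulnerable response above. It fails closed on a failed call and flags advisories whose cvss_score is null for review instead of reading them as low severity.

```python
import json

# Constructed sample: a trimmed copy of the is_vulnerable response shown above.
SAMPLE = json.loads("""
{"jsonrpc": "2.0", "id": 2, "result": {"content": [], "isError": false,
 "structuredContent": {"package": "requests", "version": "2.19.1",
  "vulnerable": true, "vulnerabilities": [
   {"cvss_score": 5.3, "id": "GHSA-9hjg-9r4m-mvj7"},
   {"cvss_score": 7.5, "id": "GHSA-x84v-xcm2-53pg"},
   {"cvss_score": null, "id": "PYSEC-2018-28"}]}}}
""")


def findings(entry, threshold):
    """Reasons to block one {version, vulnerabilities, vulnerable} entry."""
    vulns = entry.get("vulnerabilities") or []
    reasons = []
    for vuln in vulns:
        score = vuln.get("cvss_score")
        if score is None:
            # Unscored advisories (the PYSEC entries above) are not "score 0".
            reasons.append(f"{vuln['id']}: unscored, needs review")
        elif score >= threshold:
            reasons.append(f"{vuln['id']}: CVSS {score}")
    if entry.get("vulnerable") is not False and not vulns:
        # Flag missing or true with nothing listed: inconsistent, so block.
        reasons.append("vulnerable flag not false but no advisories listed")
    return reasons


def gate(response, threshold=7.0):
    """Map each version in the response to its list of block reasons.

    Raises ValueError when the call failed, so that an error is never
    mistaken for "no known vulnerabilities".
    """
    result = response.get("result") or {}
    data = result.get("structuredContent")
    if "error" in response or result.get("isError") or not data:
        raise ValueError("tool call failed; not evidence of a clean package")
    # lookup returns a "versions" list; is_vulnerable returns a single entry.
    entries = data.get("versions", [data])
    return {e["version"]: findings(e, threshold) for e in entries}


def allowed(response, threshold=7.0):
    """Versions with no block reasons under the given threshold."""
    return [v for v, why in gate(response, threshold).items() if not why]
```
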