Nixer MCP Server
Model Context Protocol

AI Security in Your IDE

The @nixer/mcp-server package wires Nixer into any MCP-capable AI client. Scan repos for prompt injection, secrets, and CI/CD misconfigs without leaving your editor.

Cursor Claude Code Windsurf Claude Desktop

Install in 30 seconds

Copy-paste config for your IDE. No install step required — npx fetches the package on first run.

Add to ~/Library/Application Support/Claude/claude_desktop_config.json

claude_desktop_config.json
{
  "mcpServers": {
    "nixer": {
      "command": "npx",
      "args": ["-y", "@nixer/mcp-server"],
      "env": {
        "NIXER_API_KEY": "your-api-key-here"
      }
    }
  }
}

Get your API key at nixer.polsia.app/try. Restart Claude Desktop after saving.

Add to .cursor/mcp.json in your project root:

.cursor/mcp.json
{
  "mcpServers": {
    "nixer": {
      "command": "npx",
      "args": ["-y", "@nixer/mcp-server"],
      "env": {
        "NIXER_API_KEY": "your-api-key-here"
      }
    }
  }
}

Or add to ~/.cursor/mcp.json for all projects. Reload Cursor after saving.

Add to ~/.codeium/windsurf/mcp_config.json:

mcp_config.json
{
  "mcpServers": {
    "nixer": {
      "command": "npx",
      "args": ["-y", "@nixer/mcp-server"],
      "env": {
        "NIXER_API_KEY": "your-api-key-here"
      }
    }
  }
}

Restart Windsurf after saving. Find your API key at nixer.polsia.app/try.

Run in your terminal:

Terminal
claude mcp add nixer -- npx -y @nixer/mcp-server

With an API key:

Terminal
NIXER_API_KEY=your-key claude mcp add nixer -- npx -y @nixer/mcp-server

Or add NIXER_API_KEY to your shell profile and run claude mcp add nixer -- npx -y @nixer/mcp-server.

Available tools

Three tools. Your AI assistant can call them directly — no prompting required once connected.

Tool What it does
nixer_scan_repo Scan a GitHub URL or agent config for vulnerabilities. Polls until complete, returns prioritized findings with remediation steps. Accepts severity_threshold to filter results.
nixer_list_rules List all 17 detection rules with severity and module. Filterable by severity or module name. Use before scanning to understand coverage.
nixer_explain_finding Get full description and remediation steps for a specific rule by ID or slug. E.g. nixer/cicd/pwn-request or just pwn-request.

First scan in 60 seconds

After installing, open Claude Desktop (or your IDE) and type:

Ask your AI assistant
Scan https://github.com/myorg/my-agent for security vulnerabilities

Nixer will start a scan, poll until complete (~30 seconds for most repos), and return structured findings. Here's a real example finding you might see:

Critical
pwn-request: pull_request_target + Attacker-Controlled Checkout
Workflow uses .github/workflows/ci.yml: pull_request_target trigger with checkout of PR head SHA. Any GitHub user can fork, open a PR, and execute attacker-controlled code with access to your repository secrets (OpenAI keys, AWS credentials, deployment tokens).
Fix: Replace pull_request_target with pull_request for build/test workflows, or remove the head SHA checkout. Never combine both — that's the pwn-request pattern.

Your AI assistant can then immediately help you fix the issue, understand the blast radius, and apply the remediation — all in-context.

More ways to use Nixer

Try in browser →
Free public scan playground. No signup, instant results.
Detection rules →
17 rules across 7 modules. Vulnerable code, real breaches, remediation.
GitHub Action →
Block PRs with security findings. SARIF output for GitHub Security tab.

Package

Zero dependencies. Uses only Node.js built-ins. Ships with a prebuilt dist/index.js — no build step required.