The @nixer/mcp-server package wires Nixer into any MCP-capable AI client.
Scan repos for prompt injection, secrets, and CI/CD misconfigs without leaving your editor.
Copy-paste config for your IDE. No install step required — npx fetches the package on first run.
Add to ~/Library/Application Support/Claude/claude_desktop_config.json
{
"mcpServers": {
"nixer": {
"command": "npx",
"args": ["-y", "@nixer/mcp-server"],
"env": {
"NIXER_API_KEY": "your-api-key-here"
}
}
}
}
Get your API key at nixer.polsia.app/try. Restart Claude Desktop after saving.
Add to .cursor/mcp.json in your project root:
{
"mcpServers": {
"nixer": {
"command": "npx",
"args": ["-y", "@nixer/mcp-server"],
"env": {
"NIXER_API_KEY": "your-api-key-here"
}
}
}
}
Or add to ~/.cursor/mcp.json for all projects. Reload Cursor after saving.
Add to ~/.codeium/windsurf/mcp_config.json:
{
"mcpServers": {
"nixer": {
"command": "npx",
"args": ["-y", "@nixer/mcp-server"],
"env": {
"NIXER_API_KEY": "your-api-key-here"
}
}
}
}
Restart Windsurf after saving. Find your API key at nixer.polsia.app/try.
Run in your terminal:
claude mcp add nixer -- npx -y @nixer/mcp-server
With an API key:
NIXER_API_KEY=your-key claude mcp add nixer -- npx -y @nixer/mcp-server
Or add NIXER_API_KEY to your shell profile and run claude mcp add nixer -- npx -y @nixer/mcp-server.
Three tools. Your AI assistant can call them directly — no prompting required once connected.
| Tool | What it does |
|---|---|
| nixer_scan_repo | Scan a GitHub URL or agent config for vulnerabilities. Polls until complete, returns prioritized findings with remediation steps. Accepts severity_threshold to filter results. |
| nixer_list_rules | List all 17 detection rules with severity and module. Filterable by severity or module name. Use before scanning to understand coverage. |
| nixer_explain_finding | Get full description and remediation steps for a specific rule by ID or slug. E.g. nixer/cicd/pwn-request or just pwn-request. |
After installing, open Claude Desktop (or your IDE) and type:
Scan https://github.com/myorg/my-agent for security vulnerabilities
Nixer will start a scan, poll until complete (~30 seconds for most repos), and return structured findings. Here's a real example finding you might see:
.github/workflows/ci.yml: pull_request_target trigger with checkout of PR head SHA. Any GitHub user can fork, open a PR, and execute attacker-controlled code with access to your repository secrets (OpenAI keys, AWS credentials, deployment tokens).pull_request_target with pull_request for build/test workflows, or remove the head SHA checkout. Never combine both — that's the pwn-request pattern.Your AI assistant can then immediately help you fix the issue, understand the blast radius, and apply the remediation — all in-context.
Zero dependencies. Uses only Node.js built-ins. Ships with a prebuilt dist/index.js — no build step required.