Overview
What is Hound MCP?
Hound MCP is a dependency security scanner built specifically for AI coding agents. It checks for vulnerabilities, licenses, typosquatting, and audits dependency trees across seven ecosystems (npm, PyPI, Go, Cargo, Maven, NuGet, RubyGems) using free, unauthenticated public APIs (deps.dev and OSV). It requires zero configuration, zero API keys, and zero cost.
How to use Hound MCP?
Install and configure Hound MCP as a stdio MCP server. For Claude Code, run claude mcp add hound -- npx -y hound-mcp. For Claude Desktop, Cursor, Windsurf, or VS Code (Copilot), add a JSON entry to the respective MCP config file pointing to npx -y hound-mcp. After setup, invoke its 12 tools (e.g., hound_audit, hound_preinstall) or its 3 built-in prompts (security_audit, package_evaluation, pre_release_check) directly from your AI client.
Key features of Hound MCP
- Scans lockfiles for vulnerabilities across all dependencies
- Provides 0–100 Hound Score with letter grade
- Side-by-side comparison of two packages with recommendation
- Pre-installation verdict: GO, CAUTION, or NO-GO
- Finds minimum safe version upgrade that resolves known vulns
- Detects typosquatting variants of a package name
- Supports npm, PyPI, Go, Maven, Cargo, NuGet, RubyGems
Use cases of Hound MCP
- Scanning a lockfile diff before merging a PR to catch new vulnerabilities
- Auditing an inherited codebase with
hound_auditfor a full report - Checking a package before adding it using
hound_preinstallfor a verdict - Running
hound_license_checkto ensure no GPL/AGPL packages in a commercial project - Using a security audit as part of every release check in CI
FAQ from Hound MCP
How does Hound MCP work without API keys or accounts?
It uses two fully free, unauthenticated public APIs: deps.dev (Google Open Source Insights) and OSV (Google Open Source Vulnerabilities).
What ecosystems does Hound MCP support?
npm, PyPI, Go, Cargo, Maven, NuGet, and RubyGems.
How do I install and configure Hound MCP?
Use npx -y hound-mcp as the command in your MCP config file, or for Claude Code run claude mcp add hound -- npx -y hound-mcp. Config file locations are provided for Claude Desktop, Cursor, and Windsurf.
Does Hound MCP require any dependencies or runtime?
It requires Node.js and runs via npx. No other dependencies, API keys, or accounts are needed.
What tools does Hound MCP offer?
12 tools including hound_audit, hound_score, hound_compare, hound_preinstall, hound_upgrade, hound_license_check, hound_vulns, hound_inspect, hound_tree, hound_typosquat, hound_advisories, and hound_popular.