Docs Apache-2.0 $0

Security for your AI agent,
in 10 seconds.

Zfuzz (@zfuzz/mcp) is the free, open-source security copilot for AI coding agents. Pick your tool, copy one line, done. No account, no API key, 100% local. Requires Node.js ≥ 18.

$ claude mcp add zfuzz -- npx -y @zfuzz/mcp COPY COPIED!

Install

One command, every agent.

Claude Code

Run it once in your terminal.

claude mcp add zfuzz -- npx -y @zfuzz/mcp

Codex

Add the MCP server to Codex.

codex mcp add zfuzz npx -y @zfuzz/mcp

Gemini CLI

Add the MCP server to Gemini CLI.

gemini mcp add zfuzz npx -y @zfuzz/mcp

VS Code (Copilot)

One line in your terminal.

code --add-mcp '{"name":"zfuzz","command":"npx","args":["-y","@zfuzz/mcp"]}'

Cursor

Add to .cursor/mcp.json

{ "mcpServers": { "zfuzz": { "command": "npx", "args": ["-y", "@zfuzz/mcp"] }}}

Claude Desktop

Settings → Developer → Edit Config

{ "mcpServers": { "zfuzz": { "command": "npx", "args": ["-y", "@zfuzz/mcp"] }}}

OpenCode

Add to opencode.json

{ "mcp": { "zfuzz": { "type": "local", "command": ["npx", "-y", "@zfuzz/mcp"] }}}

Browser tools (v0, Lovable, AI Studio)

Self-host the HTTP endpoint, then point your tool's MCP / Integrations setting at it.

npx -y @zfuzz/mcp --transport http --port 8099
http://localhost:8099/mcp

Remove anytime: claude mcp remove zfuzz (Claude Code), or delete the zfuzz entry from your client's MCP config.

Quickstart

Three steps. No dashboard.

1

Install it

Pick your agent above and run the one-liner. The first run pulls the per-platform scanner binary via @zfuzz/cli.

2

Ask naturally

You never call the tools by hand. Just ask your agent things like:

"Is this login endpoint safe?" · "Do my deps have known CVEs?" · "Threat-model my API" · "Is this MCP server safe to install?"
3

Read real findings

The agent calls a Zfuzz tool and returns findings from a real scanner — not a guess. Confirm it's wired up: in Claude Code, /mcp lists zfuzz and its 10 tools.

What Zfuzz scans

Real scanners, not generic knowledge.

Findings come from deterministic engines, not model guesses. The AI brain stays your editor's own model; Zfuzz adds the security muscle, right where you code. Built in Rust.

441
SAST rules across 7 languages
419+
secret-detection patterns
OSV.dev
real-time dependency CVEs
75+
MITRE ATT&CK techniques
754
security procedures
$0
8 compatible agents · local

Languages: Python, JS/TS, Go, Java, Rust, Ruby, PHP.

The 10 MCP tools

The agent picks the right tool when you ask — you never call them by hand.

ToolWhat it does
scan_codeSAST — 441 rules across 7 languages. Taint analysis tracks data from source to sink.
scan_secrets419+ patterns (AWS, GitHub, Stripe, OpenAI, Anthropic keys). Shannon-entropy analysis catches custom tokens.
scan_dependenciesCVEs via OSV.dev in real time — known CVEs, malicious packages and typosquats flagged before they reach your lockfile.
scan_mcp_configAudits every MCP server config: prompt injection in tool descriptions, unicode tricks, wildcard permissions, SSRF, tool poisoning. Returns a risk score + install verdict.
scan_skillVets an agent skill (SKILL.md + bundled scripts) before install — hidden instructions, over-broad triggers, dangerous scripts, leaked secrets.
reconcile_permissionsDeclared vs actually-used tools — least privilege, from runtime telemetry.
check_mitreMaps findings to 75+ MITRE ATT&CK techniques.
threat_modelSTRIDE + MITRE analysis across a whole project.
explain_finding15 vulnerability classes explained in plain English, with the fix.
search_security_procedures754 procedures: incident response, forensics, hardening.

Drop-in skill

Make your agent use Zfuzz on its own.

SKILL.md is a small instruction file. Drop it into your agent's skills folder and it will reach for the right Zfuzz tool automatically — scanning new code, checking dependencies, and vetting MCP servers before you install them, without being asked each time.

Download SKILL.md

FAQ

Common questions

Is Zfuzz free?

Yes. @zfuzz/mcp is fully free and open source under Apache-2.0 — no usage cap, no cloud account, no API key.

Does Zfuzz send my code anywhere?

No. The scanners run locally on your machine. The AI brain stays your own editor's model; Zfuzz only adds the security tools.

Which AI agents work with Zfuzz?

Claude Code, Cursor, VS Code (Copilot), Codex, Gemini CLI, Claude Desktop and OpenCode over stdio; browser tools like AI Studio, v0 and Lovable via a self-hosted HTTP endpoint.

What does Zfuzz need to run?

Node.js 18 or newer. The scanner binary is pulled per-platform via @zfuzz/cli — no Rust toolchain, no compiler.

How is Zfuzz different from Snyk or Semgrep?

Zfuzz runs inside your AI agent while you write code, returns findings conversationally in seconds, and is free. Traditional scanners run in CI minutes after a push, behind a dashboard, and charge per developer.

The tools don't show up — what now?

Restart the agent after adding it and confirm Node ≥ 18. For the HTTP transport, if you hit "address already in use", change --port (avoid 8090). Binary errors? npm i -g @zfuzz/cli.