For AI agents

Built for the agent that writes the install command.

Audito is a Model Context Protocol server. Your coding agent calls it as a tool — checking packages, auditing lockfiles, and fixing CVEs without you ever leaving the chat.

Works with
  • Claude Code
  • Cursor
  • Claude Desktop
  • any MCP client

Three MCP tools

The whole loop, exposed as tools.

No SDK to wire up and no CI step required — just tools your agent already knows how to call.

check_package

Validate one package before adding it.

Typosquat, deprecation, known CVEs (OSV.dev), and license policy → allow / warn / block with a plain-English reason. The agent calls this before it writes the dependency.

audit_lockfile

Sweep an entire lockfile in one call.

Hand Audito a lockfile in any of 8 formats (npm, pnpm, yarn classic + berry, requirements.txt, poetry, Pipfile, Cargo, go.sum) and get back every finding at once.

suggest_actions

Get the exact fix per CVE.

The nearest safe upgrade: minimal bump, operator-preserving manifest edit, the per-ecosystem install command, and a breaking-change flag — everything the agent needs to apply the fix.

Setup

One line to connect.

Add Audito as a remote MCP server and authenticate with an audt_… API token. Cursor and Claude Desktop connect the same way over mcp-remote.

  1. Create an audt_… token in the dashboard under Settings → API tokens. It's shown once and stored hashed.
  2. Register the server with your agent — one command, below.
  3. Your agent now calls check_package, audit_lockfile, and suggest_actions on its own.

terminal
# add Audito to Claude Code
claude mcp add audito \
  --remote https://mcp.audito.dev \
  --header "Authorization: Bearer audt_…"

The same MCP endpoint works from Cursor and Claude Desktop via mcp-remote. Tokens scope to your workspace and can be revoked anytime.

In the chat

Propose → check → fix, in one conversation.

Audito turns the agent's blind install into a reviewed one — and hands it the fix when something's already wrong.

Caught before it lands

The agent reaches for a package; Audito blocks the typosquat and names a safe alternative.

Claude: I'll add colorss for ANSI colors.
Audito: Blocked

Likely typosquat of colors. Registered 6 days ago, 0 weekly downloads, no repo. Try chalk instead.

Fixed in place

For what's already installed, Audito returns the minimal, operator-preserving bump per finding.

  • Bump lodash: ^4.17.20 → ^4.17.21
  • Bump next: 15.2.1 → 16.2.4
  • Bump axios: ^1.6.0 → ^1.7.4
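
The operator-preserving bump described above, as an added example in JavaScript that is not Audito's own code: it keeps the range operator the manifest author wrote, raises only the version, and flags a bump as breaking when it crosses the component a caret range pins. The function names, the result shape and that definition of "breaking" are assumptions; the sample ranges are the three from the list above.

```javascript
// Added example (not Audito's code): operator-preserving bump for npm ranges.
// Handles only simple ranges: optional ^, ~, >= or = followed by x.y.z.
const SIMPLE = /^(\^|~|>=|=)?(\d+)\.(\d+)\.(\d+)$/;
// npm package-name shape; the name ends up in a command the agent may run.
const NAME = /^(@[a-z0-9~-][a-z0-9._~-]*\/)?[a-z0-9~-][a-z0-9._~-]*$/;

function parse(spec) {
  const m = SIMPLE.exec(String(spec).trim());
  return m ? { op: m[1] || "", v: [m[2], m[3], m[4]].map(Number) } : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// A caret range pins the first non-zero component; changing it is breaking.
function isBreaking(from, to) {
  const i = from.findIndex((n) => n !== 0);
  const pinned = i === -1 ? 2 : i;
  return from.slice(0, pinned + 1).some((n, k) => n !== to[k]);
}

function bump(name, range, fixedVersion) {
  const cur = parse(range);
  const fix = parse(fixedVersion);
  if (!NAME.test(name) || !cur || !fix || fix.op) {
    return { name, status: "manual-review", range };
  }
  if (compare(fix.v, cur.v) <= 0) return { name, status: "unchanged", range };
  const to = cur.op + fix.v.join("."); // keep the author's operator
  return {
    name, status: "bump", from: range, to,
    breaking: isBreaking(cur.v, fix.v),
    install: `npm install ${name}@${to}`,
  };
}

function planAll(deps, fixed) {
  return Object.keys(fixed).map((n) => bump(n, deps[n] ?? "", fixed[n]));
}

// Ranges and fixed versions from the list above; "example-pkg" is constructed.
const manifest = { lodash: "^4.17.20", next: "15.2.1", axios: "^1.6.0",
                   "example-pkg": ">=1.0.0 <2.0.0" };
const fixes = { lodash: "4.17.21", next: "16.2.4", axios: "1.7.4",
                "example-pkg": "1.2.0" };
console.log(planAll(manifest, fixes));
```

Compound ranges and names that do not match the npm name pattern come back as manual-review, so nothing unparsed is ever placed into an install command.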

Free MCP access

Give your agent a security check.

Create a token, add the server, and the next package your agent installs gets vetted first.