
BoostSecurity MCP Server


What is the BoostSecurity MCP Server?


The BoostSecurity MCP (Model Context Protocol) Server is a security safeguard designed for developers using agentic AI coding assistants (like Cursor, Claude Code, VS Code Copilot, etc.).

Agentic AI systems accelerate development but can also introduce serious supply chain risks by suggesting or adding third-party code packages without scrutiny. The BoostSecurity MCP server acts as an intelligent checkpoint to mitigate these risks.

It automatically analyzes every package an AI agent attempts to introduce into your project. It inspects the package for risks before it gets installed, flags unsafe dependencies, and can recommend secure, maintained alternatives. It also serves as a proactive security agent, informing you of existing security issues in your repository when queried.

Its primary function is exposed through the validate_package tool, which verifies whether a given package is safe to use.


🛡️ Why Use It? The Problem & The Solution


The Problem: Agentic AI and Supply Chain Risk


AI coding agents are powerful, but they don't inherently understand software supply chain security. Without safeguards, they can easily introduce packages that:

  • Contain Malware: Malicious code hidden within a seemingly useful package.
  • Have Known Vulnerabilities: Contain high or critical severity issues (CVEs) that attackers can exploit.
  • Are Typosquatted: Mimic legitimate libraries to trick users (e.g., reqeusts instead of requests).
  • Are End-of-Life (EOL): No longer maintained or supported, meaning security flaws will not be fixed.
  • Are "Hallucinations": Don't actually exist in the package registry.

The Solution: A Security Safeguard


The BoostSecurity MCP server integrates directly with your AI assistant to eliminate these risks at the source.

Key Benefits:

  • Block Unsafe Packages: Automatically prevents the introduction of malicious, vulnerable, or EOL dependencies.
  • Verify Package Health: Confirms that dependencies are legitimate, actively maintained, and supported.
  • Get Safer Alternatives: When a risk is detected, the server provides recommendations for secure alternatives or patched versions.
  • Reduce Supply Chain Risk: Strengthens your software supply chain by default.
  • Innovate Confidently: Allows your team to fully leverage the speed of agentic AI without compromising on security.
  • Simple & Free: No account creation is required to use the server.

How to Use It: Installation & Configuration


Using the server involves two steps:

  1. Installation: Connecting your MCP-compatible client (your AI assistant/editor) to the BoostSecurity server endpoint.
  2. Usage: Prompting your AI agent to use the validation tool (or letting it do so automatically).

Supported Languages and Ecosystems


  • Python: PyPI
  • Go: Go Modules
  • JavaScript/TypeScript: npm
  • Java: Maven
  • C#: NuGet

Requirements


An MCP-compliant client, such as:

  • Cursor
  • Claude Code
  • Windsurf
  • VS Code (with MCP extension)

Client-Specific Setup Guides


Follow the instructions for your specific editor or AI assistant.


Cursor


  1. Go to: Settings -> Cursor Settings -> MCP -> Add new global MCP server
  2. Add the following remote server connection configuration:

    {
      "mcpServers": {
        "boost-security": {
          "url": "https://mcp.boostsecurity.io/mcp",
          "transport": "http"
        }
      }
    }
    
  3. Once configured, verify under Cursor Settings -> MCP & Integrations that the BoostSecurity MCP server is enabled and lists the validate_package tool.


Claude Code


  1. Run the following command in your terminal:

    claude mcp add --scope user --transport http boost-security https://mcp.boostsecurity.io/mcp
    
  2. To confirm, type /mcp within the Claude Code interface. The BoostSecurity MCP should appear as enabled.


Windsurf


  1. Navigate to Windsurf Settings -> Cascade MCP Servers.
  2. Add the BoostSecurity MCP server configuration:

    {
      "mcpServers": {
        "boost-security": {
          "serverUrl": "https://mcp.boostsecurity.io/mcp"
        }
      }
    }
    
  3. Alternatively, add this configuration to your Windsurf MCP config file (e.g., ~/.codeium/windsurf/mcp_config.json).

  4. Relaunch Windsurf.
  5. Go to Windsurf Settings -> Manage MCPs to confirm the connection is enabled and shows the validate_package tool.

VS Code


  1. Navigate to View -> Command Palette.
  2. Run the command MCP: Open User Configuration.
  3. Add the BoostSecurity MCP server configuration to the JSON file:

    {
      "servers": {
        "boost-security": {
          "type": "http",
          "url": "https://mcp.boostsecurity.io/mcp"
        }
      }
    }
    
  4. You may need to relaunch VS Code.

  5. Once added, select Start on the MCP configuration in the MCP panel to change its state to Running.

Other MCP Clients


The BoostSecurity MCP server can be used by any MCP-compliant client that supports:

  • Transport type: http
  • Remote server URL: https://mcp.boostsecurity.io/mcp

Refer to your client’s documentation for instructions on configuring remote MCP servers.
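The three client configurations above differ only in their key names (Cursor uses `url` and `transport`, Windsurf uses `serverUrl`, VS Code uses `type` and `url` under `servers`), but all of them must point at the same HTTPS endpoint. The following is an added example, not code from BoostSecurity or from any of the clients: a small Python check that reads any of those three formats and reports an entry that uses plain HTTP, points at a host other than the documented one, or has an unexpected transport. The `BAD_CONFIG` sample and the function names are constructed for the illustration.

```python
import json
from typing import Optional

# Documented endpoint from this page; anything else is reported as a deviation.
EXPECTED_URL = "https://mcp.boostsecurity.io/mcp"
SERVER_KEY = "boost-security"

# The three client configurations shown on this page.
CURSOR_CONFIG = """{
  "mcpServers": {
    "boost-security": {
      "url": "https://mcp.boostsecurity.io/mcp",
      "transport": "http"
    }
  }
}"""

WINDSURF_CONFIG = """{
  "mcpServers": {
    "boost-security": {
      "serverUrl": "https://mcp.boostsecurity.io/mcp"
    }
  }
}"""

VSCODE_CONFIG = """{
  "servers": {
    "boost-security": {
      "type": "http",
      "url": "https://mcp.boostsecurity.io/mcp"
    }
  }
}"""

# Constructed misconfiguration (not from the page): plain HTTP to a host that is not the documented one.
BAD_CONFIG = """{
  "mcpServers": {
    "boost-security": {
      "url": "http://mcp.example.invalid/mcp",
      "transport": "http"
    }
  }
}"""


def find_server_entry(config: dict) -> Optional[dict]:
    """Locate the boost-security entry under either top-level key the clients on this page use."""
    for top_key in ("mcpServers", "servers"):
        servers = config.get(top_key)
        if isinstance(servers, dict) and isinstance(servers.get(SERVER_KEY), dict):
            return servers[SERVER_KEY]
    return None


def check_config(config_text: str) -> list:
    """Return findings for one client config; an empty list means it matches the documented setup."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    entry = find_server_entry(config)
    if entry is None:
        return [f"no '{SERVER_KEY}' entry under 'mcpServers' or 'servers'"]

    findings = []
    # Cursor and VS Code use "url"; Windsurf uses "serverUrl".
    url = entry.get("url") or entry.get("serverUrl")
    if not url:
        findings.append("entry has neither 'url' nor 'serverUrl'")
    else:
        if not url.startswith("https://"):
            findings.append(f"endpoint is not HTTPS: {url}")
        if url != EXPECTED_URL:
            findings.append(f"endpoint differs from the documented URL: {url}")
    # Cursor spells the transport "transport", VS Code spells it "type"; Windsurf omits it.
    transport = entry.get("transport") or entry.get("type")
    if transport is not None and transport != "http":
        findings.append(f"unexpected transport: {transport!r}")
    return findings


def check_all(configs: dict) -> dict:
    """Run check_config over a mapping of client name -> config text."""
    return {client: check_config(text) for client, text in configs.items()}


if __name__ == "__main__":
    report = check_all({"cursor": CURSOR_CONFIG, "windsurf": WINDSURF_CONFIG,
                        "vscode": VSCODE_CONFIG, "constructed-bad": BAD_CONFIG})
    for client, findings in report.items():
        print(client, "OK" if not findings else findings)
```

Running the block prints `OK` for the three documented configurations and two findings for the constructed one. The check is deliberately strict about the exact URL: an MCP client will happily call whatever endpoint it is given, so the configuration file is the one place where a wrong or downgraded endpoint can be caught before the agent starts trusting its answers.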


Best Practices for Optimal Security


The MCP server provides strong instructions to the AI agent, encouraging it to validate packages. However, for the most consistent results, you should also explicitly instruct your AI agent to use the tool.

Add a rule or instruction to your AI agent's system prompt or configuration.

Example Instruction:

Always use the BoostSecurity MCP tool `validate_package` to ensure a package is safe before adding it to a project.
Use the package versions recommended by BoostSecurity.

By doing this, you ensure the agent makes security validation a non-negotiable step in its workflow.

Example Workflow

  1. Developer: "Please add the requests package to handle API calls."
  2. AI Agent (to MCP): "I intend to add requests version 2.25.0. Please validate_package(name='requests', version='2.25.0')."
  3. BoostSecurity MCP (to AI): "Validation failed: Version 2.25.0 has a known vulnerability. A safe alternative is available. Use requests version 2.31.0 or newer."
  4. AI Agent (to Developer): "I've added the requests package. I used version 2.31.0 as recommended by the security scanner to avoid a known vulnerability in earlier versions."
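The workflow above is, on the wire, an MCP `tools/call` request followed by a tool result. The following is an added example, not BoostSecurity's code and not captured from the real server: it builds the JSON-RPC request an agent would send for `validate_package` (the `name` and `version` arguments are the ones the page shows; the method name and params shape are MCP's) and turns the reply into an install decision. The server's real reply format is not documented on this page, so the `SAMPLE_REPLIES` are constructed: the first reuses the page's own wording, the others model the typosquat, non-existent-package and unreachable-server cases. Anything that is not a clear pass or a failure with a recommended version is treated as a block, so the agent fails closed rather than installing on an unknown answer.

```python
import itertools
import re

# MCP carries tool calls as JSON-RPC 2.0 messages: method "tools/call" with
# params {"name": <tool>, "arguments": {...}}. The argument names below are the
# ones this page shows for validate_package.
_request_ids = itertools.count(1)


def build_validate_request(package: str, version: str) -> dict:
    """Build the tools/call request an agent would send before adding a dependency."""
    return {
        "jsonrpc": "2.0",
        "id": next(_request_ids),
        "method": "tools/call",
        "params": {
            "name": "validate_package",
            "arguments": {"name": package, "version": version},
        },
    }


def _text_reply(request_id: int, text: str, is_error: bool = False) -> dict:
    """Constructed MCP tool result: a single text content item plus the isError flag."""
    return {"jsonrpc": "2.0", "id": request_id,
            "result": {"content": [{"type": "text", "text": text}], "isError": is_error}}


# Constructed server replies (assumed shapes, not captured from the real server).
SAMPLE_REPLIES = {
    "vulnerable": _text_reply(1, "Validation failed: Version 2.25.0 has a known vulnerability. "
                                 "A safe alternative is available. Use requests version 2.31.0 or newer."),
    "clean": _text_reply(2, "Validation passed: requests 2.31.0 has no known issues."),
    "typosquat": _text_reply(3, "Validation failed: reqeusts appears to be a typosquat of requests."),
    "not_found": _text_reply(4, "Package does not exist in the registry.", is_error=True),
    "transport_error": {"jsonrpc": "2.0", "id": 5,
                        "error": {"code": -32000, "message": "upstream unavailable"}},
}

# Pulls the recommended version out of the page's wording "Use <pkg> version <v> or newer".
_RECOMMENDED = re.compile(r"use \S+ version (\S+) or newer", re.IGNORECASE)


def decide(package: str, requested_version: str, reply: dict) -> dict:
    """Turn a validate_package reply into an install decision. Unknown or error states block."""
    if "error" in reply:  # JSON-RPC level error: server unreachable or refused the call
        return {"action": "block", "version": None,
                "reason": reply["error"].get("message", "rpc error")}
    result = reply.get("result", {})
    text = " ".join(c.get("text", "") for c in result.get("content", [])
                    if c.get("type") == "text")
    if result.get("isError"):  # tool ran but reported an error (e.g. package does not exist)
        return {"action": "block", "version": None, "reason": text or "tool error"}
    if text.lower().startswith("validation failed"):
        match = _RECOMMENDED.search(text)
        if match:  # failed, but a safe version was recommended: install that one instead
            return {"action": "install", "version": match.group(1), "reason": text}
        return {"action": "block", "version": None, "reason": text}
    if text.lower().startswith("validation passed"):
        return {"action": "install", "version": requested_version, "reason": text}
    return {"action": "block", "version": None, "reason": "unrecognised reply: " + text}


if __name__ == "__main__":
    print(build_validate_request("requests", "2.25.0"))
    for scenario, reply in SAMPLE_REPLIES.items():
        print(scenario, "->", decide("requests", "2.25.0", reply))
```

For the page's own scenario the decision is `install` with version `2.31.0`, matching step 4 of the workflow; the typosquat, non-existent package and transport-error replies all come back as `block`. The fail-closed default is the part worth copying: the "Always use the validate_package tool" instruction in the best-practices section only helps if a missing or malformed answer stops the install instead of being ignored.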