shieldapi-mcp 2.0.1 → 2.1.0

package/README.md

@@ -1,5 +1,11 @@
 # 🛡️ ShieldAPI MCP Server
 
+[![npm version](https://img.shields.io/npm/v/shieldapi-mcp.svg)](https://www.npmjs.com/package/shieldapi-mcp)
+[![npm downloads](https://img.shields.io/npm/dm/shieldapi-mcp.svg)](https://www.npmjs.com/package/shieldapi-mcp)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+[![x402](https://img.shields.io/badge/x402-enabled-green.svg)](https://x402.org)
+[![Listed on x402scan](https://img.shields.io/badge/x402scan-listed-brightgreen.svg)](https://www.x402scan.com/server/55c99a38-34b3-4b2c-8987-f58ebd88a7df)
+
 Security intelligence tools for AI agents — prompt injection detection, skill security scanning, URL/domain/IP/email/password checks. Pay-per-request with USDC micropayments via [x402](https://www.x402.org/), or use free demo mode.
 
 **Now with AI-native security:** Detect prompt injection in real-time and scan AI skills for supply chain attacks.

package/dist/index.js

@@ -118,15 +118,35 @@ function formatResult(data) {
 }
 // --- MCP Server ---
 const server = new McpServer({
-    name: 'ShieldAPI',
-    version: '2.0.0',
+    name: 'shieldapi-mcp',
+    title: 'ShieldAPI — Security Intelligence for AI Agents',
+    version: '2.1.0',
+    description: '9 security tools for AI agents: breach checks, domain/IP/URL reputation, prompt injection detection, skill supply chain scanning. Pay-per-request via x402 USDC micropayments. Demo mode available.',
+    websiteUrl: 'https://shield.vainplex.dev',
+    icons: [{ src: 'https://shield.vainplex.dev/icon.svg', mimeType: 'image/svg+xml' }],
 });
+// Annotations for read-only lookup tools
+const readOnlyAnnotations = {
+    title: '', // will be set per-tool
+    readOnlyHint: true,
+    destructiveHint: false,
+    idempotentHint: true,
+    openWorldHint: true,
+};
+const TOOL_TITLES = {
+    check_url: 'Check URL Safety',
+    check_password: 'Check Password Breach',
+    check_password_range: 'Password Range Lookup',
+    check_domain: 'Check Domain Reputation',
+    check_ip: 'Check IP Reputation',
+    check_email: 'Check Email Breach',
+};
 // Register standard GET tools from config
 for (const [name, def] of Object.entries(TOOLS)) {
-    server.tool(name, def.description, { [def.param]: z.string().describe(def.paramDesc) }, async (params) => formatResult(await callShieldApi(def.endpoint, params)));
+    server.tool(name, def.description, { [def.param]: z.string().describe(def.paramDesc) }, { ...readOnlyAnnotations, title: TOOL_TITLES[name] || name }, async (params) => formatResult(await callShieldApi(def.endpoint, params)));
 }
 // full_scan — single 'target' param mapped to the correct server param
-server.tool('full_scan', 'Run all security checks on a target (URL, domain, IP, or email). Most comprehensive scan.', { target: z.string().describe('Target to scan — URL, domain, IP address, or email') }, async ({ target }) => formatResult(await callShieldApi('full-scan', detectTargetType(target))));
+server.tool('full_scan', 'Run all security checks on a target (URL, domain, IP, or email). Most comprehensive scan.', { target: z.string().describe('Target to scan — URL, domain, IP address, or email') }, { title: 'Full Security Scan', readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: true }, async ({ target }) => formatResult(await callShieldApi('full-scan', detectTargetType(target))));
 // ================================================================
 // Phase 2 Tools (POST endpoints)
 // ================================================================
@@ -137,7 +157,7 @@ server.tool('scan_skill', 'Scan an AI agent skill/plugin for security issues acr
         name: z.string().describe('Filename including extension'),
         content: z.string().describe('File content as string'),
     })).optional().describe('Additional code files to analyze (max 20 files)'),
-}, async (params) => {
+}, { title: 'Scan AI Skill/Plugin', readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: false }, async (params) => {
     const body = {};
     if (params.skill)
         body.skill = params.skill;
@@ -150,7 +170,7 @@ server.tool('check_prompt', 'Detect prompt injection in text. Analyzes across 4
     prompt: z.string().describe('The text to analyze for prompt injection'),
     context: z.enum(['user-input', 'skill-prompt', 'system-prompt']).optional()
         .describe('Context hint for sensitivity: user-input (default), skill-prompt (higher tolerance), system-prompt (highest sensitivity)'),
-}, async (params) => {
+}, { title: 'Detect Prompt Injection', readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: false }, async (params) => {
     const body = { prompt: params.prompt };
     if (params.context)
         body.context = params.context;

package/mcp-so-listing.md

@@ -0,0 +1,40 @@
+## Security intelligence for AI agents
+
+ShieldAPI provides 9 security tools via MCP — from password breach checks to prompt injection detection. All tools work in **free demo mode** out of the box. Paid mode uses x402 USDC micropayments on Base.
+
+### Tools
+
+| Tool | What it does | Price |
+|---|---|---|
+| `check_password` | SHA-1 hash against 900M+ breached passwords (HIBP) | $0.001 |
+| `check_password_range` | k-Anonymity password range lookup | $0.001 |
+| `check_email` | Email breach exposure via HIBP | $0.005 |
+| `check_domain` | DNS, SPF/DMARC, SSL, blacklist reputation | $0.003 |
+| `check_ip` | Blacklists, Tor exit detection, reverse DNS | $0.002 |
+| `check_url` | Phishing, malware, brand impersonation | $0.003 |
+| `full_scan` | All checks combined in one call | $0.010 |
+| **`check_prompt`** | Prompt injection detection — 200+ patterns, <100ms | $0.005 |
+| **`scan_skill`** | AI skill/plugin supply chain scanner — 8 risk categories | $0.020 |
+
+### Quick Start
+
+```bash
+npx shieldapi-mcp
+```
+
+All tools work immediately in demo mode — no wallet, no API key needed.
+
+### Highlights
+
+- **Prompt Injection Detection:** 200+ patterns including Base64, ROT13, Unicode homoglyphs, DAN/jailbreak, exfiltration attempts
+- **Skill Supply Chain Security:** Scans for malicious code, credential leaks, suspicious downloads — based on Snyk ToxicSkills taxonomy
+- **Real Breach Data:** 900M+ password hashes from Have I Been Pwned
+- **x402 Native:** First security MCP server with pay-per-request USDC micropayments
+- **No API Key:** Works out of the box in demo mode, add a wallet for paid mode
+
+### Links
+
+- [Live API](https://shield.vainplex.dev)
+- [x402scan Listing](https://www.x402scan.com/server/55c99a38-34b3-4b2c-8987-f58ebd88a7df)
+- [npm](https://www.npmjs.com/package/shieldapi-mcp)
+- [GitHub](https://github.com/alberthild/shieldapi-mcp)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shieldapi-mcp",
-  "version": "2.0.1",
+  "version": "2.1.0",
   "description": "MCP server for ShieldAPI — URL scanning, breach detection, domain/IP reputation as AI agent tools. Pay-per-request with USDC micropayments via x402.",
   "main": "dist/index.js",
   "bin": {

package/src/index.ts

@@ -149,16 +149,39 @@ function formatResult(data: unknown): { content: Array<{ type: 'text'; text: str
 // --- MCP Server ---
 
 const server = new McpServer({
-  name: 'ShieldAPI',
-  version: '2.0.0',
+  name: 'shieldapi-mcp',
+  title: 'ShieldAPI — Security Intelligence for AI Agents',
+  version: '2.1.0',
+  description: '9 security tools for AI agents: breach checks, domain/IP/URL reputation, prompt injection detection, skill supply chain scanning. Pay-per-request via x402 USDC micropayments. Demo mode available.',
+  websiteUrl: 'https://shield.vainplex.dev',
+  icons: [{ src: 'https://shield.vainplex.dev/icon.svg', mimeType: 'image/svg+xml' }],
 });
 
+// Annotations for read-only lookup tools
+const readOnlyAnnotations = {
+  title: '',  // will be set per-tool
+  readOnlyHint: true,
+  destructiveHint: false,
+  idempotentHint: true,
+  openWorldHint: true,
+} as const;
+
+const TOOL_TITLES: Record<string, string> = {
+  check_url: 'Check URL Safety',
+  check_password: 'Check Password Breach',
+  check_password_range: 'Password Range Lookup',
+  check_domain: 'Check Domain Reputation',
+  check_ip: 'Check IP Reputation',
+  check_email: 'Check Email Breach',
+};
+
 // Register standard GET tools from config
 for (const [name, def] of Object.entries(TOOLS)) {
   server.tool(
     name,
     def.description,
     { [def.param]: z.string().describe(def.paramDesc) },
+    { ...readOnlyAnnotations, title: TOOL_TITLES[name] || name },
     async (params) => formatResult(await callShieldApi(def.endpoint, params as Record<string, string>))
   );
 }
@@ -168,6 +191,7 @@ server.tool(
   'full_scan',
   'Run all security checks on a target (URL, domain, IP, or email). Most comprehensive scan.',
   { target: z.string().describe('Target to scan — URL, domain, IP address, or email') },
+  { title: 'Full Security Scan', readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: true },
   async ({ target }) => formatResult(await callShieldApi('full-scan', detectTargetType(target)))
 );
 
@@ -186,6 +210,7 @@ server.tool(
       content: z.string().describe('File content as string'),
     })).optional().describe('Additional code files to analyze (max 20 files)'),
   },
+  { title: 'Scan AI Skill/Plugin', readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: false },
   async (params) => {
     const body: Record<string, unknown> = {};
     if (params.skill) body.skill = params.skill;
@@ -203,6 +228,7 @@ server.tool(
     context: z.enum(['user-input', 'skill-prompt', 'system-prompt']).optional()
       .describe('Context hint for sensitivity: user-input (default), skill-prompt (higher tolerance), system-prompt (highest sensitivity)'),
   },
+  { title: 'Detect Prompt Injection', readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: false },
   async (params) => {
     const body: Record<string, unknown> = { prompt: params.prompt };
     if (params.context) body.context = params.context;