# Socket

> Score npm, PyPI, Go, and Maven dependencies for supply-chain and vulnerability risk before an agent installs them.

[Canonical HTML page](https://top-mcps.com/mcp/socket) · [server.json](https://top-mcps.com/mcp/socket.json) · [methodology](https://top-mcps.com/about/methodology)

## Install

### Claude Desktop — `claude_desktop_config.json`

Paste under mcpServers. Fully quit and reopen Claude after editing.

```json
{
  "mcpServers": {
    "socket": {
      "command": "npx",
      "args": [
        "-y",
        "@socketsecurity/mcp@latest"
      ]
    }
  }
}
```

### Claude Code — `CLI or .mcp.json`

Run from your repo. Commit .mcp.json to share with your team.

```shell
claude mcp add socket -- npx -y @socketsecurity/mcp@latest
```

### Cursor — `.cursor/mcp.json`

Global path: ~/.cursor/mcp.json. Reload window after editing.

```json
{
  "mcpServers": {
    "socket": {
      "command": "npx",
      "args": [
        "-y",
        "@socketsecurity/mcp@latest"
      ]
    }
  }
}
```

### VS Code — `.vscode/mcp.json`

VS Code uses the "servers" key (not "mcpServers").

```jsonc
{
  "servers": {
    "socket": {
      "command": "npx",
      "args": [
        "-y",
        "@socketsecurity/mcp@latest"
      ]
    }
  }
}
```

### Windsurf — `~/.codeium/windsurf/mcp_config.json`

Open via Cascade → hammer icon → Configure.

```json
{
  "mcpServers": {
    "socket": {
      "command": "npx",
      "args": [
        "-y",
        "@socketsecurity/mcp@latest"
      ]
    }
  }
}
```

### Cline — `cline_mcp_settings.json`

Open via the Cline sidebar → MCP Servers → Edit.

```json
{
  "mcpServers": {
    "socket": {
      "command": "npx",
      "args": [
        "-y",
        "@socketsecurity/mcp@latest"
      ]
    }
  }
}
```

### Continue — `~/.continue/config.json`

Continue uses modelContextProtocolServers with a transport block.

```json
{
  "experimental": {
    "modelContextProtocolServers": [
      {
        "transport": {
          "type": "stdio",
          "command": "npx",
          "args": [
            "-y",
            "@socketsecurity/mcp@latest"
          ]
        }
      }
    ]
  }
}
```

### Codex CLI — `~/.codex/config.toml`

Codex uses TOML. Each server is a [mcp_servers.<name>] subtable.

```shell
# ~/.codex/config.toml
[mcp_servers.socket]
command = "npx"
args = [
  "-y",
  "@socketsecurity/mcp@latest",
]
```

### Zed — `~/.config/zed/settings.json`

Zed calls them "context_servers". Settings live-reload on save.

```jsonc
{
  "context_servers": {
    "socket": {
      "command": {
        "path": "npx",
        "args": [
          "-y",
          "@socketsecurity/mcp@latest"
        ]
      }
    }
  }
}
```

### ChatGPT — `ChatGPT → Settings → Connectors (remote URL)`

Paste this into Settings → Connectors → Add custom connector. Requires ChatGPT Pro / Team / Enterprise / Edu with Developer mode enabled. ChatGPT supports remote HTTPS MCP servers only — stdio servers must be hosted on a public HTTPS endpoint first.

```json
{
  "name": "Socket",
  "transport": "http",
  "url": "https://mcp.socket.dev"
}
```

## At a glance

- **Maintainer:** Socket
- **Transport:** stdio, Streamable HTTP
- **Auth model:** OAuth 2.1
- **Required secrets:** None
- **Supported clients:** Claude, Cursor, VS Code, Windsurf, Any MCP-compatible client
- **License:** MIT
- **Language:** TypeScript
- **Latest version:** latest
- **Last verified:** 2026-07-16
- **Score:** 64/100 (rubric 2026-04 — see https://top-mcps.com/about/methodology)
- **Source:** https://github.com/SocketDev/socket-mcp

## Quick answer

**What it does.** Exposes Socket's package-scoring API as the depscore MCP tool, returning supply-chain, quality, maintenance, vulnerability, and license scores per package across nine ecosystems.

**Best for:**
- Vetting AI-suggested dependencies before install
- Auditing a package.json or requirements.txt
- Catching typosquats and malware
- Supply-chain + license scoring
- Multi-ecosystem risk checks (npm, PyPI, Go…)

**Not for:**
- SAST on first-party code (use Semgrep)
- Runtime application security
- Ecosystems Socket does not index

## Description

Socket's official MCP (MIT, actively maintained) exposes the depscore tool: give it packages across npm, PyPI, Go, Maven, Cargo, Gem, NuGet, Composer, or GitHub Actions and it returns supply-chain, quality, maintenance, vulnerability, and license scores (0–100). It is built for the AI-coding era — vet a dependency the moment an agent proposes adding it.

## Why it matters

AI assistants happily install a hallucinated or typosquatted package. Socket lets the agent score a dependency before it lands — the highest-leverage point to catch supply-chain risk.

## Key features

- depscore: 5 risk dimensions per package
- 9 ecosystems (npm, PyPI, Go, Maven, Cargo, Gem, NuGet, Composer, Actions)
- Hosted server at mcp.socket.dev with OAuth
- Self-host via npx with SOCKET_API_TOKEN
- Official Socket, MIT

## FAQ

### Hosted or self-hosted?

The hosted server at mcp.socket.dev uses OAuth — sign in with Socket on first connect, no key to manage. To self-host, run `npx -y @socketsecurity/mcp@latest` with a SOCKET_API_TOKEN.

### Which ecosystems does depscore cover?

npm, PyPI, Go modules, Maven, Cargo, Gem, NuGet, Composer, and GitHub Actions.

### Is it a replacement for the archived Snyk MCP?

For dependency supply-chain scoring, yes — Socket is a live, open-source alternative. For SAST, container, and IaC scanning, use Semgrep or Snyk's IDE integrations.

## Changelog

- **2026-07-16** — Refreshed install snippets and fact sheet; verified for 2026.
- **2025-06-01** — Initial directory listing.
