ContractScan MCP Server — multi-engine Solidity vulnerability scanner for LLM agents

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Josh.Kim from gravatar.com Josh.Kim

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: ContractScan
  • Tags solidity , smart-contract , security , vulnerability-scanner , mcp , model-context-protocol , slither , blockchain , ethereum , auditing
  • Requires: Python >=3.11
  • Provides-Extra: slither , semgrep , ai
Classifiers
Report project as malware

Project description

ContractScan MCP Server

Expose ContractScan's multi-engine Solidity vulnerability scanner as a Model Context Protocol (MCP) server. Once connected, any MCP-compatible AI tool (Claude Desktop, Cursor, Windsurf, Cline, …) can scan smart contracts directly from a conversation.

Why MCP?

Tool Engines
Slither-MCP Slither only
Aderyn-MCP Aderyn only
ContractScan MCP Slither + Semgrep + Mythril + AI cross-verification

Requirements

  • Python 3.11+
  • pip install contractscan-mcp
  • solc installed (solc-select install 0.8.20 && solc-select use 0.8.20)

Quick Start

Install

pip install contractscan-mcp

Test it works

contractscan-mcp --help

IDE Setup

Claude Desktop (macOS / Windows)

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "contractscan": {
      "command": "contractscan-mcp",
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-...",
        "GOOGLE_API_KEY": "AIza..."
      }
    }
  }
}

Restart Claude Desktop. You should see ContractScan in the MCP tools list.

Cursor

Open Cursor Settings → MCP (or edit ~/.cursor/mcp.json):

{
  "mcpServers": {
    "contractscan": {
      "command": "contractscan-mcp",
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-...",
        "GOOGLE_API_KEY": "AIza..."
      }
    }
  }
}

Restart Cursor. ContractScan tools will appear in the Composer context.

Windsurf

Edit ~/.codeium/windsurf/mcp_config.json:

{
  "mcpServers": {
    "contractscan": {
      "command": "contractscan-mcp",
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-...",
        "GOOGLE_API_KEY": "AIza..."
      }
    }
  }
}

Restart Windsurf. ContractScan will be available in Cascade.

Cline (VS Code)

In VS Code, open Cline settings and add to MCP Servers:

{
  "contractscan": {
    "command": "contractscan-mcp",
    "env": {
      "ANTHROPIC_API_KEY": "sk-ant-..."
    }
  }
}

Claude Code (CLI)

Add to your project's CLAUDE.md:

## MCP Tools

This project uses ContractScan MCP for smart contract security scanning.

Install: `pip install contractscan-mcp`

Add to `~/.claude/settings.json`:
\`\`\`json
{
  "mcpServers": {
    "contractscan": {
      "command": "contractscan-mcp",
      "env": { "ANTHROPIC_API_KEY": "YOUR_KEY" }
    }
  }
}
\`\`\`

Or run directly from the Claude Code terminal:

# Scan a single file
echo '{"tool":"scan_file","args":{"file_path":"contracts/Token.sol"}}' \
  | contractscan-mcp

# Or use Claude Code with MCP enabled (add to settings.json first)

Available Tools

scan_contract

Scan Solidity source code passed as a string.

Parameter Type Default Description
solidity_code string required Full Solidity source
filename string "contract.sol" Filename shown in reports
generate_report bool true Generate AI narrative report
anthropic_api_key string env ANTHROPIC_API_KEY BYOK Anthropic key
openai_api_key string env OPENAI_API_KEY BYOK OpenAI key
tier string "free" "free" / "basic" / "pro"

scan_file

Scan a local .sol file or directory of Solidity files.

Parameter Type Default Description
file_path string required Absolute or relative path
generate_report bool true Generate AI narrative report
anthropic_api_key string env ANTHROPIC_API_KEY BYOK Anthropic key
openai_api_key string env OPENAI_API_KEY BYOK OpenAI key
tier string "free" "free" / "basic" / "pro"

get_engines

List all registered scan engines and their availability.

{
  "engines": [
    {"name": "slither",  "tier": "free",  "available": true},
    {"name": "mythril",  "tier": "basic", "available": true},
    {"name": "semgrep",  "tier": "basic", "available": true},
    {"name": "ai",       "tier": "free",  "available": true}
  ]
}

get_report

Retrieve the most recent scan result from the current session.

Analysis Tiers

Tier Engines included
free Slither + AI
basic Slither + Semgrep + Mythril + AI
pro All engines

API Keys

The server reads API keys from environment variables or from the tool call arguments (BYOK):

Variable Use
ANTHROPIC_API_KEY Claude-based AI report / detection
GOOGLE_API_KEY Gemini-based AI report / detection
OPENAI_API_KEY GPT-4o-based AI report / detection

At least one AI key is recommended for full reports. Static analysis (Slither / Semgrep / Mythril) works without any key.

Example Usage (in Claude Desktop)

Once connected, you can use ContractScan in natural language:

"Scan this contract for vulnerabilities" — paste your Solidity code

"Check /path/to/contracts/Token.sol for security issues" — scan a local file

"What engines are available?" — list configured engines

Impact on Existing Features

The MCP server runs as a separate process using stdio transport. It does not modify or affect the existing ContractScan web API or FastAPI application.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Josh.Kim from gravatar.com Josh.Kim

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: ContractScan
  • Tags solidity , smart-contract , security , vulnerability-scanner , mcp , model-context-protocol , slither , blockchain , ethereum , auditing
  • Requires: Python >=3.11
  • Provides-Extra: slither , semgrep , ai
Classifiers

Release history Release notifications | RSS feed

This version

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

contractscan_mcp-0.1.1.tar.gz (4.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

contractscan_mcp-0.1.1-py3-none-any.whl (3.8 kB view details)

Uploaded Python 3

File details

Details for the file contractscan_mcp-0.1.1.tar.gz.

File metadata

  • Download URL: contractscan_mcp-0.1.1.tar.gz
  • Upload date:
  • Size: 4.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for contractscan_mcp-0.1.1.tar.gz
Algorithm Hash digest
SHA256 22bfb97275270b88fafbe47d735330ba393d8735a1af119930258fb82ae5c706
MD5 f8e4cfade4bf9cf31235ee611b5ef677
BLAKE2b-256 9370f00e130f0ce80e83734aab671a002e3371b2a4a1ce12ef958c073954bb46

See more details on using hashes here.

File details

Details for the file contractscan_mcp-0.1.1-py3-none-any.whl.

File metadata

File hashes

Hashes for contractscan_mcp-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 7eff62cf66dd67f309c77edcae091aee3566d7b72b8adce10bc10065910408bc
MD5 ca621c3c5b14dea6ac8e6e5c98e5b72c
BLAKE2b-256 117bbe14befe729dd1793f6c352c8573d590f7122291ea5d14cdf13a67dc48eb

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page