
ContractScan MCP Server — multi-engine Solidity vulnerability scanner for LLM agents


ContractScan MCP Server

Expose ContractScan's multi-engine Solidity vulnerability scanner as a Model Context Protocol (MCP) server. Once connected, any MCP-compatible AI tool (Claude Desktop, Cursor, Windsurf, Cline, …) can scan smart contracts directly from a conversation.

Why ContractScan MCP?

Tool               Engines
-----------------  ----------------------------------------------------
Slither-MCP        Slither only
Aderyn-MCP         Aderyn only
ContractScan MCP   Slither + Semgrep + Mythril + AI cross-verification

Requirements

  • Python 3.11+
  • pip install contractscan-mcp
  • solc installed and activated at a version that satisfies your contracts' pragma, e.g. solc-select install 0.8.20 && solc-select use 0.8.20 (Slither and Mythril compile with the active solc, so a mismatched version makes the scan fail before any engine runs)
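Picking the solc version by hand works for one contract but not for a directory scan, where every file's pragma has to be satisfied by the single version solc-select activates. The helper below is an added example (not code from the contractscan-mcp project): it reads the `pragma solidity` line of each file, checks that one version satisfies all of them, and emits the two solc-select commands from the requirements list. The sample sources at the bottom are constructed; `||` disjunctions in pragmas are not handled.

```python
"""Derive the solc-select version for a set of Solidity files from their pragmas.

Added example, not part of contractscan-mcp.  Caret/tilde ranges follow the
npm semantics solc uses (^0.8.20 means >=0.8.20 <0.9.0).
"""
import re
from typing import Dict, List, Optional, Tuple

PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
CONSTRAINT_RE = re.compile(r"(\^|~|>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)")
LOWER_BOUND_OPS = {"", "=", "^", "~", ">="}   # operators that fix a minimum version

Version = Tuple[int, int, int]


def _key(v: str) -> Version:
    """'0.8.20' -> (0, 8, 20) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))  # type: ignore[return-value]


def parse_pragma(source: str) -> List[Tuple[str, str]]:
    """(operator, version) pairs from the first `pragma solidity` statement, or []."""
    m = PRAGMA_RE.search(source)
    return CONSTRAINT_RE.findall(m.group(1)) if m else []


def satisfies(version: str, constraints: List[Tuple[str, str]]) -> bool:
    """True if `version` meets every constraint of one pragma (conjunction)."""
    vk = _key(version)
    for op, c in constraints:
        ck = _key(c)
        if op in ("", "="):
            ok = vk == ck
        elif op == ">=":
            ok = vk >= ck
        elif op == ">":
            ok = vk > ck
        elif op == "<=":
            ok = vk <= ck
        elif op == "<":
            ok = vk < ck
        else:  # ^ or ~: ^1.2.3 -> <2.0.0; ^0.8.20 and ~x.y.z -> next minor
            upper = (ck[0] + 1, 0, 0) if (op == "^" and ck[0] > 0) else (ck[0], ck[1] + 1, 0)
            ok = ck <= vk < upper
        if not ok:
            return False
    return True


def solc_version_for(source: str) -> Optional[str]:
    """Lowest version the file's pragma allows (the one solc-select should activate)."""
    lows = [v for op, v in parse_pragma(source) if op in LOWER_BOUND_OPS]
    return max(lows, key=_key) if lows else None


def plan_solc_select(sources: Dict[str, str]) -> List[str]:
    """solc-select commands for all files; raises if one version cannot fit every pragma."""
    per_file = {name: solc_version_for(src) for name, src in sources.items()}
    missing = [n for n, v in per_file.items() if v is None]
    if missing:
        raise ValueError("no usable 'pragma solidity' in: " + ", ".join(missing))
    candidate = max(per_file.values(), key=_key)  # highest minimum wins ...
    bad = [n for n, src in sources.items() if not satisfies(candidate, parse_pragma(src))]
    if bad:  # ... unless an exact or upper-bounded pragma rejects it
        raise ValueError(f"solc {candidate} violates the pragma of: {', '.join(bad)}; scan those separately")
    return [f"solc-select install {candidate}", f"solc-select use {candidate}"]


if __name__ == "__main__":
    # Constructed sample sources standing in for a contracts/ directory
    SAMPLE = {
        "contracts/Token.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.20;\ncontract Token {}\n",
        "contracts/Vault.sol": "pragma solidity >=0.8.0 <0.9.0;\ncontract Vault {}\n",
    }
    print("\n".join(plan_solc_select(SAMPLE)))
```

Run it over the directory you intend to pass to scan_file; if it raises on mixed pragmas, split the scan per version rather than forcing one solc and reading a compile error as "no findings".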

Quick Start

Install

pip install contractscan-mcp

Test it works

contractscan-mcp --help

IDE Setup

Claude Desktop (macOS / Windows)

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "contractscan": {
      "command": "contractscan-mcp",
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-...",
        "GOOGLE_API_KEY": "AIza..."
      }
    }
  }
}

Restart Claude Desktop. You should see ContractScan in the MCP tools list.


Cursor

Open Cursor Settings → MCP (or edit ~/.cursor/mcp.json):

{
  "mcpServers": {
    "contractscan": {
      "command": "contractscan-mcp",
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-...",
        "GOOGLE_API_KEY": "AIza..."
      }
    }
  }
}

Restart Cursor. ContractScan tools will appear in the Composer context.


Windsurf

Edit ~/.codeium/windsurf/mcp_config.json:

{
  "mcpServers": {
    "contractscan": {
      "command": "contractscan-mcp",
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-...",
        "GOOGLE_API_KEY": "AIza..."
      }
    }
  }
}

Restart Windsurf. ContractScan will be available in Cascade.


Cline (VS Code)

In VS Code, open Cline settings and add to MCP Servers:

{
  "contractscan": {
    "command": "contractscan-mcp",
    "env": {
      "ANTHROPIC_API_KEY": "sk-ant-..."
    }
  }
}

Claude Code (CLI)

Add to your project's CLAUDE.md:

## MCP Tools

This project uses ContractScan MCP for smart contract security scanning.

Install: `pip install contractscan-mcp`

Add to `~/.claude/settings.json`:
```json
{
  "mcpServers": {
    "contractscan": {
      "command": "contractscan-mcp",
      "env": { "ANTHROPIC_API_KEY": "YOUR_KEY" }
    }
  }
}
```

Or drive the server directly from a terminal. It is an MCP stdio server, so it reads newline-delimited JSON-RPC 2.0 messages on stdin and answers on stdout; a client has to send the MCP initialize handshake first, then a tools/call, rather than piping a bare {"tool": ..., "args": ...} object:

# Scan a single file: after the initialize / notifications/initialized handshake,
# the MCP client (or a script framing these messages) sends one line like this
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"scan_file","arguments":{"file_path":"contracts/Token.sol"}}}

# Or use Claude Code with MCP enabled (add to settings.json first)

Available Tools

scan_contract

Scan Solidity source code passed as a string.

Parameter          Type    Default                 Description
-----------------  ------  ----------------------  -----------------------------
solidity_code      string  required                Full Solidity source
filename           string  "contract.sol"          Filename shown in reports
generate_report    bool    true                    Generate AI narrative report
anthropic_api_key  string  env ANTHROPIC_API_KEY   BYOK Anthropic key
openai_api_key     string  env OPENAI_API_KEY      BYOK OpenAI key
tier               string  "free"                  "free" / "basic" / "pro"

scan_file

Scan a local .sol file or directory of Solidity files. The path is resolved by the server process, which runs with the privileges of the user who launched the IDE, so the tool reads whatever path the model passes; when the conversation contains untrusted content (a third-party contract, pasted issue text), review the path in the tool call before approving it.

Parameter          Type    Default                 Description
-----------------  ------  ----------------------  -----------------------------
file_path          string  required                Absolute or relative path
generate_report    bool    true                    Generate AI narrative report
anthropic_api_key  string  env ANTHROPIC_API_KEY   BYOK Anthropic key
openai_api_key     string  env OPENAI_API_KEY      BYOK OpenAI key
tier               string  "free"                  "free" / "basic" / "pro"

get_engines

List all registered scan engines and their availability.

{
  "engines": [
    {"name": "slither",  "tier": "free",  "available": true},
    {"name": "mythril",  "tier": "basic", "available": true},
    {"name": "semgrep",  "tier": "basic", "available": true},
    {"name": "ai",       "tier": "free",  "available": true}
  ]
}

get_report

Retrieve the most recent scan result from the current session.
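The terminal usage above and the tool tables describe the same wire exchange: spawn contractscan-mcp, complete the MCP handshake, then call scan_file or scan_contract and read the result. The client below is an added example, not code from the contractscan-mcp package; it uses only the standard library and the MCP stdio framing (JSON-RPC 2.0, one object per line). The command name, tool names and argument names come from this page; the protocolVersion string and clientInfo are assumptions, and the server replies in the test are constructed. It deliberately distinguishes a tool that ran and found nothing from a tool call that failed (isError or a JSON-RPC error), because a failed scan must never be read as a clean one.

```python
"""Minimal MCP stdio client for contractscan-mcp (added example, not project code)."""
import json
import os
import subprocess
from typing import Any, Dict, Iterable, Optional

PROTOCOL_VERSION = "2024-11-05"  # MCP spec revision advertised by this client (assumed)


def initialize_request(req_id: int) -> Dict[str, Any]:
    """First message of every MCP session; the server answers with its capabilities."""
    return {
        "jsonrpc": "2.0", "id": req_id, "method": "initialize",
        "params": {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                   "clientInfo": {"name": "contractscan-script", "version": "0.1"}},
    }


def initialized_notification() -> Dict[str, Any]:
    """Notification (no id, no reply) that completes the handshake."""
    return {"jsonrpc": "2.0", "method": "notifications/initialized"}


def tool_call_request(req_id: int, name: str, arguments: Dict[str, Any]) -> Dict[str, Any]:
    """tools/call for e.g. scan_file / scan_contract with the arguments the page lists."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}


def encode(message: Dict[str, Any]) -> bytes:
    """stdio framing: one compact JSON object per line (embedded newlines would split it)."""
    return (json.dumps(message, separators=(",", ":")) + "\n").encode("utf-8")


def read_response(lines: Iterable[bytes], want_id: int) -> Dict[str, Any]:
    """Return the response for `want_id`; skip server notifications and other traffic."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        msg = json.loads(raw)
        if msg.get("id") == want_id and ("result" in msg or "error" in msg):
            return msg
    raise EOFError(f"server closed stdout before answering request {want_id}")


def tool_result_text(response: Dict[str, Any]) -> str:
    """Flatten the text parts of a tools/call result; raise on any kind of failure."""
    if "error" in response:
        err = response["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    result = response["result"]
    text = "\n".join(p["text"] for p in result.get("content", []) if p.get("type") == "text")
    if result.get("isError"):  # tool ran but failed (e.g. solc missing): not a clean scan
        raise RuntimeError("tool reported an error: " + text)
    return text


def call_tool(name: str, arguments: Dict[str, Any], command: str = "contractscan-mcp",
              extra_env: Optional[Dict[str, str]] = None) -> str:
    """Spawn the server, do the handshake, call one tool, return its text output."""
    env = {**os.environ, **(extra_env or {})}  # API keys go via env, never argv
    proc = subprocess.Popen([command], stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, env=env)
    lines = iter(proc.stdout.readline, b"")
    try:
        proc.stdin.write(encode(initialize_request(1)))
        proc.stdin.flush()
        read_response(lines, 1)
        proc.stdin.write(encode(initialized_notification()))
        proc.stdin.write(encode(tool_call_request(2, name, arguments)))
        proc.stdin.flush()
        return tool_result_text(read_response(lines, 2))
    finally:
        proc.stdin.close()
        proc.terminate()
        try:
            proc.wait(timeout=10)
        except subprocess.TimeoutExpired:
            proc.kill()


if __name__ == "__main__":
    print(call_tool("scan_file", {"file_path": "contracts/Token.sol", "generate_report": False}))
```

In CI, exit non-zero on the RuntimeError path as well as on findings; the two failure modes above (tool-level isError, transport-level error) are exactly the ones a pipeline tends to swallow as "0 issues".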


Analysis Tiers

Tier   Engines included
-----  --------------------------------------
free   Slither + AI
basic  Slither + Semgrep + Mythril + AI
pro    All engines

API Keys

The server reads API keys from environment variables or, for Anthropic and OpenAI, from the scan_contract / scan_file arguments (BYOK); the Google key is only read from the environment, since the tool arguments have no field for it.

Variable           Use
-----------------  -----------------------------------
ANTHROPIC_API_KEY  Claude-based AI report / detection
GOOGLE_API_KEY     Gemini-based AI report / detection
OPENAI_API_KEY     GPT-4o-based AI report / detection

At least one AI key is recommended for full reports. Static analysis (Slither / Semgrep / Mythril) works without any key.

Two handling notes: the env block of an IDE config file stores the keys in plaintext, so keep that file out of version control (a project-level MCP config is easy to commit by accident) and restrict its permissions; and a key passed as a BYOK tool argument travels through the model conversation, so it can end up in the host's chat history and logs. Prefer the environment variables and reserve BYOK arguments for short-lived keys you are prepared to rotate.


Example Usage (in Claude Desktop)

Once connected, you can use ContractScan in natural language:

"Scan this contract for vulnerabilities" — paste your Solidity code

"Check /path/to/contracts/Token.sol for security issues" — scan a local file

"What engines are available?" — list configured engines


Impact on Existing Features

The MCP server runs as a separate process using stdio transport. It does not modify or affect the existing ContractScan web API or FastAPI application.

Download files

Source Distribution

  contractscan_mcp-0.1.0.tar.gz (4.2 kB)

Built Distribution

  contractscan_mcp-0.1.0-py3-none-any.whl (3.7 kB)

File details: contractscan_mcp-0.1.0.tar.gz

  • Size: 4.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

  Algorithm    Hash digest
  -----------  ----------------------------------------------------------------
  SHA256       6cc780f77bbaa3620be12267880b66d303f371e873d8e7d08a2cf214f6502225
  MD5          56d62b045b5269ddd05f755181195e81
  BLAKE2b-256  db291320fa3648ad727b476ef832b4fc1e1b85659c8fc303650086026fe44089

File details: contractscan_mcp-0.1.0-py3-none-any.whl

  Algorithm    Hash digest
  -----------  ----------------------------------------------------------------
  SHA256       3677f9c11032cd4115b559ad251b32116475543eec3d68ca0e8af7752d0d3323
  MD5          e9cf96562e1df350e2a40819363069b0
  BLAKE2b-256  d1085d892c785cdb6d70b0008232f13ca6ac080ee8f56189377e045be70e1070
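Because the 0.1.0 upload is not backed by Trusted Publishing, the digests listed above are the only thing tying a downloaded artifact to this page. The snippet below is an added example (not part of the contractscan-mcp project): it checks a downloaded sdist or wheel against the two SHA256 values from the File hashes section and produces a hash-pinned requirements line so that pip install --require-hashes refuses any other file for contractscan-mcp==0.1.0. The digests are copied from this page; the empty-input digest in the test is the well-known SHA256 of zero bytes.

```python
"""Verify contractscan-mcp 0.1.0 artifacts against the digests on this page.

Added example, not project code.  Digest-pin the package so a later re-upload
or a mirror swap cannot change what `pip install` executes.
"""
import hashlib
from typing import Dict, Optional

PACKAGE = "contractscan-mcp"
VERSION = "0.1.0"

# SHA256 digests as listed in the File hashes section for the two 0.1.0 artifacts
LISTED_SHA256: Dict[str, str] = {
    "contractscan_mcp-0.1.0.tar.gz":
        "6cc780f77bbaa3620be12267880b66d303f371e873d8e7d08a2cf214f6502225",
    "contractscan_mcp-0.1.0-py3-none-any.whl":
        "3677f9c11032cd4115b559ad251b32116475543eec3d68ca0e8af7752d0d3323",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> str:
    """Stream the file so large wheels do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matching_artifact(digest: str) -> Optional[str]:
    """Name of the listed artifact with this digest, or None if it matches nothing."""
    digest = digest.lower()
    for name, expected in LISTED_SHA256.items():
        if digest == expected:
            return name
    return None


def verify_artifact(path: str) -> str:
    """Raise unless the file at `path` is one of the two listed artifacts."""
    name = matching_artifact(sha256_of(path))
    if name is None:
        raise RuntimeError(f"{path}: SHA256 matches no listed {PACKAGE} {VERSION} artifact; do not install it")
    return name


def hash_pinned_requirement() -> str:
    """requirements.txt entry for `pip install --require-hashes -r requirements.txt`.

    Either digest is accepted, so pip can pick the wheel or fall back to the sdist.
    """
    hashes = " \\\n    ".join(f"--hash=sha256:{d}" for d in LISTED_SHA256.values())
    return f"{PACKAGE}=={VERSION} \\\n    {hashes}\n"


if __name__ == "__main__":
    # Typical flow: `pip download contractscan-mcp==0.1.0 --no-deps -d dist/`,
    # then verify the downloaded file before installing it.
    import sys
    for p in sys.argv[1:]:
        print(f"{p}: ok ({verify_artifact(p)})")
    print(hash_pinned_requirement(), end="")
```

Note that --require-hashes makes pip demand hashes for every requirement in the file, dependencies included; generate those for the rest of your environment with pip hash on the files pip download fetches, and treat a hash mismatch as a stop, not a warning.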
