Overview
What Oxvault is, how to install it, and a five-minute quickstart.
Oxvault secures the AI supply chain in two places: before you install code and while it runs.
- Scanner (oxvault) — a static analysis CLI. It inspects MCP servers and ML model artifacts for vulnerabilities without running them, and reports findings to your terminal, or as JSON/SARIF for CI. Open source.
- Gateway (oxvault-gw) — a runtime security proxy. It sits between your AI client (Claude, Cursor, Windsurf, …) and an MCP server, inspecting every JSON-RPC message in real time, blocking policy violations and credential access, and writing a tamper-evident audit log. A commercial component built on the scanner's detection engine.
The two share one detection engine, so a rule that flags a poisoned tool description in a static scan also fires at runtime in the gateway.
What the scanner looks at
- MCP servers — local directories, npm packages, GitHub repos, or every server declared in your MCP client config.
- ML model artifacts — pickle (.pkl/.pt/.pth), ONNX, safetensors, model cards, and signature manifests. Pickle files are disassembled at the opcode level; they are never executed.
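What "disassembled at the opcode level" means in practice, as an added example that is not the scanner's own code: a pickle is a small stack-machine program, and a loader runs arbitrary code only when an import opcode (GLOBAL / STACK_GLOBAL) is followed by a call opcode (REDUCE, NEWOBJ, …). Walking the opcode stream with the standard library's pickletools.genops finds that pattern without ever unpickling. The opcode sets, the short list of dangerous callables, the rule id and the finding shape are all assumptions made for this example, not the scanner's rules or output format; the sample pickles are constructed inline.

```python
import collections
import io
import pickle
import pickletools

# Opcodes that push an importable callable onto the stack, and opcodes that
# invoke whatever is on the stack. An import followed by a call is the
# pattern behind pickle-based code execution (os.system via __reduce__ etc.).
CALL_OPS = {"REDUCE", "NEWOBJ", "NEWOBJ_EX", "OBJ", "INST"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "BINUNICODE8", "SHORT_BINUNICODE"}

# Callables that have no business in a model file. Assumed, deliberately
# short list for this example; a real rule set is much larger.
DANGEROUS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
}


def scan_pickle(data: bytes) -> list:
    """Disassemble `data` with pickletools.genops and report every imported
    callable that is subsequently called. Nothing is unpickled or executed.
    The stack is modelled only as far as needed: the most recent unconsumed
    import is assumed to be the callee of the next call opcode."""
    findings = []
    pending = []   # imports pushed but not yet consumed by a call opcode
    strings = []   # string operands seen so far; STACK_GLOBAL takes its
                   # module and name from the two most recent ones
    for op, arg, pos in pickletools.genops(io.BytesIO(data)):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)      # genops yields "module name"
            pending.append((module, name, pos))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            pending.append((strings[-2], strings[-1], pos))
        elif op.name in CALL_OPS and pending:
            module, name, at = pending.pop()
            findings.append({
                "rule": "pickle-import-and-call",   # assumed rule id
                "severity": "CRITICAL" if (module, name) in DANGEROUS else "INFO",
                "module": module, "name": name,
                "opcode": op.name, "offset": at,
            })
    return findings


# Constructed samples. The two malicious ones are hand-written opcode streams
# (protocol 0 and protocol 4) that would run `echo pwned` if ever loaded.
MALICIOUS_P0 = b"cos\nsystem\n(S'echo pwned'\ntR."   # GLOBAL MARK STRING TUPLE REDUCE STOP
MALICIOUS_P4 = (b"\x80\x04"                            # PROTO 4
                b"\x8c\x02os\x8c\x06system"            # SHORT_BINUNICODE "os", "system"
                b"\x93"                                # STACK_GLOBAL -> os.system
                b"\x8c\x0aecho pwned\x85"              # SHORT_BINUNICODE arg, TUPLE1
                b"R.")                                 # REDUCE, STOP
BENIGN = pickle.dumps({"weights": [1.0, 2.0], "epoch": 3}, protocol=4)
# Imports a class and calls it, but nothing dangerous: reported as INFO, not CRITICAL.
BENIGN_IMPORT = pickle.dumps(collections.OrderedDict(), protocol=4)

if __name__ == "__main__":
    for label, blob in (("protocol 0", MALICIOUS_P0), ("protocol 4", MALICIOUS_P4),
                        ("benign dict", BENIGN), ("benign import", BENIGN_IMPORT)):
        print(label, scan_pickle(blob))
```

The point of the INFO tier is that an import-and-call is not by itself malicious (every pickled class instance does it); the severity comes from what is imported. A real scanner also has to handle the cases this sketch skips, such as callables reached through `getattr` chains or pickles that `BUILD` state onto an object after construction.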
Install
Install the scanner with the one-line installer:
curl -fsSL https://oxvault.dev/install.sh | sh
Or download a prebuilt binary for your platform from the GitHub releases page and put it on your PATH.
If you have a Go toolchain, you can also build from source:
go install github.com/oxvault/scanner/cmd@latest # installs the `oxvault` binary
Verify the install:
oxvault --version
The Gateway ships as a separate oxvault-gw binary and requires a license key.
Quickstart
1. Scan a local MCP server
Point the scanner at any directory or file:
oxvault scan ./my-mcp-server
The scanner resolves the target, runs source-code analysis and egress detection, connects to the server to inspect its tool descriptions, and prints grouped findings:
── Source Code Analysis ──────────────────────────────
⚠ HIGH [medium] mcp-path-traversal-risk (CWE-22)
server.js:19
File operation with concatenated path (traversal risk): ...
── Credential Analysis ───────────────────────────────
✗ CRITICAL [medium] mcp-hardcoded-secret (CWE-798)
server.js:22
Hardcoded credential: const DB_PASSWORD = "super_secret_password_123";
── Summary ───────────────────────────────────────────
2 CRITICAL · 2 HIGH · 0 WARNING · 1 INFO
✗ This server is NOT SAFE to install.
You can also scan a published package or a repo directly:
oxvault scan @company/mcp-server # npm package (downloaded to a temp dir)
oxvault scan github:user/repo # cloned and scanned
2. Scan a model from Hugging Face
Prefix a repo with hf: to download, cache, and scan a model:
oxvault scan hf:org/model
Add --hf-token (or set HF_TOKEN) for gated or private repos, and --hf-revision to pin a branch, tag, or commit. See the CLI reference for cache and size controls.
3. Read the output
By default findings print to your terminal. For automation, ask for machine-readable output:
oxvault scan ./my-mcp-server --format json # array of findings on stdout
oxvault scan ./my-mcp-server --format sarif # SARIF 2.1.0 for code scanning
The scanner exits non-zero when it finds an issue at or above the --fail-on severity (critical by default), which is what makes it useful as a CI gate:
oxvault scan ./my-mcp-server --format sarif --fail-on high
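When the built-in --fail-on gate is not flexible enough (for example, a reviewed finding that must be suppressed at one location without silencing the rule everywhere), the JSON output can be post-processed in the pipeline. The script below is an added example, not part of Oxvault: it re-implements the --fail-on threshold over the JSON findings, adds a location-pinned allowlist, fails closed on an unknown severity, and prints a summary in the same shape as the scanner's own. The finding field names (rule, severity, cwe, file, line, message) are an assumption about the JSON schema, so check them against the CLI reference before relying on this; the sample findings are constructed inline.

```python
import json
import sys

# Severity order used for the threshold comparison. The four names match the
# scanner's summary line; their ordering here is the example's own.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed sample output. The field names are an assumption about what
# `oxvault scan --format json` emits, not its documented schema.
SAMPLE_FINDINGS = json.loads("""[
  {"rule": "mcp-hardcoded-secret", "severity": "CRITICAL", "cwe": "CWE-798",
   "file": "server.js", "line": 22, "message": "Hardcoded credential"},
  {"rule": "mcp-path-traversal-risk", "severity": "HIGH", "cwe": "CWE-22",
   "file": "server.js", "line": 19, "message": "File operation with concatenated path"},
  {"rule": "example-info-finding", "severity": "INFO", "cwe": null,
   "file": "package.json", "line": 1, "message": "Constructed informational finding"}
]""")


def is_allowlisted(finding, allowlist):
    """An allowlist entry is either a bare rule id (suppress everywhere) or
    rule:file:line (suppress one reviewed occurrence). Pinning to a location
    is the safer default: a new hit of the same rule elsewhere still blocks."""
    pinned = f"{finding['rule']}:{finding['file']}:{finding['line']}"
    return finding["rule"] in allowlist or pinned in allowlist


def gate(findings, fail_on="CRITICAL", allowlist=()):
    """Mirror --fail-on: return (exit_code, counts, blocking), where exit_code
    is 1 if any non-allowlisted finding is at or above the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    counts = {name: 0 for name in SEVERITY_RANK}
    blocking = []
    for f in findings:
        sev = f["severity"].upper()
        if sev not in SEVERITY_RANK:
            # Fail closed: an unrecognised severity is a schema change, not noise.
            raise ValueError(f"unknown severity {f['severity']!r} in {f['rule']}")
        counts[sev] += 1
        if SEVERITY_RANK[sev] >= threshold and not is_allowlisted(f, allowlist):
            blocking.append(f)
    return (1 if blocking else 0), counts, blocking


def summary_line(counts):
    """Same shape as the scanner's own summary line."""
    return " · ".join(f"{counts[s]} {s}" for s in ("CRITICAL", "HIGH", "WARNING", "INFO"))


def main(argv):
    # Usage: oxvault scan ./server --format json | python gate.py [FAIL_ON] [ALLOW ...]
    # Pass --sample to run on the embedded constructed findings instead of stdin.
    args = [a for a in argv[1:] if a != "--sample"]
    fail_on = args[0] if args else "CRITICAL"
    allowlist = tuple(args[1:])
    findings = SAMPLE_FINDINGS if "--sample" in argv else json.load(sys.stdin)
    code, counts, blocking = gate(findings, fail_on, allowlist)
    print(summary_line(counts))
    for f in blocking:
        print(f"✗ {f['severity']} {f['rule']} {f['file']}:{f['line']} {f['message']}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the allowlist in the repository and review changes to it like code: an entry pinned to rule:file:line expires naturally when the line moves, which is the behaviour you want for a suppression that was justified for one specific occurrence.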
Where to next
- Scanner CLI reference — every command and flag.
- Detection rules — what the scanner actually detects.
- Gateway — block attacks at runtime.
- Policy guide — write your own runtime rules.