Oxvault

Overview

What Oxvault is, how to install it, and a five-minute quickstart.

Oxvault secures the AI supply chain in two places: before you install code and while it runs.

  • Scanner (oxvault) — a static analysis CLI. It inspects MCP servers and ML model artifacts for vulnerabilities and reports findings to your terminal, or as JSON/SARIF for CI. Model files are parsed, never loaded or executed. Open source.
  • Gateway (oxvault-gw) — a runtime security proxy. It sits between your AI client (Claude, Cursor, Windsurf, …) and an MCP server, inspecting every JSON-RPC message in real time, blocking policy violations and credential access, and writing a tamper-evident audit log. Commercial component built on the scanner’s detection engine.

The two share one detection engine, so a rule that flags a poisoned tool description in a static scan also fires at runtime in the gateway.

What the scanner looks at

  • MCP servers — local directories, npm packages, GitHub repos, or every server declared in your MCP client config.
  • ML model artifacts — pickle (.pkl/.pt/.pth), ONNX, safetensors, model cards, and signature manifests. Pickle files are disassembled at the opcode level; they are never executed.
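What "disassembled at the opcode level, never executed" means in practice, as an added illustration of the technique rather than the scanner's own code: pickletools.genops decodes a pickle's instruction stream without running it, so a payload that would call os.system on load can be spotted by looking for the GLOBAL / STACK_GLOBAL import opcodes and the REDUCE call that follows. The denylist, the benign-import allowlist and the sample pickles below are constructed for this example; a real scanner's rule set is broader.

```python
import os
import pickle
import pickletools

# Constructed denylist for illustration: callables a model pickle has no reason
# to import. os.system serializes as posix.system on POSIX hosts, nt.system on Windows.
DANGEROUS_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("os", "popen"), ("posix", "popen"), ("nt", "popen"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "check_output"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "compile"),
    ("builtins", "__import__"), ("builtins", "getattr"),
    ("socket", "socket"), ("importlib", "import_module"),
}

# Imports a plain PyTorch state_dict legitimately needs (constructed, partial list);
# anything not listed is flagged for review rather than silently accepted.
KNOWN_BENIGN = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"), ("torch", "HalfStorage"), ("torch", "LongStorage"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_pickle(data: bytes) -> list:
    """Disassemble with pickletools.genops and classify every import.

    Nothing is unpickled: genops only decodes opcodes and their arguments, so a
    payload that would run os.system under pickle.load() is inert bytes here.
    """
    findings = []
    strings = []        # recent string pushes; STACK_GLOBAL consumes the last two
    last_import = None  # (module, name) of the most recently resolved global
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
            continue
        if op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            module, _, name = arg.partition(" ")
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name were pushed as strings
            if len(strings) < 2:
                findings.append({"severity": "WARNING", "pos": pos, "opcode": op.name,
                                 "target": "?", "message": "STACK_GLOBAL without two preceding strings"})
                continue
            module, name = strings[-2], strings[-1]
        elif op.name == "REDUCE" and last_import in DANGEROUS_GLOBALS:
            # REDUCE calls the callable on the stack: this is the moment code would run.
            findings.append({"severity": "CRITICAL", "pos": pos, "opcode": op.name,
                             "target": "%s.%s" % last_import,
                             "message": "dangerous import is called during load"})
            continue
        else:
            continue
        last_import = (module, name)
        if last_import in DANGEROUS_GLOBALS:
            sev, msg = "CRITICAL", "imports a code-execution primitive"
        elif last_import in KNOWN_BENIGN:
            sev, msg = "INFO", "expected tensor-rebuild import"
        else:
            sev, msg = "WARNING", "unrecognised import; review before loading"
        findings.append({"severity": sev, "pos": pos, "opcode": op.name,
                         "target": "%s.%s" % last_import, "message": msg})
    return findings


def is_safe(data: bytes) -> bool:
    return not any(f["severity"] == "CRITICAL" for f in scan_pickle(data))


class Payload:
    """Constructed malicious object: __reduce__ makes pickle.dumps() emit the
    instruction 'call os.system("echo pwned")'. dumps() only writes it; a later
    pickle.load() would execute it, and this script never loads it."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


MALICIOUS_P4 = pickle.dumps(Payload(), protocol=4)   # STACK_GLOBAL form
MALICIOUS_P0 = pickle.dumps(Payload(), protocol=0)   # GLOBAL form
BENIGN = pickle.dumps({"layer.weight": [0.1, 0.2, 0.3]}, protocol=4)  # no imports at all

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_P4), ("benign", BENIGN)):
        print(label, "SAFE" if is_safe(blob) else "NOT SAFE")
        for f in scan_pickle(blob):
            print("  %-8s %-12s @%d %s: %s" % (f["severity"], f["opcode"], f["pos"],
                                               f["target"], f["message"]))
```

The same logic applies to .pt/.pth files, which are zip archives whose data.pkl member is an ordinary pickle; open the member and pass its bytes to scan_pickle without ever calling torch.load.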

Install

Install the scanner with the one-line installer:

curl -fsSL https://oxvault.dev/install.sh | sh

The installer is a shell script fetched over HTTPS and executed as your user. If your policy forbids piping unreviewed scripts into sh, download the script first, read it, and then run it.

Or download a prebuilt binary for your platform from the GitHub releases page and put it on your PATH.

If you have a Go toolchain, you can also build from source:

go install github.com/oxvault/scanner/cmd@latest   # installs the `oxvault` binary

Verify the install:

oxvault --version

The Gateway ships as a separate oxvault-gw binary and requires a license key.

Quickstart

1. Scan a local MCP server

Point the scanner at any directory or file:

oxvault scan ./my-mcp-server

The scanner resolves the target, runs source-code analysis and egress detection, connects to the server to inspect its tool descriptions, and prints findings grouped by analysis. The excerpt below is abridged; the Summary counts every finding, including those not shown:

  ── Source Code Analysis ──────────────────────────────

  ⚠ HIGH     [medium] mcp-path-traversal-risk (CWE-22)
    server.js:19
    File operation with concatenated path (traversal risk): ...

  ── Credential Analysis ───────────────────────────────

  ✗ CRITICAL [medium] mcp-hardcoded-secret (CWE-798)
    server.js:22
    Hardcoded credential: const DB_PASSWORD = "super_secret_password_123";

  ── Summary ───────────────────────────────────────────

  2 CRITICAL · 2 HIGH · 0 WARNING · 1 INFO

  ✗ This server is NOT SAFE to install.

You can also scan a published package or a repo directly:

oxvault scan @company/mcp-server      # npm package (downloaded to a temp dir)
oxvault scan github:user/repo         # cloned and scanned

2. Scan a model from Hugging Face

Prefix a repo with hf: to download, cache, and scan a model:

oxvault scan hf:org/model

Add --hf-token (or set HF_TOKEN) for gated or private repos, and --hf-revision to pin a branch, tag, or commit. See the CLI reference for cache and size controls.

3. Read the output

By default findings print to your terminal. For automation, ask for machine-readable output:

oxvault scan ./my-mcp-server --format json    # array of findings on stdout
oxvault scan ./my-mcp-server --format sarif   # SARIF 2.1.0 for code scanning

The scanner exits non-zero when it finds an issue at or above the --fail-on severity (critical by default), which is what makes it useful as a CI gate:

oxvault scan ./my-mcp-server --format sarif --fail-on high
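The three steps above as one CI helper, added here as an example and not part of the Oxvault project: it runs the scan with --format json, applies the same severity ordering as the Summary line and the --fail-on flag, and adds one thing the bare flag cannot express, a time-boxed waiver for a known finding so accepted risk is revisited instead of becoming permanent. The field names in the findings (severity, confidence, rule, cwe, file, line, message) are an assumption modelled on the terminal output; check them against real JSON output before relying on them. The sample findings, the waiver list and the rule id example-info-rule are constructed for this example, and the helper assumes the JSON array is on stdout whatever the exit status.

```python
import json
import subprocess
import sys
from datetime import date

# Severity order as the scanner's Summary line reports it: CRITICAL > HIGH > WARNING > INFO.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed sample findings. The field names are an ASSUMPTION about the JSON
# shape, chosen to mirror the terminal output (severity, confidence, rule, CWE,
# file:line, message); verify them against real `oxvault scan --format json` output.
SAMPLE_FINDINGS = [
    {"severity": "CRITICAL", "confidence": "medium", "rule": "mcp-hardcoded-secret",
     "cwe": "CWE-798", "file": "server.js", "line": 22,
     "message": "Hardcoded credential: const DB_PASSWORD = \"...\""},
    {"severity": "HIGH", "confidence": "medium", "rule": "mcp-path-traversal-risk",
     "cwe": "CWE-22", "file": "server.js", "line": 19,
     "message": "File operation with concatenated path (traversal risk)"},
    # hypothetical rule id, present only to exercise the INFO bucket
    {"severity": "INFO", "confidence": "high", "rule": "example-info-rule",
     "cwe": "", "file": "server.js", "line": 1, "message": "informational note"},
]

# Time-boxed waivers (constructed): a finding is suppressed only while the waiver
# has not expired, so an accepted risk comes back for review instead of vanishing.
SAMPLE_WAIVERS = [
    {"rule": "mcp-path-traversal-risk", "file": "server.js",
     "reason": "path is validated upstream; fix tracked", "expires": "2025-02-01"},
]


def gate(findings, fail_on="critical", waivers=(), today=None):
    """Return (counts, blocking, suppressed). `fail_on` mirrors the CLI flag:
    findings at or above that severity block the build unless an unexpired
    waiver matches the same rule in the same file. `today` is an ISO date string
    so the cut-off can be pinned in tests."""
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_on.upper()]
    counts = {s: 0 for s in SEVERITY_RANK}
    blocking, suppressed = [], []
    for f in findings:
        sev = f["severity"].upper()
        counts[sev] += 1
        if SEVERITY_RANK[sev] < threshold:
            continue
        waiver = next((w for w in waivers
                       if w["rule"] == f["rule"] and w["file"] == f["file"]
                       and date.fromisoformat(w["expires"]) >= today), None)
        if waiver:
            suppressed.append((f, waiver))
        else:
            blocking.append(f)
    return counts, blocking, suppressed


def summary(counts):
    """Same shape as the scanner's own Summary line."""
    return " · ".join("%d %s" % (counts[s], s) for s in ("CRITICAL", "HIGH", "WARNING", "INFO"))


def run_scan(target):
    """Run the real CLI and parse its JSON. The scanner's exit status is ignored
    because gate() applies its own policy; stdout is assumed to carry the array."""
    proc = subprocess.run(["oxvault", "scan", target, "--format", "json"],
                          capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    findings = run_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FINDINGS
    counts, blocking, suppressed = gate(findings, fail_on="high", waivers=SAMPLE_WAIVERS)
    for f, w in suppressed:
        print("  waived   %s %s:%s until %s (%s)" % (f["rule"], f["file"], f["line"],
                                                  w["expires"], w["reason"]))
    for f in blocking:
        print("  %-8s %s (%s) %s:%s" % (f["severity"], f["rule"], f["cwe"], f["file"], f["line"]))
    print(summary(counts))
    sys.exit(1 if blocking else 0)
```

Run it as `python gate.py ./my-mcp-server` in the pipeline; with no argument it evaluates the constructed sample. Keep the waiver list in version control next to the code it excuses, so the reason and expiry are reviewed like any other change.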

Where to next