
HIBP
Check emails, passwords, and breach exposure via Have I Been Pwned from your agent before ship or during security review.
Overview
HIBP MCP is a Ship-phase MCP server for the security subphase that lets agents query the Have I Been Pwned API for breach and credential exposure data.
What is this MCP server?
- Official Have I Been Pwned API exposed as MCP tools for agents
- Requires HIBP_API_KEY and HIBP_SUBSCRIPTION_PLAN (Pwned 1–5 tiers)
- npm package @darrenjrobinson/hibp-mcp v1.0.3 over stdio
- Supports breach lookup workflows aligned with OWASP-style credential checks
- The server manifest marks secrets with isSecret so the API key is handled as a secret
Community signal: 5 GitHub stars.
What problem does it solve?
You need fast, authoritative breach checks during release prep, but copying HIBP workflows into one-off scripts wastes time and risks mishandling API keys.
Who is it for?
Solo builders doing pre-launch security review, incident triage, or auth-flow validation who already pay for a HIBP API plan.
Skip if: you only need free public breach search without an API key, or your team wants in-repo secret scanning without external breach APIs.
What do I get? / Deliverables
After setup, your agent can run HIBP-backed lookups through MCP tools using your subscribed API tier instead of manual dashboard checks.
- Agent-invokable HIBP API tools over MCP
- Documented subscription-tier env configuration
- Repeatable breach lookup workflow during security review
Journey fit
Breach and credential exposure checks belong in the ship phase when you harden auth flows and validate user-data safety before release. Security subphase fits because HIBP tools support appsec review, incident response prep, and pre-launch credential hygiene—not feature coding.
How it compares
Live HIBP API MCP integration, not a static security checklist skill.
Common Questions / FAQ
Who is io.github.darrenjrobinson/hibp for?
It is for developers and small SaaS teams with a Have I Been Pwned API subscription who want Claude Code, Cursor, or Codex to run breach queries during security work.
When should I use io.github.darrenjrobinson/hibp?
Use it in the ship phase for security review, credential incident checks, and validating auth-related assumptions before you go live or after a reported leak.
How do I add io.github.darrenjrobinson/hibp to my agent?
Obtain an API key from haveibeenpwned.com/API/Key, set HIBP_API_KEY and HIBP_SUBSCRIPTION_PLAN, install @darrenjrobinson/hibp-mcp, and register the stdio MCP server in your agent config.