
Codesafer
Wire a security MCP into Claude Code or Cursor so every AI-generated diff gets checked for invisible Unicode, Trojan Source tricks, and supply-chain red flags before you merge or ship.
Overview
io.github.goldmembrane/codesafer is a Ship-phase MCP server that scans AI-generated code for invisible Unicode, Trojan Source obfuscation, and supply-chain threat signals.
What is this MCP server?
- Detects invisible Unicode and confusable characters that slip past visual diff review on AI-written code
- Flags Trojan Source patterns from bidirectional override and comment-direction attacks
- Surfaces supply-chain threat signals tailored to dependencies and snippets common in agent output
- Runs as an MCP stdio server via the npm package cleaner-code (registry v1.0.1)
- Pairs with agent workflows: register once, invoke scans from Claude Code, Cursor, Codex, or Windsurf without leaving the
- MCP server schema version aligned with 2025-12-11 server metadata
- Published server version 1.0.1 with npm registry identifier cleaner-code
- stdio transport via npm registryType packaging
What problem does it solve?
Agent-written code can hide malicious logic behind invisible characters and direction overrides, and rushed dependency choices can introduce supply-chain risk that normal lint passes never see.
Who is it for?
Solo builders using Claude Code or Cursor who want an MCP-callable security pass on AI output before every merge or release candidate.
Skip if: Teams that only need style linting, already run enterprise SAST plus SBOM on every PR, or do not use MCP-enabled agents in their workflow.
What do I get? / Deliverables
After you register the MCP server, your agent can run targeted scans so risky Unicode, Trojan Source, and supply-chain patterns surface before you merge or ship.
- MCP-invoked scan results highlighting invisible Unicode and confusable character issues
- Findings related to Trojan Source and bidirectional obfuscation in reviewed code
- Supply-chain-oriented threat signals on AI-suggested dependencies or install patterns
Journey fit
Solo builders lean on agents for speed; the riskiest failures are subtle encoding and dependency attacks that show up right before release, so the canonical shelf is Ship with a security focus rather than pure build-time linting. Invisible Unicode homoglyphs, bidirectional Trojan Source, and poisoned packages are review-and-gate problems—you run this when you are hardening code for merge, deploy, or handoff, which maps directly to the security subphase under Ship.
How it compares
It is an MCP security scanner focused on obfuscation in AI-generated code and supply-chain signals, not a general-purpose ESLint plugin or full-application pentest suite.
Common Questions / FAQ
Who is io.github.goldmembrane/codesafer for?
It is for solo and indie developers who ship with AI coding agents and want Model Context Protocol access to scans for invisible Unicode, Trojan Source, and supply-chain issues without bolting on a heavy enterprise scanner.
When should I use io.github.goldmembrane/codesafer?
Use it during Ship-phase review whenever an agent generates or edits code you plan to merge, especially after large refactors, new dependencies, or pasted snippets you did not write by hand.
How do I add io.github.goldmembrane/codesafer to my agent?
Install the cleaner-code npm package (v1.0.1), add an MCP stdio server entry pointing at that binary in Claude Code, Cursor, or another MCP client, restart the client, then invoke the server’s scan tools on files or buffers from your agent session.