by vinkius-labs
MCP Fusion - The framework for AI-native MCP servers.
# Add to your Claude Code skills
git clone https://github.com/vinkius-labs/mcp-fusionLast scanned: 5/30/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@aws-sdk/xml-builder: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@hono/node-server: @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware",
"severity": "high"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "esbuild: esbuild enables any website to send any requests to the development server and read the response",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "express-rate-limit: express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network",
"severity": "high"
},
{
"type": "npm-audit",
"message": "fast-uri: fast-uri vulnerable to path traversal via percent-encoded dot segments",
"severity": "high"
},
{
"type": "npm-audit",
"message": "fast-xml-parser: fast-xml-parser has stack overflow in XMLBuilder with preserveOrder",
"severity": "high"
},
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "hono: Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Denial of Service via sequential optional groups",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "qs: qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vitepress: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "yaml: yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"severity": "medium"
}
],
"status": "WARNING",
"scannedAt": "2026-05-30T15:38:52.501Z",
"npmAuditRan": true,
"pipAuditRan": true
}mcp-fusion is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by vinkius-labs. MCP Fusion - The framework for AI-native MCP servers. It has 204 GitHub stars.
mcp-fusion returned warnings in SkillsLLM's automated security scan. It has no critical vulnerabilities, but review the flagged issues in the Security Report section before adding it to your workflow.
Clone the repository with "git clone https://github.com/vinkius-labs/mcp-fusion" and add it to your Claude Code skills directory (see the Installation section above).
mcp-fusion is primarily written in TypeScript. It is open-source under vinkius-labs on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh mcp-fusion against similar tools.
No comments yet. Be the first to share your thoughts!
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
The framework for AI-native MCP servers. Type-safe tools, Presenters for LLM perception, governance lockfiles, and zero boilerplate.
Documentation · Quick Start · API Reference
npx fusion create my-server
cd my-server && fusion dev
14 files scaffolded in 6ms — file-based routing, Presenters, Prompts, middleware, Cursor integration, and tests. Ready to go.
MCP Fusion separates three concerns that raw MCP servers mix into a single handler:
Model (Zod Schema) → View (Presenter) → Agent (LLM)
validates perceives acts
The handler returns raw data. The Presenter shapes what the agent sees. The middleware governs access. Works with any MCP client — Cursor, Claude Desktop, Claude Code, Windsurf, Cline, VS Code + GitHub Copilot.
f.query, f.mutation, f.action) with type-chaining. Full IDE autocomplete in .handle() — zero manual interfaces.isolated-vm). The LLM sends logic to your data instead of data to the LLM. Sealed execution — no process, require, fs, net.src/tools/, it becomes a tool. No central import file, no merge conflicts.mcp-fusion.lock), contract diffing, HMAC attestation, semantic probing, entitlement scanning, blast radius analysis.invalidates(), cached(), stale() — the agent knows whether its data is still valid.InferRouter<typeof registry>. Autocomplete for tool names, inputs, and responses.import { initFusion } from '@vinkius-core/mcp-fusion';
type AppContext = { db: PrismaClient; user: User };
const f = initFusion<AppContext>();
// Define a tool with one line
export default f.query('system.health')
.describe('Returns server operational status')
.returns(SystemPresenter)
.handle(async (_, ctx) => ({
status: 'healthy',
uptime: process.uptime(),
version: '1.0.0',
}));
// Presenter — the egress firewall
const SystemPresenter = createPresenter('System')
.schema({
status: t.enum('healthy', 'degraded', 'down'),
uptime: t.number.describe('Seconds since boot'),
version: t.string,
})
.rules(['Version follows semver. Compare with latest to suggest updates.']);
// Self-healing errors — the LLM can recover
return f.error('NOT_FOUND', `Project "${input.id}" not found`)
.suggest('Use projects.list to find valid IDs')
.actions('projects.list', 'projects.search');
Full guide: mcp-fusion.vinkius.com/building-tools
npx fusion inspect # Auto-discover and connect
npx fusion inspect --demo # Built-in simulator
┌──────────────────────────────────────────────────────────────┐
│ ● LIVE: PID 12345 │ RAM: [█████░░░] 28MB │ UP: 01:23 │
├───────────────────────┬──────────────────────────────────────┤
│ TOOL LIST │ X-RAY: billing.create_invoice │
│ ✓ billing.create │ LATE GUILLOTINE: │
│ ✓ billing.get │ DB Raw : 4.2KB │
│ ✗ users.delete │ Wire : 1.1KB │
│ ✓ system.health │ SAVINGS : ████████░░ 73.8% │
├───────────────────────┴──────────────────────────────────────┤
│ 19:32:01 ROUTE billing.create │ 19:32:01 EXEC ✓ 45ms│
└──────────────────────────────────────────────────────────────┘
Connects via Shadow Socket (Named Pipe / Unix Domain Socket) — no stdio interference, no port conflicts.
| Package | Target |
|---|---|
mcp-fusion-vercel |
Vercel Functions (Edge / Node.js) |
mcp-fusion-cloudflare |
Cloudflare Workers — zero polyfills |
| Package | Source |
|---|---|
mcp-fusion-openapi-gen |
Generate typed tools from OpenAPI 3.x specs |
mcp-fusion-prisma-gen |
Generate CRUD tools from Prisma schemas |
mcp-fusion-n8n |
Auto-discover n8n workflows as tools |
mcp-fusion-aws |
Auto-discover AWS Lambda & Step Functions |
mcp-fusion-oauth |
RFC 8628 Device Flow authentication |
mcp-fusion-jwt |
JWT verification — HS256/RS256/ES256 + JWKS |
mcp-fusion-api-key |
API key validation with timing-safe comparison |
mcp-fusion-testing |
In-memory pipeline testing |
mcp-fusion-inspector |
Real-time terminal dashboard |
Full guides, API reference, and cookbook recipes:
See CONTRIBUTING.md for development setup and PR guidelines.
See SECURITY.md for reporting vulnerabilities.