URL: /developers/mcp

---
title: "MCP Server"
description: "Run squirrelscan as a local MCP server so agents like Claude Code and Cursor can audit websites directly"
---

The squirrelscan CLI ships a local [Model Context Protocol](https://modelcontextprotocol.io) (MCP) server. It speaks stdio JSON-RPC and exposes squirrelscan's audit engine and cloud features as tools your agent can call directly — no shell piping, no glue code.

```bash
squirrel mcp
```

The server runs in the foreground and communicates over stdin/stdout. You normally don't run it by hand — your agent launches it for you using the config below.

<Info>Local audit tools (`audit_website`, `quick_check`, `list_rules`, `get_rule`) are free and work offline with no login. Cloud tools (issues, reports, active audits) require `squirrel auth login` and return a clean error when you're signed out.</Info>

## Prerequisites

Install the CLI first (see [Installation](/quickstart)) and confirm it's on your `PATH`:

```bash
squirrel self version
```

## Connect Claude Code

Add the server with the Claude Code CLI:

```bash
claude mcp add squirrelscan -- squirrel mcp
```

Or add it to your project's `.mcp.json` (checked in, shared with your team):

```json
{
  "mcpServers": {
    "squirrelscan": {
      "command": "squirrel",
      "args": ["mcp"]
    }
  }
}
```

Restart Claude Code and the squirrelscan tools become available. Ask it to "audit example.com with squirrelscan" and it will call `audit_website`.

## Connect Cursor

Add squirrelscan to `.cursor/mcp.json` in your project (or `~/.cursor/mcp.json` for all projects):

```json
{
  "mcpServers": {
    "squirrelscan": {
      "command": "squirrel",
      "args": ["mcp"]
    }
  }
}
```

Open **Cursor Settings → MCP** to confirm the server is connected, then prompt the agent to audit a site.

## Other MCP clients

Any MCP-compatible client can launch the server. Configure a stdio server with:

- **Command:** `squirrel`
- **Args:** `["mcp"]`

## Tools

<Note>`list_issues` returns the supplant-aware, full-site issue state — superseded issues are excluded by default, so the agent always sees the current set.</Note>

| Tool | Auth | Description |
|------|------|-------------|
| `audit_website` | None* | Full deterministic audit of a URL; returns an LLM-optimized report. Accepts `coverage` (`quick`/`surface`/`full`), `maxPages`, and `offline`. |
| `quick_check` | None | Fast, local-only single-pass health check of one URL. |
| `list_rules` | None | List every built-in audit rule (id, name, category, severity). |
| `get_rule` | None | Full definition of one rule by id (e.g. `core/meta-title`). |
| `list_audits` | Login | Your org's currently running/pending audits. |
| `get_report` | Login | Fetch a published audit report by its audit id. |
| `list_issues` | Login | Open, supplant-aware issue state for a website. |
| `get_issue` | Login | A single audit issue by website + number. |
| `comment_on_issue` | Login | Post a comment on an audit issue. |

<Info>*`audit_website` runs locally for free. When you're logged in it automatically adds cloud enrichment (which spends credits per your plan). Pass `offline: true` to force a fully local run.</Info>

## Authentication

Cloud tools use the same credential as the rest of the CLI: a `squirrel auth login` session, or a `SQUIRREL_API_TOKEN` environment variable (see [Authentication](/developers/authentication)). When no credential is present, cloud tools return a clear "Not logged in" message instead of failing.

## Related

- [Using with Agents](/agents) — skills-based agent integration
- [Authentication](/developers/authentication) — login + API tokens
- [`squirrel mcp` command](/cli/mcp) — command reference