MCP Server
v0.5.0
Use WP HealthKit directly from Claude Desktop, Claude Code, Cursor, or Windsurf via the Model Context Protocol — audit plugins, access developer reference guides, and run pre-configured security review prompts without leaving your AI tool.
What is MCP?
The Model Context Protocol (MCP) is an open standard that lets AI assistants call external tools and access reference documents during a conversation. The WP HealthKit MCP server exposes your audit pipeline as callable tools, curated developer guides as readable resources, and security review workflows as pre-configured prompts — all accessible without leaving your AI editor.
Tools
9 tools for auditing plugins, fetching reports, and managing your usage.
| Tool | Description |
|---|---|
| audit_plugin | Start an audit for a WordPress.org plugin slug. Optionally pass engines: ['performance'] for extended analysis. Returns an audit ID. |
| audit_plugin_zip | Audit a plugin from a local ZIP file. Provide the absolute file path and optional engines array. Returns an audit ID to poll with get_report. |
| audit_plugins_bulk | Audit all plugin ZIP files in a local directory. Submits in batches of 10, streams results as each completes, then prints a risk breakdown summary. |
| get_report | Fetch the full report for a completed audit by ID — findings, scores, readiness assessments, and all engine results. |
| get_findings | Fetch paginated findings for a completed audit, optionally filtered by severity or category. |
| get_fix_prompt | Generate a batched fix prompt from audit findings, ready to paste into an AI coding assistant. |
| check_plugin | Look up a plugin in the WP HealthKit directory to get its current risk rating and audit history. |
| list_usage | Check current API usage, remaining audit quota, and plan limits. |
| flag_finding | Flag a specific finding as a false positive. Confirmed patterns result in a scanner rule update — closing the feedback loop between developers and the scanner. |
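The tools above are invoked over MCP as JSON-RPC 2.0 tools/call requests, and the audit tools are asynchronous: audit_plugin returns an ID that the client polls with get_report before it can ask for findings. The following is an added example, not code from the WP HealthKit package, showing what that exchange looks like from the client side with a bounded polling loop, so a stuck audit cannot hang the session. The server side is a constructed mock, and the result field names (auditId, status, findings) and the sample findings are assumptions about the real tool output.

```javascript
// Added example, not code from the WP HealthKit package: the JSON-RPC 2.0
// messages an MCP client puts on the wire to drive the audit pipeline
// (audit_plugin -> poll get_report -> get_findings), with a bounded polling
// loop. The server side is a constructed mock; the result field names
// (auditId, status, findings) and the sample findings are assumptions.

let nextRequestId = 1;

// tools/call is the MCP method a client uses to invoke a server tool.
function toolCallRequest(name, args) {
  return {
    jsonrpc: "2.0",
    id: nextRequestId++,
    method: "tools/call",
    params: { name, arguments: args },
  };
}

// Constructed mock server: an audit reports "running" until it has been
// polled pollsUntilDone times, then "complete".
function makeMockServer({ pollsUntilDone = 2 } = {}) {
  const audits = new Map();
  const sampleFindings = [
    { id: "f1", severity: "critical", category: "sql", title: "Unprepared $wpdb query" },
    { id: "f2", severity: "high", category: "authz", title: "REST route whose permission_callback always returns true" },
    { id: "f3", severity: "low", category: "escaping", title: "Unescaped attribute output" },
  ];
  const reply = (req, result) => ({
    jsonrpc: "2.0",
    id: req.id,
    // MCP tool results are content blocks; structured data travels as JSON text.
    result: { content: [{ type: "text", text: JSON.stringify(result) }] },
  });
  const fail = (req, message) => ({ jsonrpc: "2.0", id: req.id, error: { code: -32602, message } });

  return function handle(req) {
    if (req.method !== "tools/call") return fail(req, "only tools/call is mocked");
    const { name, arguments: a } = req.params;
    switch (name) {
      case "audit_plugin": {
        const auditId = `audit-${audits.size + 1}`;
        audits.set(auditId, { slug: a.slug, polls: 0 });
        return reply(req, { auditId });
      }
      case "get_report": {
        const st = audits.get(a.auditId);
        if (!st) return fail(req, `unknown audit ${a.auditId}`);
        st.polls += 1;
        return st.polls >= pollsUntilDone
          ? reply(req, { auditId: a.auditId, status: "complete", findingsCount: sampleFindings.length })
          : reply(req, { auditId: a.auditId, status: "running" });
      }
      case "get_findings":
        return reply(req, {
          findings: sampleFindings.filter((f) => !a.severity || f.severity === a.severity),
        });
      default:
        return fail(req, `unknown tool ${name}`);
    }
  };
}

// Client helper: send one tools/call, unwrap the JSON text block, raise on error.
function callTool(send, name, args) {
  const resp = send(toolCallRequest(name, args));
  if (resp.error) throw new Error(`${name}: ${resp.error.message}`);
  return JSON.parse(resp.result.content[0].text);
}

// Start an audit, poll with a hard cap, then pull only the findings at the
// requested severity (an empty severity returns everything).
function auditAndTriage(send, slug, { severity = "critical", maxPolls = 10 } = {}) {
  const { auditId } = callTool(send, "audit_plugin", { slug });
  let polls = 0;
  let report;
  while (polls < maxPolls) {
    polls += 1;
    report = callTool(send, "get_report", { auditId });
    if (report.status === "complete") break;
  }
  if (!report || report.status !== "complete") {
    throw new Error(`${auditId} still ${report ? report.status : "unknown"} after ${maxPolls} polls`);
  }
  const { findings } = callTool(send, "get_findings", { auditId, severity });
  return { auditId, polls, findings };
}

// Stand-alone run against the mock.
console.log(JSON.stringify(auditAndTriage(makeMockServer({ pollsUntilDone: 3 }), "contact-form-7"), null, 2));
```

Against a real server the send function would write each request to the server process's stdin and read the matching response by id; the request and response shapes stay the same. The maxPolls cap is the part worth keeping: an AI tool that loops on get_report without a bound will happily burn quota on an audit that never finishes.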
Resources
Resources are reference documents your AI can read as context. Unlike tools (which perform actions), resources are pulled into the conversation to inform the AI's answers. Say “use the security bible to review this code” and the AI fetches the full guide automatically.
Five guides are bundled in the package and available offline. The top-findings resource is fetched live from the WP HealthKit database.
| Resource URI | Name | Description |
|---|---|---|
| wphk://guides/security-bible | WordPress Plugin Security Bible | Comprehensive security reference covering REST API authorization, nonce verification, output escaping, SQL injection prevention, file uploads, capability checks, and more. Based on 10,000+ real plugin audits. |
| wphk://guides/wporg-submission | WordPress.org Submission Checklist | Complete checklist for passing WordPress.org plugin review — every common rejection reason with code examples and correct implementations. |
| wphk://guides/performance-bible | Plugin Performance Bible | N+1 query prevention, autoload bloat, transient caching, conditional asset loading, pagination, object cache compatibility, and cron patterns. |
| wphk://guides/woocommerce-security | WooCommerce Security Guide | HPOS compatibility, REST API authorization for order/customer data, server-side amount verification, webhook signatures, and order status transition safety. |
| wphk://guides/block-security | Gutenberg Block Security Guide | render_callback escaping, block.json attribute type safety, REST API authorization for block data, and CSS injection prevention in blocks. |
| wphk://stats/top-findings | Top Findings This Month | Live data: the most common security and quality findings across recent plugin audits. Updated from the WP HealthKit database — gives AI tools current ecosystem context. |
Prompts
Prompts are pre-configured review workflows. Select them from your AI tool's prompt picker, provide the required arguments, and get a structured analysis without writing the prompt yourself.
| Prompt | Arguments | Description |
|---|---|---|
| review_plugin_security | code, context (optional) | Full security review against the WP HealthKit security bible. Pass plugin PHP code; get a detailed issue-by-issue analysis with correct implementations. |
| preflight_wporg | code | Pre-submission review against WordPress.org plugin review criteria. Returns PASS/WARN/FAIL for every common rejection reason. |
| review_block_security | code | Gutenberg block security review. Checks render_callback escaping, block.json attribute safety, and REST API authorization for block data. |
Setup
1. Get an API key from Settings → API Keys (Pro plan or higher required).
2. Add the server to your AI tool's MCP config file. For Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json. For Cursor: ~/.cursor/mcp_servers.json. For Windsurf: ~/.codeium/windsurf/mcp_config.json.
3. Add the WP HealthKit server entry and replace the placeholder key:

```json
{
  "mcpServers": {
    "wphealthkit": {
      "command": "npx",
      "args": ["-y", "@wphealthkit/mcp-server@latest"],
      "env": {
        "WPHK_API_KEY": "your-key-here"
      }
    }
  }
}
```

The config file stores the API key in plaintext, so keep its permissions restricted to your own user. Note also that the @latest tag makes npx fetch the newest published version on every launch; if you want a reproducible server build, pin the version you tested (for example @wphealthkit/mcp-server@0.5.0).

For Claude Code, pass the key inline:

```
WPHK_API_KEY=whk_live_your_key claude --mcp-server npx @wphealthkit/mcp-server
```
Reload or restart your AI tool to activate the server.
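Before reloading, it is worth checking the config file you just edited: a placeholder key left in place fails silently at the first tool call, and a file that stores a live key should not be readable by other users. The script below is an added example, not part of the WP HealthKit package; its rules (entry present, key not the placeholder, package spec pinned to an exact version rather than a floating tag, file not group/world readable) are this example's own, and the 0.5.0 pinned version in the usage is assumed to be a published version of the package. The permission check is only meaningful on POSIX filesystems.

```javascript
// Added example, not part of the WP HealthKit package: sanity-checks an MCP
// config file of the shape shown above. Rules are this example's own.

const PLACEHOLDER_KEY = "your-key-here";
const PACKAGE = "@wphealthkit/mcp-server";

// Returns a list of problems; an empty list means the config looks usable.
// `mode` is the st_mode of the file (as returned by fs.statSync) or undefined.
function checkConfig(config, mode) {
  const problems = [];
  const entry = config && config.mcpServers && config.mcpServers.wphealthkit;
  if (!entry) return ["no mcpServers.wphealthkit entry"];

  const key = entry.env && entry.env.WPHK_API_KEY;
  if (!key || key === PLACEHOLDER_KEY) {
    problems.push("WPHK_API_KEY is missing or still the placeholder");
  }

  // Find the package spec among the npx args and inspect its version suffix.
  // "name@latest" or a bare "name" resolves to whatever is newest at launch,
  // so only an exact x.y.z suffix counts as pinned here.
  const args = Array.isArray(entry.args) ? entry.args : [];
  const spec = args.find((a) => typeof a === "string" && a.startsWith(PACKAGE));
  if (!spec) {
    problems.push(`args do not reference ${PACKAGE}`);
  } else {
    const version = spec.slice(PACKAGE.length + 1); // "" when there is no @suffix
    if (!/^\d+\.\d+\.\d+$/.test(version)) {
      problems.push(`package spec "${spec}" is not pinned to an exact version`);
    }
  }

  // 0o077 masks the group and other permission bits; any of them set means
  // another account on the machine can read the API key.
  if (typeof mode === "number" && (mode & 0o077) !== 0) {
    problems.push("config file is readable by group/others; chmod 600 it");
  }
  return problems;
}

// Read and check a config file on disk (POSIX mode bits assumed).
function checkConfigFile(path) {
  const fs = require("node:fs");
  const config = JSON.parse(fs.readFileSync(path, "utf8"));
  const { mode } = fs.statSync(path);
  return checkConfig(config, mode);
}

// Usage: node check-mcp-config.js ~/Library/Application\ Support/Claude/claude_desktop_config.json
if (process.argv[2]) {
  const problems = checkConfigFile(process.argv[2]);
  console.log(problems.length ? problems.join("\n") : "config looks OK");
  process.exitCode = problems.length ? 1 : 0;
}
```

The check is deliberately conservative about versions: a semver range or tag is reported as unpinned even though npm accepts it, because the point of pinning a tool that runs with your API key is that you know exactly which published artifact will execute.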
Example Prompts
Once connected, try these in Claude, Cursor, or Windsurf:
- “Audit the contact-form-7 plugin and show me any critical security issues.”
- “Check the risk level of woocommerce in the WP HealthKit directory.”
- “Fetch the findings for audit abc123 grouped by severity.”
- “Generate a fix prompt for my latest audit so I can paste it into Claude.”
- “Audit every ZIP in ~/Downloads/plugins and give me a risk summary.”
- “Flag finding-5 on audit abc123 as a false positive — it's a standard WP API call.”
- “Use the security bible to review this plugin code for issues.”
- “Run a wp.org pre-flight check on my plugin before I submit it.”
- “What are the most common security findings this month across WordPress plugins?”
audit_plugins_bulk
Audits all plugin ZIP files in a local directory in one command. Plugins are submitted in batches of 10, results stream as each audit completes, and a final summary shows the risk breakdown with links to each report.
Parameters
| Parameter | Required | Description |
|---|---|---|
| directory | Yes | Absolute path to the folder containing .zip files. |
| engines | No | Extra engines to run, e.g. ["performance"]. |
| pattern | No | File filter glob. Defaults to *.zip. |
Example output
```
Found 14 ZIPs. Submitting in 2 batches of 10/4.
Batch 1/2 — submitting 10 plugins…
✓ my-ecommerce-plugin     HIGH   231 findings (2m 14s)
✓ my-membership-plugin    HIGH   148 findings (2m 31s)
...
───────────────────────────────────────
Bulk audit complete — 14 plugins in 12m
───────────────────────────────────────
HIGH    9 plugins
MEDIUM  4 plugins
LOW     1 plugin
```