Scan from any AI. From any prompt.
Plug CheckVibe into Claude Desktop, Cursor, or any MCP-compatible client. Your agent calls the scanner, reads structured findings, and ships fixes — without leaving the chat.
Four steps. One pasted URL away.
- 01
Generate an API key
From your dashboard. Scoped to your projects, revocable any time.
- 02
Add CheckVibe to your MCP config
A single block in `claude_desktop_config.json`, `cursor.json`, or your client of choice.
- 03
Ask your agent to scan
Natural language. "Scan staging.myapp.com" — the agent picks the right tool and runs it.
- 04
Findings, inline
Structured results land back in the conversation. The agent can dismiss, re-run, or open project context next.
Built by people who shipped vibe-coded apps and broke them.
Works with the clients you already use
Claude Desktop, Cursor, Continue, Windsurf, Codex CLI. Anything that speaks MCP.
Every scanner, every project
All scanner endpoints exposed as MCP tools. Findings, dismissals, and project metadata are queryable.
Bring-your-own-key mode
Power users can run the MCP server locally against their own CheckVibe API key for full control.
Streaming-aware
Long scans stream progress so the agent stays responsive — no 90-second silent waits.
Three lines of config. Then you forget it exists.
```json
{
  "mcpServers": {
    "checkvibe": {
      "command": "npx",
      "args": ["-y", "@checkvibe/mcp-server"],
      "env": { "CHECKVIBE_API_KEY": "cvd_live_..." }
    }
  }
}
```
Get your MCP key — free until you find something.
Keep exploring.
Paste any URL — production app, staging build, vibe-coded prototype.
One scan grades both halves of being found in 2026: classic search (SEO — 68 checks on indexability, metadata, structured data, content, and Core Web Vitals) and AI answer engines (AEO — 46 checks on whether ChatGPT, Claude, Perplexity, and Google AI can crawl, parse, and cite your site).
Every CheckVibe finding ships with a copy-paste prompt engineered for Claude, Cursor, and Windsurf — context, file paths, the exact diff.
Watch the traffic hitting your live app, classify suspicious patterns, and surface real threats — credential stuffing, scraping, prompt-injection probes — without flooding your inbox with noise.
Set a project up once.
Branded, executive-style PDFs and shareable dashboards for stakeholders, clients, and security reviewers — without writing a single sentence yourself.
Synthetic lab runs and real-user CrUX data, side by side for every vital.
Cookie consent, privacy policy, terms, and GDPR signals — audited on your live site, tracked over time, and explained in plain language.
Automated WCAG 2.
SPF, DKIM, and DMARC graded in one pass — plus continuous DMARC report monitoring and blocklist checks, so deliverability problems surface before your users stop hearing from you.
Domain expiry, DNS hygiene, nameserver health, and TLS certificates — monitored continuously, with alerts long before anything bites.