Tech Ecosystem Analysis MCP

Tech ecosystem analysis for AI agents and LLM workflows — maps technology relationships, tracks adoption curves, detects CVE vulnerabilities, and scores tech stack risk across 6 live data sources. Connect once via the Model Context Protocol and your AI assistant can evaluate any framework, language, or tool with structured, data-driven intelligence.

This MCP server runs on the Apify platform in Standby mode and exposes 8 tools that orchestrate GitHub, NVD CVE database, StackExchange, Hacker News, Wikipedia, and a live Tech Stack Detector in parallel. Each tool returns structured JSON with per-technology scores, trend classifications, and actionable recommendations — ready to drop into any agent workflow.

⬇️ What data can you access?

MCP tools

Why use Tech Ecosystem Analysis MCP?

Engineering teams, security analysts, and CTOs make multi-year technology bets with incomplete information. Manual research across GitHub, StackOverflow, CVE databases, and Hacker News takes hours per framework and goes stale immediately. Consulting analysts charge thousands for reports that are already weeks out of date.

This MCP automates the entire research pipeline. Your AI agent can invoke a single tool call and get live adoption data, CVE exposure, developer sentiment, and maturity classification — all in one structured response. The data is fetched at query time from the source databases, not a cached snapshot.

Platform benefits when running on Apify:

• Scheduling — run weekly ecosystem checks to track how your tech stack's risk profile changes over time
• API access — trigger assessments from CI/CD pipelines, Slack bots, or any HTTP client
• Parallel execution — up to 6 actor calls run simultaneously per tool invocation, reducing latency
• Spending limits — set a per-run budget cap; the server returns a graceful error when the limit is reached
• Integrations — connect results to Zapier, Make, webhooks, or push directly to Notion or Confluence

Data sources

GitHub Search

Queries repository metadata including star counts, fork counts, primary language, creation date, last update date, and repository topics. The actor collects up to 30 results per query and filters them per technology by matching against language, name, and description fields. Star totals drive adoption scoring (50% weight) and community support scoring.

NVD CVE Database

Fetches live vulnerability records from the National Vulnerability Database. Each CVE includes its ID, CVSS base score, severity level (LOW/MEDIUM/HIGH/CRITICAL), affected products list, description, and published date. The vulnerability exposure formula weights critical CVEs at 3x, high CVEs at 2x, and others at 1x — capped at 100. Risk level thresholds: CRITICAL at CVSS >= 9.0 or any critical CVE present; HIGH at CVSS >= 7.0; MEDIUM at CVSS >= 4.0.

StackExchange

Retrieves Q&A threads with question titles, tags, community score, answered/unanswered status, and creation date. Answer rates contribute to both adoption scoring (20% weight) and sentiment scoring (50% weight). The 30-day question window measures current momentum versus historical activity.

Hacker News

Pulls discussion threads matched to each technology. Engagement signals — upvote points and comment counts — feed the sentiment formula: HN engagement accounts for 50% of sentiment score (points: 40%, comments: 10%). The top 5 posts by points are returned per technology.

Wikipedia

Extracts article text and parses it for release year patterns (released in YYYY, first appeared YYYY, created YYYY). This estimated age drives the maturity model (20% weight in composite maturity score) and provides ecosystem context for the network graph.

Tech Stack Detector

Scans live websites via the ryanclinton/website-tech-stack-detector actor. Returns detected technologies with names, categories, confidence scores, and detected versions. Used in map_tech_ecosystem, detect_tech_vulnerabilities, and generate_tech_report when URLs are provided. Detected technologies are automatically added to the CVE scan.

How the scoring algorithms work

Adoption Score (0–100)

GitHub star contribution (50% weight): min(totalStars / 50,000, 1) × 50. StackOverflow contribution (50% weight): question volume min(count / 100, 1) × 30 plus answer rate × 20. Growth rate is measured as the fraction of SO questions created in the last 30 days — above 30% classifies as rising, below 5% as declining.

Vulnerability Exposure Score (0–100)

Weighted severity sum: (criticalCVEs × 3 + highCVEs × 2 + otherCVEs × 1) × 10, capped at 100. Risk level classification: CRITICAL when avg CVSS >= 9 or any critical CVE present; HIGH when avg CVSS >= 7; MEDIUM when avg CVSS >= 4; LOW when CVEs exist but avg is below 4.

Developer Sentiment Score (0–100)

HN component (50%): min(avgPoints / 100, 1) × 40 + min(avgComments / 50, 1) × 10. SO component (50%): min(avgScore / 10, 1) × 30 + (1 - unansweredRatio) × 20. Overall classification: positive >= 60, negative < 30, neutral in between.

Tech Stack Risk Score (0–100)

Three-factor weighted combination: CVE exposure score × 0.40 + (100 − community support score) × 0.35 + (100 − maturity score) × 0.25. Community support: GitHub stars (40%), SO coverage (30%), repos updated in last 90 days (30%). Risk thresholds: critical >= 75, high >= 50, medium >= 25, low below 25.

Maturity Score (0–100) and S-Curve Classification

Six indicators: technology age min(ageYears / 15, 1) × 20 + community size min(totalStars / 100,000, 1) × 20 + documentation quality × 0.20 + enterprise adoption (repos > 1K stars) × 0.15 + ecosystem breadth (unique topics) × 0.15 + stability index × 0.10. Classification: mature when score >= 70 and age >= 8 years; growing when score >= 45 or age >= 3 with community > 10K; declining when score < 25, age > 10, and < 2 recent updates; emerging otherwise.

Ecosystem Network (Degree Centrality)

Builds a directed graph with node types: technology, repo, discussion, vulnerability, article, website. Edge types: implements (repo → technology, weighted by normalized star count), describes (article → technology, weight 0.5), uses (website → technology, weighted by detection confidence). Degree centrality = node degree / (N − 1). Graph density = 2E / (N × (N − 1)).

Use cases for tech ecosystem analysis

Engineering team technology selection

CTOs and engineering leads evaluating a new framework need more than a blog post. Feed your candidate stack into score_tech_stack_risk to get a CVE-weighted, community-adjusted risk score before committing engineering resources. Compare React vs Vue vs Svelte on a single tool call.

Security team CVE mapping

Security engineers running quarterly vulnerability reviews can provide a list of production technologies (or their web application URLs for auto-detection) to detect_tech_vulnerabilities. The tool returns a ranked CVE list with CVSS scores and exposure weights, ready to feed into remediation prioritization workflows.

VC and M&A technology due diligence

Investment analysts assessing a company's technical moat or liability need to understand whether the target's stack is on a growth curve or approaching end of community support. generate_tech_report produces a full analysis — adoption trends, maturity stages, CVE exposure, and sentiment — in a single AI agent call.

Developer relations and content strategy

DevRel teams deciding where to invest conference talks, tutorials, and community sponsorship can use track_framework_trends to identify which frameworks are in the growing phase with high momentum scores. This replaces expensive survey research with live data.

Framework migration planning

Teams building a business case for migrating from an aging framework need data on whether the candidate is truly mature or still volatile. assess_tech_maturity produces a 6-factor maturity model with enterprise adoption proxy, ecosystem breadth, and stability index — structured evidence for migration decisions.

AI agent continuous monitoring

Engineering organizations using AI coding assistants can wire this MCP into a scheduled Apify run. Weekly calls to score_tech_stack_risk across the production stack automatically surface new CVEs or community health drops before they become incidents.

How to connect this MCP server

Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "tech-ecosystem-analysis": {
      "url": "https://tech-ecosystem-analysis-mcp.apify.actor/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_APIFY_TOKEN"
      }
    }
  }
}

Cursor / Windsurf / Cline

Add the same URL and Authorization header in your MCP client settings. The server uses the Streamable HTTP transport — no SSE configuration required.

HTTP directly

curl -X POST "https://tech-ecosystem-analysis-mcp.apify.actor/mcp" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_APIFY_TOKEN" \
  -d '{
    "jsonrpc": "2.0",
    "method": "tools/call",
    "params": {
      "name": "assess_tech_adoption",
      "arguments": {
        "technologies": ["TypeScript", "Rust", "Go"]
      }
    },
    "id": 1
  }'

Python (via openai-agents or any MCP client)

import httpx

response = httpx.post(
    "https://tech-ecosystem-analysis-mcp.apify.actor/mcp",
    headers={
        "Content-Type": "application/json",
        "Authorization": "Bearer YOUR_APIFY_TOKEN",
    },
    json={
        "jsonrpc": "2.0",
        "method": "tools/call",
        "params": {
            "name": "score_tech_stack_risk",
            "arguments": {
                "technologies": ["Django", "Flask", "FastAPI"]
            }
        },
        "id": 1,
    }
)

result = response.json()
for tech in result["result"]["content"]:
    print(tech["text"])

Input parameters

The MCP server has no other actor-level inputs. All configuration is passed per tool call as tool arguments.

Tool arguments reference

map_tech_ecosystem

assess_tech_adoption

detect_tech_vulnerabilities

analyze_developer_sentiment

score_tech_stack_risk

track_framework_trends

assess_tech_maturity

generate_tech_report

⬆️ Output examples

assess_tech_adoption — sample output

[
  {
    "technology": "TypeScript",
    "githubMetrics": {
      "totalRepos": 18,
      "totalStars": 98421,
      "avgStars": 5468,
      "topRepos": [
        { "name": "microsoft/TypeScript", "stars": 98421, "url": "https://github.com/microsoft/TypeScript" },
        { "name": "type-challenges/type-challenges", "stars": 43102, "url": "https://github.com/type-challenges/type-challenges" }
      ]
    },
    "stackOverflowMetrics": {
      "totalQuestions": 84,
      "avgScore": 4.2,
      "answerRate": 0.94,
      "recentActivity": 31
    },
    "adoptionScore": 79,
    "trend": "rising",
    "growthRate": 0.37
  }
]

score_tech_stack_risk — sample output

[
  {
    "technology": "Log4j",
    "cveExposure": {
      "score": 89,
      "totalCves": 7,
      "criticalCves": 2,
      "highCves": 3
    },
    "communitySupport": {
      "score": 42,
      "githubStars": 3210,
      "soQuestions": 14,
      "recentActivity": 1
    },
    "maturityFactor": {
      "score": 58,
      "ageYears": 18,
      "releaseFrequency": "infrequent"
    },
    "overallRisk": 76,
    "riskLevel": "critical",
    "recommendation": "Log4j has critical risk. Immediate review: 7 CVEs (2 critical) with limited community support."
  }
]

generate_tech_report — sample output (abbreviated)

{
  "title": "Technology Ecosystem Report: React, TypeScript, PostgreSQL",
  "generatedAt": "2026-03-21T09:14:02.341Z",
  "technologies": ["React", "TypeScript", "PostgreSQL"],
  "summary": "Analyzed 3 technologies. Ecosystem contains 47 nodes and 83 relationships. Graph density: 0.076. Top technologies: TypeScript, React, PostgreSQL. Overall risk assessment: LOW — stack is healthy.",
  "sections": {
    "adoption": [
      { "technology": "React", "adoptionScore": 88, "trend": "stable" },
      { "technology": "TypeScript", "adoptionScore": 79, "trend": "rising" },
      { "technology": "PostgreSQL", "adoptionScore": 71, "trend": "stable" }
    ],
    "vulnerabilities": [
      { "technology": "React", "riskLevel": "low", "totalCves": 2, "avgCvss": 4.3, "exposureScore": 20 },
      { "technology": "TypeScript", "riskLevel": "none", "totalCves": 0, "avgCvss": 0, "exposureScore": 0 },
      { "technology": "PostgreSQL", "riskLevel": "medium", "totalCves": 6, "avgCvss": 6.1, "exposureScore": 40 }
    ],
    "maturity": [
      { "technology": "React", "maturityLevel": "mature", "maturityScore": 87 },
      { "technology": "TypeScript", "maturityLevel": "growing", "maturityScore": 61 },
      { "technology": "PostgreSQL", "maturityLevel": "mature", "maturityScore": 91 }
    ]
  },
  "recommendations": [
    "Technology stack appears healthy. Continue regular security audits and dependency updates."
  ],
  "riskSummary": {
    "overallRisk": "LOW — stack is healthy",
    "criticalFindings": [],
    "positiveIndicators": [
      "React: positive developer sentiment (score: 74/100)",
      "TypeScript: strong growth momentum (82/100)"
    ]
  }
}

Output fields

assess_tech_adoption

detect_tech_vulnerabilities

score_tech_stack_risk

assess_tech_maturity

track_framework_trends

How much does it cost to run tech ecosystem analysis?

This MCP uses pay-per-event pricing — every tool call costs $0.045. All 8 tools are priced identically. Platform compute is included.

Apify's free plan includes $5 of monthly credits — enough for 110 individual tool calls or 13 full 8-tool ecosystem reports with no subscription required. You can set a maximum spending limit per run to control costs.

Compare this to manual research or analyst reports: a single technology due diligence report from a consultancy typically costs $2,000–5,000 and takes 2–3 weeks. With this MCP, your AI agent produces the same structured data in seconds for $0.045.

How Tech Ecosystem Analysis MCP works

Step 1: Tool invocation and charge

When an MCP client calls a tool, the server charges the Actor.charge() event immediately. If a spending limit has been set and is reached, the tool returns a structured error JSON rather than proceeding — preventing surprise overspend.

Step 2: Parallel actor execution

runActorsParallel() launches all required data source actors simultaneously via the Apify client. Each actor runs with 256 MB memory and a 180-second timeout. Results are collected via dataset.listItems({ limit: 500 }). Failed actors return empty arrays — the scoring functions handle missing data gracefully without throwing.

Data sources per tool:

• map_tech_ecosystem: GitHub (20 results) + Wikipedia (5 results) + Tech Stack Detector per URL
• assess_tech_adoption: GitHub (30) + StackExchange (30)
• detect_tech_vulnerabilities: NVD CVE (30) + Tech Stack Detector per URL
• analyze_developer_sentiment: Hacker News (30) + StackExchange (30)
• score_tech_stack_risk: NVD CVE (30) + GitHub (20) + StackExchange (20) + Wikipedia (5)
• track_framework_trends: GitHub (30) + StackExchange (30)
• assess_tech_maturity: GitHub (20) + StackExchange (20) + Wikipedia (5)
• generate_tech_report: all 5 sources (30 results each) + Tech Stack Detector per URL

Step 3: Scoring and classification

Each scoring function filters the raw actor results per technology using case-insensitive substring matching on language, name, description, title, and tags fields. Scores are computed in-process with no external API calls. All intermediate scores are clamped between 0 and 100. The generateReport function calls all 7 scoring functions sequentially on the same data object and assembles the combined output.

Step 4: Response

Results are serialized as pretty-printed JSON and returned as an MCP content block with type text. The Streamable HTTP transport handles per-request session lifecycle — the server creates a new McpServer instance per POST to /mcp, avoiding shared state between requests.

Tips for best results

1. Provide 2–5 technologies per call for richer network graphs. Single-technology calls work for vulnerability checks but ecosystem mapping needs co-occurrence data to build meaningful edges.

2. Use generate_tech_report for due diligence, individual tools for monitoring. The full report calls all 6 data sources and runs all 7 scoring functions — ideal for one-off analysis. For weekly automated checks, call score_tech_stack_risk and detect_tech_vulnerabilities only to minimize cost.

3. Add website URLs to vulnerability scans. Pass your production application URLs to detect_tech_vulnerabilities or generate_tech_report. The Tech Stack Detector identifies technologies you may not have listed, and they are automatically added to the CVE scan.

4. Interpret maturity scores alongside growth rates. A technology can be growing phase (high momentum) but still have a low maturity score — meaning it is gaining adoption but the ecosystem is still volatile. Both signals together tell the full story.

5. Use track_framework_trends before assess_tech_maturity when comparing candidates. Trends data tells you where a framework is heading; maturity tells you where it is now. For migration decisions, you want both.

6. Set a spending limit on your Apify run if you are exposing this MCP to multiple users or an agent that may call tools in loops. The server handles limit-reached events cleanly and returns a parseable error.

7. Cache generate_tech_report results in your agent memory. The full report is comprehensive — your agent does not need to re-run it more than once per session unless technologies change. Individual tools like detect_tech_vulnerabilities benefit from fresh runs when assessing newly disclosed CVEs.

Combine with other Apify actors and MCPs

Limitations

• Data recency depends on source APIs. GitHub and StackExchange results reflect current state at query time. NVD CVE data reflects publicly disclosed vulnerabilities — zero-days are not in the database by definition.
• Scoring is signal-based, not authoritative. The maturity and adoption scores are derived from public activity signals. A technology can have high GitHub stars but poor enterprise production quality, or low stars but strong institutional use.
• Technology name matching uses substring search. Querying "Go" will also match "Django", "MongoDB", etc. Use specific names like "Golang" or "Go programming language" for better filtering accuracy.
• Wikipedia age extraction depends on article text patterns. If Wikipedia does not contain a release year in a recognized format, ageYears defaults to 5 and maturity scores will be less accurate.
• No historical trend data. Scores reflect a point-in-time snapshot. The tool cannot show you a star growth chart or 12-month CVE history — it shows current state only.
• CVE matching is text-based, not CPE-based. The NVD actor matches CVEs by description and affected product name. This can produce false positives for common technology names and miss CVEs with non-obvious product naming.
• Parallel actor calls have a 180-second timeout. For large technology lists (10+ technologies), some actors may timeout under heavy Apify platform load, returning partial data.
• Website tech stack detection requires publicly accessible URLs. Password-protected, IP-allowlisted, or bot-blocked sites will return no technology data.

Integrations

• Apify API — Trigger assessment runs from CI/CD pipelines or security tooling via HTTP
• Webhooks — Fire alerts when a generate_tech_report run detects critical CVEs or risk level changes
• Zapier — Connect ecosystem analysis results to Jira ticket creation for CVE remediation workflows
• Make — Build automated weekly tech stack health dashboards delivered to Slack or email
• Google Sheets — Export adoption scores and maturity classifications to a shared team spreadsheet for tech radar maintenance
• LangChain / LlamaIndex — Use this MCP as a tool within ReAct agents for autonomous technology research and recommendation workflows

Troubleshooting

Tool call returns empty arrays for all technologies. This usually means all parallel actor calls timed out or the Apify token has insufficient credits. Check your Apify account balance and ensure the token passed in the Authorization header has Actor:run permissions. Each tool call requires credits to run the underlying actors.

CVE results seem incomplete or include unrelated vulnerabilities. The NVD actor uses text matching. Try more specific technology names — use "Apache Log4j" instead of "Log4j", or "OpenSSL" instead of "SSL". Broad terms like "Java" or "Python" will match thousands of unrelated CVEs and flood the results.

assess_tech_maturity returns ageYears: 5 for all technologies. Wikipedia article extraction did not find a release year in a recognized pattern. This is common for technologies whose Wikipedia articles describe history differently. The score still works but age contribution defaults to the minimum. Use the other maturity indicators to interpret the result.

map_tech_ecosystem returns a sparse graph with few edges. Sparse graphs occur when technologies have little co-occurrence in the GitHub results. Use related technologies that are commonly used together — for example, ["React", "TypeScript", "Tailwind", "Vite"] rather than unrelated technologies like ["React", "Kubernetes", "PostgreSQL"].

Spending limit reached error during generate_tech_report. The full report is the most expensive single call (one charge event). If this error appears, your run-level spending limit is set too low. Increase it in the Apify Console run settings, or set maxTotalChargeUsd higher when calling the actor via API.

Responsible use

• This MCP accesses only publicly available data from open databases (GitHub, NVD, StackExchange, Hacker News, Wikipedia).
• CVE data from NVD is U.S. government public domain — no restrictions on use.
• GitHub, StackExchange, and Hacker News data is subject to their respective API terms of service.
• Do not use vulnerability data to exploit systems. CVE information is provided for defensive security research and risk assessment.
• For guidance on web scraping legality, see Apify's guide.

❓ FAQ

How many technologies can I analyze in a single tool call? There is no hard limit. The scoring functions process every technology in the input array. In practice, 1–10 technologies per call produces the best signal-to-noise ratio. Very large lists (20+) dilute GitHub and SO query results because all technologies are combined into a single search query.

Can tech ecosystem analysis detect vulnerabilities in my own codebase? No — this MCP analyzes the technology itself (the framework, language, or library), not your specific version or configuration. It fetches all publicly known CVEs for a named technology. Use it to identify which components in your stack have known CVEs, then cross-reference with your actual dependency versions.

How current is the CVE vulnerability data? CVE data is fetched live from the National Vulnerability Database at the time of each tool call. There is no caching — every call to detect_tech_vulnerabilities or score_tech_stack_risk reflects the current published CVE database state.

Does tech ecosystem analysis work for proprietary or internal technologies? Technologies must have a presence on GitHub, StackOverflow, or NVD to return meaningful data. Internal tools or unpublished libraries will return empty results. It works for any public framework, language, database, cloud service, or open source library.

How is this different from Snyk or Dependabot? Snyk and Dependabot analyze specific dependency versions in your lock files. This MCP analyzes the technology ecosystem at the community and security intelligence level — adoption trends, maturity stages, developer sentiment, and ecosystem health. They are complementary: use Snyk for version-specific CVE patching, use this MCP for strategic technology selection and risk scoring.

Can I schedule this MCP to run automatically? Yes. You can trigger the actor via the Apify API on a schedule (Apify Scheduler or any cron service). Each scheduled run connects to the MCP server and calls the tools you configure. This is useful for weekly tech stack health monitoring where you want alerts if new critical CVEs appear.

What is the typical response time per tool call? Each tool call runs up to 4 parallel actor executions with a 180-second timeout each. Typical latency is 15–45 seconds depending on data source response times. generate_tech_report is the slowest, running all 6 sources simultaneously.

Is it legal to scrape GitHub, StackOverflow, and Hacker News for this? All data sources are accessed via their official public APIs, not via web scraping. GitHub Search API, NVD's REST API, StackExchange API, and Hacker News Firebase API are all publicly available. See Apify's guide on web scraping legality.

Can I use the output in commercial products or reports? Yes. NVD data is U.S. government public domain. GitHub and StackExchange API data is generally permissible for analysis and reporting under their terms of service. Review each source's terms for your specific use case before redistribution.

What happens if one of the underlying actors fails during a tool call? The runActorsParallel function catches errors per actor and returns an empty array for that source. Scoring functions handle missing data gracefully — they simply contribute zero to the relevant score components rather than throwing. The tool always returns a result; it may just have lower confidence when some sources failed.

How is the S-curve phase different from the trend direction? Trend direction (up/stable/down) reflects short-term momentum based on the last 30 days of StackOverflow activity relative to total history. Adoption phase (emerging/growing/mature/declining) is a lifecycle classification combining star count thresholds and growth rates over a 6-month window. A technology can be mature with a stable or even down trend — that is normal for established technologies.

Help us improve

If you encounter issues, you can help us debug faster by enabling run sharing in your Apify account:

1. Go to Account Settings > Privacy
2. Enable Share runs with public Actor creators

This lets us see your run details when something goes wrong, so we can fix issues faster. Your data is only visible to the actor developer, not publicly.

Support

Found a bug or have a feature request? Open an issue in the Issues tab on this actor's page. For custom scoring algorithms, additional data sources, or enterprise integrations, reach out through the Apify platform.