MCP servers run with full access to your filesystem, API keys, and network. mcp-scan audits every MCP server configuration on your system โ detecting leaked secrets, prompt injection risks, supply-chain vulnerabilities, and data flow issues before they become incidents.
npx mcp-scan@latestNo installation. No sign-up. No telemetry. Zero network requests during scanning.
MCP servers are the new attack surface for AI-powered development. They run silently alongside your AI tools with shell access, filesystem permissions, and network egress. A single malicious or misconfigured server can exfiltrate API keys, inject instructions into your AI sessions, or become a supply-chain entry point.
mcp-scan was built after analyzing hundreds of publicly available MCP server configs and finding patterns that existing security tools miss: credential relay, prompt injection via tool descriptions, typosquatting near popular packages, and data sent to unexpected endpoints.
Featured in Stytch Engineering Blog: "npm-audit for MCP security: A deep-dive on mcp-scan"
| Check | Severity | Description |
|---|---|---|
| Data Exfiltration | CRITICAL | Tool reads filesystem/DB/clipboard and sends data to a network endpoint |
| Credential Relay | CRITICAL | Environment variables or secrets passed to external APIs or processes |
| Known Malicious Package | CRITICAL | Config references packages on the known-bad list |
| Exposed Secret | CRITICAL | Hardcoded API keys, tokens, or passwords in config |
| Prompt Injection | HIGH | Instructions embedded in tool names or descriptions |
| Obfuscated Network | HIGH | Server uses base64, hex, or reversed URLs to hide endpoints |
| Data-in-URL Exfil | HIGH | Potential exfiltration via long strings in URL query parameters |
| Typosquatting | HIGH | Package name closely resembles a trusted popular package |
| Supply Chain Risk | HIGH | Low-trust package with no history, stars, or maintainers |
| PII Exposure | HIGH | Server handles sensitive personal data without proper controls |
| Outdated Package | MEDIUM | Package has known vulnerabilities in the installed version |
| Overly Broad Permissions | MEDIUM | Server requests filesystem or shell access it does not need |
| Telemetry Tracking | MEDIUM | Server contacts known analytics or tracking domains |
| Privacy Gaps | MEDIUM | Missing data retention, deletion, or encryption-at-rest policies |
| Unverified Source | LOW | Package not from a verified registry or organization |
| Data Minimization | LOW | Tool requests significantly more data fields than necessary |
| Missing Transport | LOW | MCP server communicates over unencrypted transport |
mcp-scan automatically detects configurations for 16+ AI tool clients:
| Category | Tools |
|---|---|
| AI Assistants | Claude Desktop, Claude Code, Gemini CLI, Codex CLI |
| Editors | VS Code, Cursor, Windsurf, Zed |
| AI Coding Tools | Cline, Roo Code, Continue, Amp, Plandex |
| Other | ChatGPT Desktop, GitHub Copilot |
- Data Flow Analysis โ Trace where your data goes after MCP processes it
- Network Egress Monitor โ See every endpoint your servers contact
- Privacy Assessment โ One-command PII and compliance report
- Policy Engine โ Custom security rules in
.mcp-scan-policy.yml - Compliance Mapping โ SOC 2, GDPR, HIPAA, PCI-DSS, NIST 800-53
- SBOM Generation โ CycloneDX and SPDX output
- GitHub Action โ Scan on every PR with SARIF upload to GitHub Security tab
- 17+ Scanners โ Secrets, supply chain, prompt injection, data flow, and more
# Full security scan (auto-detects all AI tool configs)
npx mcp-scan@latest
# Output as JSON for CI/CD pipelines
npx mcp-scan@latest --json
# Privacy impact assessment and data map
npx mcp-scan@latest privacy
# Compliance report (SOC 2, GDPR, HIPAA, PCI-DSS, NIST 800-53)
npx mcp-scan@latest compliance
# Software Bill of Materials (CycloneDX or SPDX)
npx mcp-scan@latest sbom
# Validate custom security policies
npx mcp-scan@latest policy
# CI mode โ exit 1 if findings above threshold
npx mcp-scan@latest --ci --severity-threshold HIGHAdd mcp-scan to your CI pipeline. Results appear in the GitHub Security tab via SARIF 2.1.0:
steps:
- uses: actions/checkout@v4
- name: Scan MCP configurations
uses: rodolfboctor/mcp-scan@v2
with:
severity-threshold: MEDIUM
sarif-upload: trueDefine your own rules in .mcp-scan-policy.yml:
rules:
- name: no-external-endpoints
description: Block servers contacting endpoints outside your org domain
match:
network_egress:
not_in_domain: "*.mycompany.com"
severity: HIGH
- name: require-approved-packages
description: Only allow packages from your approved list
match:
package:
not_in_allowlist: true
severity: CRITICAL| Framework | Controls Covered |
|---|---|
| SOC 2 | CC6.1, CC6.6, CC6.7, CC7.1 |
| GDPR | Art. 25, Art. 32, Art. 33 |
| HIPAA | 164.312(a)(1), 164.312(e)(1) |
| PCI-DSS | Req. 6, Req. 10, Req. 11 |
| NIST 800-53 | CA-7, RA-5, SA-11, SI-2 |
mcp-scan runs entirely locally. It reads config files from disk, performs all analysis in-process, and never sends data anywhere.
- Zero network requests during scanning
- No API keys required
- No data leaves your machine
- No account or sign-up needed
- Fully open source โ audit the code yourself
- v2.1 โ Runtime Monitoring
- v2.2 โ Sandboxed Execution
- v2.3 โ Real-Time Alerting
Use without installing (always latest version):
npx mcp-scan@latestInstall globally:
npm install -g mcp-scan
mcp-scanIssues and PRs welcome. See CONTRIBUTING.md for guidelines.
For security disclosures: see SECURITY.md.
MIT โ built by Abanoub Rodolf Boctor ยท ThynkQ