mcp-scan
Health Pass
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 21 GitHub stars
Code Warn
- process.env — Environment variable access in notion-integration/push-to-notion.js
- fs module — File system access in package.json
Permissions Pass
- Permissions — No dangerous permissions requested
This is an open-source security auditing tool designed to scan Model Context Protocol (MCP) server configurations. It helps developers detect leaked secrets, prompt injection risks, supply-chain vulnerabilities, and data exfiltration vectors before they can be exploited.
Security Assessment
The tool is designed with strong privacy and security principles. According to its documentation, it operates entirely offline, making zero network requests and collecting no telemetry during a scan. While the automated audit flagged environment variable access and filesystem module usage, these are expected, safe behaviors for a local application that reads configuration files. No hardcoded secrets or dangerous runtime permissions were detected. Overall risk: Low.
Quality Assessment
The project is highly active, with its most recent code push happening today. It uses the standard, permissive MIT license and is distributed via npm. The repository shows a healthy foundation for a niche security utility, currently backed by 21 GitHub stars, and has received public recognition from an established engineering blog.
Verdict
Safe to use.
Security scanner for MCP server configurations. Detects secrets, CVEs, permission issues, and exfiltration vectors across 10 AI tool clients.
mcp-scan
Open-source security scanner for Model Context Protocol (MCP) servers.
MCP servers run with full access to your filesystem, API keys, and network. mcp-scan audits every MCP server configuration on your system — detecting leaked secrets, prompt injection risks, supply-chain vulnerabilities, and data flow issues before they become incidents.
npx mcp-scan@latest
No installation. No sign-up. No telemetry. Zero network requests during scanning.
Why mcp-scan?
MCP servers are the new attack surface for AI-powered development. They run silently alongside your AI tools with shell access, filesystem permissions, and network egress. A single malicious or misconfigured server can exfiltrate API keys, inject instructions into your AI sessions, or become a supply-chain entry point.
mcp-scan was built after analyzing hundreds of publicly available MCP server configs and finding patterns that existing security tools miss: credential relay, prompt injection via tool descriptions, typosquatting near popular packages, and data sent to unexpected endpoints.
Featured in Stytch Engineering Blog: "npm-audit for MCP security: A deep-dive on mcp-scan"
What It Detects
| Check | Severity | Description |
|---|---|---|
| Data Exfiltration | CRITICAL | Tool reads filesystem/DB/clipboard and sends data to a network endpoint |
| Credential Relay | CRITICAL | Environment variables or secrets passed to external APIs or processes |
| Known Malicious Package | CRITICAL | Config references packages on the known-bad list |
| Exposed Secret | CRITICAL | Hardcoded API keys, tokens, or passwords in config |
| Prompt Injection | HIGH | Instructions embedded in tool names or descriptions |
| Obfuscated Network | HIGH | Server uses base64, hex, or reversed URLs to hide endpoints |
| Data-in-URL Exfil | HIGH | Potential exfiltration via long strings in URL query parameters |
| Typosquatting | HIGH | Package name closely resembles a trusted popular package |
| Supply Chain Risk | HIGH | Low-trust package with no history, stars, or maintainers |
| PII Exposure | HIGH | Server handles sensitive personal data without proper controls |
| Outdated Package | MEDIUM | Package has known vulnerabilities in the installed version |
| Overly Broad Permissions | MEDIUM | Server requests filesystem or shell access it does not need |
| Telemetry Tracking | MEDIUM | Server contacts known analytics or tracking domains |
| Privacy Gaps | MEDIUM | Missing data retention, deletion, or encryption-at-rest policies |
| Unverified Source | LOW | Package not from a verified registry or organization |
| Data Minimization | LOW | Tool requests significantly more data fields than necessary |
| Missing Transport | LOW | MCP server communicates over unencrypted transport |
Supported AI Tools
mcp-scan automatically detects configurations for 16+ AI tool clients:
| Category | Tools |
|---|---|
| AI Assistants | Claude Desktop, Claude Code, Gemini CLI, Codex CLI |
| Editors | VS Code, Cursor, Windsurf, Zed |
| AI Coding Tools | Cline, Roo Code, Continue, Amp, Plandex |
| Other | ChatGPT Desktop, GitHub Copilot |
v2.0 Features
- Data Flow Analysis — Trace where your data goes after MCP processes it
- Network Egress Monitor — See every endpoint your servers contact
- Privacy Assessment — One-command PII and compliance report
- Policy Engine — Custom security rules in
.mcp-scan-policy.yml - Compliance Mapping — SOC 2, GDPR, HIPAA, PCI-DSS, NIST 800-53
- SBOM Generation — CycloneDX and SPDX output
- GitHub Action — Scan on every PR with SARIF upload to GitHub Security tab
- 17+ Scanners — Secrets, supply chain, prompt injection, data flow, and more
All Commands
# Full security scan (auto-detects all AI tool configs)
npx mcp-scan@latest
# Output as JSON for CI/CD pipelines
npx mcp-scan@latest --json
# Privacy impact assessment and data map
npx mcp-scan@latest privacy
# Compliance report (SOC 2, GDPR, HIPAA, PCI-DSS, NIST 800-53)
npx mcp-scan@latest compliance
# Software Bill of Materials (CycloneDX or SPDX)
npx mcp-scan@latest sbom
# Validate custom security policies
npx mcp-scan@latest policy
# CI mode — exit 1 if findings above threshold
npx mcp-scan@latest --ci --severity-threshold HIGH
GitHub Actions Integration
Add mcp-scan to your CI pipeline. Results appear in the GitHub Security tab via SARIF 2.1.0:
steps:
- uses: actions/checkout@v4
- name: Scan MCP configurations
uses: rodolfboctor/mcp-scan@v2
with:
severity-threshold: MEDIUM
sarif-upload: true
Custom Security Policies
Define your own rules in .mcp-scan-policy.yml:
rules:
- name: no-external-endpoints
description: Block servers contacting endpoints outside your org domain
match:
network_egress:
not_in_domain: "*.mycompany.com"
severity: HIGH
- name: require-approved-packages
description: Only allow packages from your approved list
match:
package:
not_in_allowlist: true
severity: CRITICAL
Compliance Mapping
| Framework | Controls Covered |
|---|---|
| SOC 2 | CC6.1, CC6.6, CC6.7, CC7.1 |
| GDPR | Art. 25, Art. 32, Art. 33 |
| HIPAA | 164.312(a)(1), 164.312(e)(1) |
| PCI-DSS | Req. 6, Req. 10, Req. 11 |
| NIST 800-53 | CA-7, RA-5, SA-11, SI-2 |
Privacy & Security Architecture
mcp-scan runs entirely locally. It reads config files from disk, performs all analysis in-process, and never sends data anywhere.
- Zero network requests during scanning
- No API keys required
- No data leaves your machine
- No account or sign-up needed
- Fully open source — audit the code yourself
Roadmap
- v2.1 — Runtime Monitoring
- v2.2 — Sandboxed Execution
- v2.3 — Real-Time Alerting
Installation
Use without installing (always latest version):
npx mcp-scan@latest
Install globally:
npm install -g mcp-scan
mcp-scan
Contributing
Issues and PRs welcome. See CONTRIBUTING.md for guidelines.
For security disclosures: see SECURITY.md.
License
MIT — built by Abanoub Rodolf Boctor · ThynkQ
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found