meok-mcp-injection-scan-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@meok-mcp-injection-scan-mcpscan https://example.com/mcp for vulnerabilities"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
meok-mcp-injection-scan-mcp
Scan any MCP server for the prompt-injection / tool-poisoning / SSRF class disclosed in the April 2026 CVE wave.
pip install meok-mcp-injection-scan-mcpWhy this exists
April 2026 was a bad month for MCP. Anthropic published a "by-design" MCP RCE class affecting ~7,000 public servers (~150M downloads). mcp-server-git shipped a CVE chain. DockerDash got popped by an injection chain. Tool-description prompt injection ("tool poisoning") was demonstrated against every major MCP host.
If you run an MCP server in production, or you're auditing one before adoption, you need a fast scan that flags the patterns the April 2026 disclosures target. This MCP is that scan.
What it checks
30+ canonical rules across 5 severity tiers:
CRITICAL — direct RCE, system-prompt override, credential exfil patterns, shell metachars in defaults, file:// / internal-network URLs (the DockerDash 169.254.169.254 metadata-pivot vector).
HIGH — encoded payloads, imperative directives at the agent, supply-chain prompts, env-var references, tool shadowing.
MEDIUM — urgency / authority language,
additionalProperties=true, unbounded strings, tool-name impersonation.LOW — over-long descriptions, zero-width / bidi-override chars (the U+202E PoC vector).
Coverage maps to: OWASP LLM Top 10, GenAI Red Team v1, the April 2026 Anthropic MCP RCE disclosure, and the mcp-server-git CVE chain.
Tools exposed
Tool | Purpose |
| Fetch a remote MCP server's tool listing and scan it |
| Scan a pasted JSON tool list (auth-walled servers) |
| Issue a procurement-grade signed cert (Pro tier) |
| Inspect the full rule catalogue before subscribing |
| Subscribe links + tier comparison |
Pricing
Tier | Price | What you get |
Free | £0 | 5 scans / day, no signed reports |
Starter | Unlimited scans + signed reports | |
Pro | + scheduled rescans + 48h support | |
Enterprise | + custom rule packs + 4h SLA |
Every signed cert lives at https://meok-attestation-api.vercel.app/verify/<cert_id> — auditors and procurement teams confirm without an account.
What you do NOT get
This is a static-pattern scanner. It does not run dynamic taint analysis, fuzz the server with adversarial inputs, or replace a human red-team. It is the first 80% of the audit, in 5 seconds, for free.
Built by MEOK AI Labs
Solo founder. London. 234 MCP packages on PyPI. Live signing infrastructure at meok-attestation-api.vercel.app. Storefront councilof.ai. Get the catalogue: https://meok-attestation-api.vercel.app/catalogue.
Distribution channels
PyPI:
pip install meok-mcp-injection-scan-mcp(this package)Apify Store (Pay-Per-Event): https://apify.com/knowing_yucca/meok-mcp-injection-scan
GitHub (source): https://github.com/CSOAI-ORG/MEOK-LABS/tree/main/mcps/meok-mcp-injection-scan-mcp
Sponsor: https://github.com/sponsors/CSOAI-ORG · Pro £79/mo →
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/CSOAI-ORG/meok-mcp-injection-scan-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server