owasp-mcp-scan
🛡️ mcp-scan
Passive security scanner for Model Context Protocol servers. Point it at any running MCP server; it audits the live server against the OWASP MCP Top 10 and grades it A–F. Read-only, so it is safe to run against production.
npx owasp-mcp-scan --stdio "npx -y @modelcontextprotocol/server-filesystem /tmp"I ran it against the 12 most-installed MCP servers. 9 of them failed. No install, no config, no exploiting anything.
Why
MCP tool descriptions are fed straight into your model's context, and most public servers were never security-reviewed. A bad one can hide instructions in a description, expose a raw-shell tool, or leak a key; and your agent acts on it. Endor Labs found 82% of servers prone to path traversal, 34% to command injection.
mcp-scan is the gut-check before you wire a server in. It's passive: it reads advertised capabilities and analyzes them statically, never invoking tools, so it's safe against production servers.
Related MCP server: agent-audit
How it works
Connects to the server over stdio or Streamable HTTP and enumerates every advertised tool, prompt, and resource.
Runs 12 static checks across that surface: secrets, injection, SSRF, path traversal, tool poisoning, excessive scope, and more.
toxic-flowreasons across the whole toolset for the lethal trifecta (reads private data + ingests untrusted content + can exfiltrate), the shape single-tool scanners miss.Scores 0-100 and grades A-F (any critical forces F). Emits console, JSON, or SARIF.
It never calls a tool, never fuzzes, and never sends an exploit. The worst it does is read what the server already tells everyone.
Real findings on real servers
12 popular npm servers, actual output (snapshot 2026-07-11, full benchmark):
Server | Tools | Grade | 🔴 | 🟠 | 🟡 | Notable |
| 26 | F | 2 | 11 | 1 | lethal trifecta (MCP10) + |
| 14 | F | 0 | 1 | 11 | unconstrained path params (MCP01) |
| 7 | F | 1 | 2 | 0 |
|
| 5 | F | 0 | 3 | 1 | untrusted-input + exfiltration (MCP10) |
| 9 | F | 0 | 3 | 0 |
|
| 26 | D | 0 | 0 | 2 | state-changing tools (MCP02) |
| 8 | C | 0 | 1 | 0 | reads + posts = data + exfil (MCP10) |
| 13 | A | 0 | 0 | 0 | clean ✓ |
| 1 | A | 0 | 0 | 0 | clean ✓ |
9 of 12 flagged, 3 clean, every row audited finding-by-finding, false positives stripped rather than padded. Reproduce any row yourself:
npx owasp-mcp-scan --stdio "npx -y firecrawl-mcp" # F: lethal trifecta + code exec
npx owasp-mcp-scan --stdio "npx -y @modelcontextprotocol/server-everything" # A: cleanUse it
CLI
npx owasp-mcp-scan --stdio "<command>" # local stdio server
npx owasp-mcp-scan --url https://host/mcp --header "Authorization: Bearer $TOKEN"
npx owasp-mcp-scan --config ~/.cursor/mcp.json --format sarif --output mcp.sarifAs an MCP server, let your agent scan servers on demand ("scan this MCP server before I add it"). Add to any client; this mcpServers shape works in Claude Code, Claude Desktop, Cursor, Windsurf, VS Code, and Gemini CLI:
{ "mcpServers": { "mcp-scan": { "command": "npx", "args": ["-y", "owasp-mcp-scan", "--serve"] } } }OpenAI Codex (~/.codex/config.toml):
[mcp_servers.mcp-scan]
command = "npx"
args = ["-y", "owasp-mcp-scan", "--serve"]Exposes two tools: scan_mcp_server (audit a stdio/HTTP target) and list_checks.
Claude Code plugin
/plugin marketplace add CodingSelim/mcp-scan
/plugin install mcp-scan@mcp-scanAlso on the official MCP registry as io.github.CodingSelim/mcp-scan. Publishing steps: PUBLISHING.md.
What it checks
Full OWASP MCP Top 10 (2025) coverage, 12 checks:
Check | OWASP | Catches |
| MCP01 | AWS / OpenAI / Anthropic / GitHub / GitLab / Stripe / SendGrid / npm / HF / DB URIs / JWT / private keys in advertised text |
| MCP01 | Plaintext |
| MCP01 |
|
| MCP02 | Destructive tools ( |
| MCP03 | Instruction overrides, hidden exfiltration directives, zero-width / Unicode-tag smuggling |
| MCP03 / MCP09 | Duplicate tool-name collisions and "call me first" precedence injection |
| MCP04 / MCP09 | Unpinned/placeholder versions and homoglyph server names |
| MCP05 | Unconstrained |
| MCP05 | Arbitrary |
| MCP06 | Injection in resource contents and server instructions |
| MCP07 | HTTP servers that complete an unauthenticated handshake |
| MCP08 | High-impact tools with no audit trail (advisory, unscored) |
| MCP10 | Lethal trifecta: one server that reads private data, ingests untrusted content, and can exfiltrate |
toxic-flow is the standout, it reasons across the whole toolset, catching the GitHub-MCP / email-agent injection shape that per-tool checks miss.
Output & CI
console (default) · json · sarif (GitHub Code Scanning). Exit code is non-zero at/above --fail-on (default high), so it gates CI:
- run: npx owasp-mcp-scan --url ${{ secrets.MCP_URL }} --format sarif --output mcp.sarif
- uses: github/codeql-action/upload-sarif@v3
with: { sarif_file: mcp.sarif }Limitations (read these)
Static analysis can't see runtime sandboxing, a server that safely confines paths still flags them. Verify against actual enforcement.
Auth and transport checks apply to HTTP targets only.
Heuristics favor recall, so triage findings in context. When a rule is tightened to kill a false positive, a test pins the intended behavior.
Scanning a stdio target spawns that command, so run it only on servers you trust.
Develop
npm install && npm run build && npm test # 48 tests, incl. live end-to-end fixture scansChecks are pure and isolated (src/checks/), reusing detectors in src/detectors/. See CONTRIBUTING.md.
References
OWASP MCP Top 10 · MCP Security Cheat Sheet · Vulnerable MCP Project · MCPTox
MIT © CodingSelim
This server cannot be installed
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/CodingSelim/mcp-scan'
If you have feedback or need assistance with the MCP directory API, please join our Discord server