Connect to an MCP server via stdio, enumerate all tools with descriptions and schemas, list resources and prompts. Returns full server capability manifest.

Analyze ALL tool descriptions for hidden prompt injection instructions. Checks for: file read instructions, exfiltration patterns, instruction override, system prompt extraction, social engineering. Returns findings with matched pattern and severity.

Scan all tool descriptions and schema field descriptions for ANSI escape sequences (CSI codes, cursor movement, color codes) used to hide malicious text in terminal display while LLM still reads it.

Detect hidden Unicode characters in tool descriptions: zero-width spaces, zero-width joiners, word joiners, RTL/LTR override, BOM, invisible separators, homoglyph characters. These can hide instructions visible to LLM but invisible to humans.

Analyze tool schemas for over-permissive parameter types: arbitrary file paths, unrestricted URLs, shell commands, wildcard globs, any-type schemas. Also flags excessive tool count (>50).

Detect tools with names that shadow common MCP tool names from well-known servers (read_file, write_file, execute_command, bash, etc.). A rogue server registering these names could intercept calls intended for legitimate servers.

Scan tool descriptions for references to tools from OTHER servers — patterns like 'when using the email tool', 'before calling read_file'. These cross-origin instructions enable tool shadowing attacks.

Connect to server, SHA-256 hash every tool definition (name + description + schema), store as a pin file. Use rt_verify_pins later to detect tool definition changes (rug pull detection).

Connect to server, hash current tool definitions, compare against stored pin. Reports: added tools, removed tools, modified tools (hash changed — potential rug pull), unchanged tools.

Test if MCP server requires authentication. Connects without credentials and checks if tools are accessible. Flags servers that accept unauthenticated connections.

Enumerate all MCP resources and prompts exposed by the server. Flag resources with broad URI patterns (file://, https://), resources exposing sensitive paths, and prompts that could be used for social engineering.

Run ALL static analysis checks on a TypeScript/JavaScript source directory. Initializes AST project, discovers source files, runs all 11 analyzers, and returns aggregated findings sorted by severity.

AST-scan for command injection: child_process.exec(), execSync(), spawn() with shell:true — where arguments include user-controlled input. Reports file, line, column, and the exact dangerous expression.

AST-scan for SSRF: fetch(), axios.get/post(), http.request() — where the URL argument contains user-controlled input without domain validation.

AST-scan for path traversal: fs.readFile(), writeFile(), readdir(), unlink() — where path argument includes user input without path.resolve() validation.

AST-scan for dangerous code execution: eval(), new Function(), vm.runInNewContext(), setTimeout(string). Any occurrence is flagged regardless of input source.

Scan all string literals and template literals for hardcoded secrets using 20+ regex patterns: AWS keys, GitHub tokens, Slack tokens, Stripe keys, private keys, JWTs, database URLs, and more.

Detect missing security controls: tool handlers without try-catch, empty catch blocks, stack trace exposure in responses, missing audit logging.

Detect weak cryptography: createHash('md5'), createHash('sha1'), Math.random() for token generation, DES/RC4 usage.

Detect prototype pollution: Object.assign() with user input, JSON.parse() on untrusted data, bracket notation with user-controlled keys.

Detect ReDoS patterns: nested quantifiers (a+)+, alternation with overlap, backreferences in quantified groups.

Detect new RegExp() with user-controlled input without proper escaping. Attacker-controlled regex can cause ReDoS or bypass validation.

Detect information disclosure: sensitive data in console.log, process.env serialization, stack traces in responses, file paths in error messages.

Auto-discover all MCP configuration files on the system. Checks Claude Desktop, Claude Code, Cursor, VS Code, Windsurf locations. Returns found config files with server counts.

Deep audit of a single MCP config file. Checks for: API keys in args, secrets in env, npx -y auto-install, unknown binaries, HTTP without TLS, missing auth headers, wildcard env passthrough.

Recursively scan directory for .env files. Detect: high-value API keys, database credentials, private keys, default/weak credentials, overly permissive file permissions.

Analyze each server in MCP config for shadow server indicators: unverified npm packages via npx -y, binaries in writable directories (/tmp), suspicious command paths.

Check for excessive context exposure: servers inheriting all env vars, sensitive vars shared across unrelated servers, broad resource access patterns.

Verify transport security: HTTP vs HTTPS, SSE without TLS, WebSocket without WSS, servers bound to 0.0.0.0, tunnel URLs (ngrok, localtunnel), missing Authorization headers.

Check file permissions on MCP config files and related credential files. Flag configs readable by other users (mode > 600), world-readable .env files.

Parse lockfile (package-lock.json v2/v3, bun.lock) and list all dependencies with versions. Provides dependency tree overview for manual review.

Check all dependency names against top popular npm packages using: Levenshtein distance, keyboard-adjacent substitution, vowel swapping, separator confusion, scope squatting.

Detect dependencies with unpinned version ranges: caret (^), tilde (~), star (*), greater-than (>=). Unpinned versions allow silent malicious updates.

Detect dependencies with lifecycle scripts (preinstall, install, postinstall, prepare) that execute during npm/bun install with full system access.

Check the installed @modelcontextprotocol/sdk version against known vulnerable versions and latest features (OAuth 2.1 support, etc).

Detect deprecated dependencies by checking package.json 'deprecated' field in node_modules. Deprecated packages no longer receive security patches.

Audit dependency licenses: copyleft (GPL, AGPL), unknown/missing licenses, non-OSI-approved licenses. Important for MCP servers in enterprise environments.

Generate formatted security report from findings array. Supports JSON (structured), Markdown (human-readable with severity table, OWASP matrix, remediation checklist), and SARIF 2.1.0 (for GitHub Code Scanning).

Generate OWASP MCP Top 10 compliance matrix from findings. For each MCP01-MCP10: pass/fail/not_tested status, finding count, highest severity, overall compliance score (0-100).

Compare two scan reports (JSON format). Shows new findings, resolved findings, unchanged findings, regression count, and OWASP category trends.

Orchestrator tool. Run ALL applicable checks on a project directory: static analysis on source, config audit, dependency audit, and optionally runtime inspection if command is provided. Generates combined report.

List all security checks available in mcp-security-scanner with name, description, OWASP MCP Top 10 mapping, severity range, and category.

Display the full OWASP MCP Top 10 with ID, title, description, remediation guidance, CWE mappings, and external references.