mcp-security-scanner
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": true
} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| rt_inspect_serverA | Connect to an MCP server via stdio or HTTP/SSE, enumerate all tools with descriptions and schemas, list resources and prompts. Returns full server capability manifest. |
| rt_check_tool_poisoningA | Analyze ALL tool descriptions for hidden prompt injection instructions. Checks for: file read instructions, exfiltration patterns, instruction override, system prompt extraction, social engineering. Returns findings with matched pattern and severity. |
| rt_check_ansi_injectionA | Scan all tool descriptions and schema field descriptions for ANSI escape sequences (CSI codes, cursor movement, color codes) used to hide malicious text in terminal display while LLM still reads it. |
| rt_check_unicode_steganographyA | Detect hidden Unicode characters in tool descriptions: zero-width spaces, zero-width joiners, word joiners, RTL/LTR override, BOM, invisible separators, homoglyph characters. These can hide instructions visible to LLM but invisible to humans. |
| rt_check_scope_creepB | Analyze tool schemas for over-permissive parameter types: arbitrary file paths, unrestricted URLs, shell commands, wildcard globs, any-type schemas. Also flags excessive tool count (>50). |
| rt_check_tool_shadowingB | Detect tools with names that shadow common MCP tool names from well-known servers (read_file, write_file, execute_command, bash, etc.). A rogue server registering these names could intercept calls intended for legitimate servers. |
| rt_check_cross_originA | Scan tool descriptions for references to tools from OTHER servers — patterns like 'when using the email tool', 'before calling read_file'. These cross-origin instructions enable tool shadowing attacks. |
| rt_pin_toolsA | Connect to server, SHA-256 hash every tool definition (name + description + schema), store as a pin file. Use rt_verify_pins later to detect tool definition changes (rug pull detection). |
| rt_verify_pinsA | Connect to server, hash current tool definitions, compare against stored pin. Reports: added tools, removed tools, modified tools (hash changed — potential rug pull), unchanged tools. |
| rt_check_authA | Test if MCP server requires authentication. Connects without credentials and checks if tools are accessible. Flags servers that accept unauthenticated connections. |
| rt_check_resource_exposureA | Enumerate all MCP resources and prompts exposed by the server. Flag resources with broad URI patterns (file://, https://), resources exposing sensitive paths, and prompts that could be used for social engineering. |
| rt_check_oauthA | Test if HTTP/SSE MCP server properly validates OAuth tokens. Sends requests with no token, invalid token, and expired-format JWT. Flags servers that accept unauthenticated or invalid requests. Only applies to HTTP/SSE transport. |
| rt_check_tlsA | Inspect TLS certificate of HTTP/SSE MCP server. Checks: unencrypted HTTP, untrusted/self-signed cert, expired cert, expiring soon (<30d), weak signature (SHA-1), short key (<2048 bits). Only applies to HTTP/SSE transport. |
| rt_check_capabilitiesA | Inspect MCP server capabilities advertised during initialization. Flags: experimental features, dynamic tool changes (tools.listChanged), dynamic resource changes (resources.listChanged), logging capability. Also checks server version. |
| rt_check_resource_contentA | Read actual content of all MCP resources via readResource() and scan for: poisoning patterns, ANSI escape sequences, hidden Unicode steganography, oversized content (context flooding). Goes beyond URI-based rt_check_resource_exposure by inspecting real content. |
| rt_fuzz_toolsA | Fuzz-test MCP tools with edge-case inputs: empty strings, long strings, path traversal, command injection, SQL injection, special chars, type confusion. Dry-run by default (schema analysis only) — set confirm_execute=true to actually invoke tools via callTool(). Reports crashes, stack trace leaks, and unhandled errors. |
| rt_check_http_securityA | Check HTTP response security headers on HTTP/SSE MCP server. Tests: HSTS, CORS policy (Access-Control-Allow-Origin: *), X-Content-Type-Options, Cache-Control, cookie flags (Secure, HttpOnly, SameSite). Only applies to HTTP/SSE transport. |
| rt_check_callbacksA | Analyze tool schemas for callback/webhook URL parameters that could enable SSRF. Checks parameter names (callback, webhook, redirect, return_url, notify_url, hook_url, etc.) and whether URL constraints (enum, pattern, format) are applied. Also scans descriptions for callback URL acceptance patterns. |
| rt_check_prompt_injectionA | Fetch actual prompt content via getPrompt() and scan for: poisoning patterns, template injection syntax (Mustache, Jinja2, ERB, ES template literals), and dangerous argument names (command, code, exec, etc.). Goes beyond metadata inspection. |
| rt_check_instructionsA | Analyze server instructions returned during MCP initialization. Scans for: poisoning patterns (credential harvesting, exfiltration, instruction override, social engineering), cross-origin references, excessive length (>5000 chars). Server instructions influence LLM behavior. |
| rt_check_tool_mutationA | Connect to server, take two tool snapshots with a configurable delay, and compare. Detects dynamic tool additions, removals, and description modifications during a session. Critical for rug-pull detection in live sessions. |
| rt_check_rate_limitingA | Send rapid ping() bursts to test if MCP server implements rate limiting. Measures response times and checks for 429/throttling. Servers without rate limiting are vulnerable to resource exhaustion and abuse. |
| rt_check_protocol_versionA | Check MCP server's reported name and version from initialization. Flags: missing version info, known vulnerable SDK versions (pre-1.0 series), and outdated protocol versions for security audit trail. |
| sast_scan_directoryA | Run ALL static analysis checks on a TypeScript/JavaScript source directory. Initializes AST project, discovers source files, runs all 11 analyzers, and returns aggregated findings sorted by severity. |
| sast_command_injectionA | AST-scan for command injection: child_process.exec(), execSync(), spawn() with shell:true — where arguments include user-controlled input. Reports file, line, column, and the exact dangerous expression. |
| sast_ssrfA | AST-scan for SSRF: fetch(), axios.get/post(), http.request() — where the URL argument contains user-controlled input without domain validation. |
| sast_path_traversalA | AST-scan for path traversal: fs.readFile(), writeFile(), readdir(), unlink() — where path argument includes user input without path.resolve() validation. |
| sast_code_executionA | AST-scan for dangerous code execution: eval(), new Function(), vm.runInNewContext(), setTimeout(string). Any occurrence is flagged regardless of input source. |
| sast_hardcoded_secretsA | Scan all string literals and template literals for hardcoded secrets using 20+ regex patterns: AWS keys, GitHub tokens, Slack tokens, Stripe keys, private keys, JWTs, database URLs, and more. |
| sast_missing_loggingA | Detect missing security controls: tool handlers without try-catch, empty catch blocks, stack trace exposure in responses, missing audit logging. |
| sast_insecure_cryptoA | Detect weak cryptography: createHash('md5'), createHash('sha1'), Math.random() for token generation, DES/RC4 usage. |
| sast_prototype_pollutionA | Detect prototype pollution: Object.assign() with user input, JSON.parse() on untrusted data, bracket notation with user-controlled keys. |
| sast_regex_dosA | Detect ReDoS patterns: nested quantifiers (a+)+, alternation with overlap, backreferences in quantified groups. |
| sast_unsafe_regexA | Detect new RegExp() with user-controlled input without proper escaping. Attacker-controlled regex can cause ReDoS or bypass validation. |
| sast_info_disclosureA | Detect information disclosure: sensitive data in console.log, process.env serialization, stack traces in responses, file paths in error messages. |
| cfg_auto_discoverA | Auto-discover all MCP configuration files on the system. Checks Claude Desktop, Claude Code, Cursor, VS Code, Windsurf locations. Returns found config files with server counts. |
| cfg_audit_mcp_configA | Deep audit of a single MCP config file. Checks for: API keys in args, secrets in env, npx -y auto-install, unknown binaries, HTTP without TLS, missing auth headers, wildcard env passthrough. |
| cfg_scan_env_filesA | Recursively scan directory for .env files. Detect: high-value API keys, database credentials, private keys, default/weak credentials, overly permissive file permissions. |
| cfg_check_shadow_serversB | Analyze each server in MCP config for shadow server indicators: unverified npm packages via npx -y, binaries in writable directories (/tmp), suspicious command paths. |
| cfg_check_context_oversharingB | Check for excessive context exposure: servers inheriting all env vars, sensitive vars shared across unrelated servers, broad resource access patterns. |
| cfg_check_transport_securityB | Verify transport security: HTTP vs HTTPS, SSE without TLS, WebSocket without WSS, servers bound to 0.0.0.0, tunnel URLs (ngrok, localtunnel), missing Authorization headers. |
| cfg_check_file_permissionsA | Check file permissions on MCP config files and related credential files. Flag configs readable by other users (mode > 600), world-readable .env files. |
| dep_audit_lockfileA | Parse lockfile (package-lock.json v2/v3, bun.lock) and list all dependencies with versions. Provides dependency tree overview for manual review. |
| dep_check_typosquattingB | Check all dependency names against top popular npm packages using: Levenshtein distance, keyboard-adjacent substitution, vowel swapping, separator confusion, scope squatting. |
| dep_check_unpinnedA | Detect dependencies with unpinned version ranges: caret (^), tilde (~), star (*), greater-than (>=). Unpinned versions allow silent malicious updates. |
| dep_check_install_scriptsA | Detect dependencies with lifecycle scripts (preinstall, install, postinstall, prepare) that execute during npm/bun install with full system access. |
| dep_check_mcp_sdk_versionB | Check the installed @modelcontextprotocol/sdk version against known vulnerable versions and latest features (OAuth 2.1 support, etc). |
| dep_check_deprecatedA | Detect deprecated dependencies by checking package.json 'deprecated' field in node_modules. Deprecated packages no longer receive security patches. |
| dep_check_licenseA | Audit dependency licenses: copyleft (GPL, AGPL), unknown/missing licenses, non-OSI-approved licenses. Important for MCP servers in enterprise environments. |
| report_generateA | Generate formatted security report from findings array. Supports JSON (structured), Markdown (human-readable with severity table, OWASP matrix, remediation checklist), and SARIF 2.1.0 (for GitHub Code Scanning). |
| report_owasp_complianceB | Generate OWASP MCP Top 10 compliance matrix from findings. For each MCP01-MCP10: pass/fail/not_tested status, finding count, highest severity, overall compliance score (0-100). |
| report_compareA | Compare two scan reports (JSON format). Shows new findings, resolved findings, unchanged findings, regression count, and OWASP category trends. |
| report_full_auditB | Orchestrator tool. Run ALL applicable checks on a project directory: static analysis on source, config audit, dependency audit, and optionally runtime inspection if command is provided. Generates combined report. |
| scanner_list_checksB | List all security checks available in mcp-security-scanner with name, description, OWASP MCP Top 10 mapping, severity range, and category. |
| scanner_owasp_mappingA | Display the full OWASP MCP Top 10 with ID, title, description, remediation guidance, CWE mappings, and external references. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/badchars/mcp-security-scanner'
If you have feedback or need assistance with the MCP directory API, please join our Discord server