mcp-guard
Scans for exposed GitHub tokens and secrets.
Identifies open MySQL ports and services on target hosts via TCP port scanning.
Checks npm dependencies for known vulnerabilities using the OSV database.
Scans for hardcoded OpenAI API keys.
Identifies open Redis ports and services on target hosts via TCP port scanning.
Scans for exposed SendGrid API keys.
Scans for exposed Slack tokens.
Scans for exposed Stripe API keys and secrets.
Scans for exposed Twilio credentials.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-guardaudit HTTP security headers on https://example.com"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mcp-guard
Security and network MCP server for Claude Code and Cursor. Written in Go.
Why mcp-guard
Most MCP servers are API wrappers. Claude could look up the same data itself if it had web access.
mcp-guard is different. 12 of its 22 tools require a physical machine to function. Wi-Fi scanning needs a radio chip. Bluetooth scanning needs an adapter. ARP discovery sends Layer 2 frames that never leave your local network — no cloud service receives them. File watching subscribes to kernel events on your machine's filesystem. USB enumeration reads your physical ports.
Claude runs in a data center. It has none of these things. These tools only work because the binary is running on your computer.
Related MCP server: Tengu
Tools
Local hardware (impossible for any remote service)
Tool | What it does |
| Scan nearby Wi-Fi networks via your wireless hardware — SSID, BSSID, signal, channel, security |
| Enumerate nearby Bluetooth devices via your adapter — name, address, type, pairing status |
| List all USB devices connected to this machine — vendor, product ID, speed, manufacturer |
| Layer 2 LAN discovery — finds every device on your network including ones that block ICMP/TCP, with MAC addresses and vendor IDs |
| ICMP host discovery across a CIDR range from your machine's network stack |
| Hop-by-hop network path from this machine via ICMP TTL probes |
| Kernel FS event stream (FSEvents on macOS, inotify on Linux) — real-time create/write/delete/rename |
| Local hardware: CPU model, RAM, disk, uptime, all network interfaces with IPs and MACs |
| Every file, socket, and pipe held open by processes on this machine via |
| Running processes with CPU% and memory — filter by name |
| Live TCP connections on this machine ( |
| Walk local files for hardcoded credentials — 20+ patterns (AWS, GitHub, OpenAI, Stripe, Slack, DB URLs, private keys) |
| SHA-256 every file in a directory — integrity baseline before/after deploys |
Forensics and supply chain
Tool | What it does |
| Checks this machine for malware persistence: LaunchAgents/Daemons (macOS), systemd units (Linux), cron jobs, shell profile injections. Flags curl-pipe-to-bash, base64 payloads, binaries in /tmp |
| Audits node_modules for supply chain attacks: lifecycle scripts that download/execute remote code, typosquatting (Levenshtein distance 1 against 50 popular packages), eval() of runtime data in source |
Network utilities
Tool | What it does |
| Concurrent TCP scanner — 200 goroutines, service name lookup |
| Raw TCP banner from any protocol — SSH, FTP, SMTP, Redis, MySQL |
| Full TLS certificate chain — key size, algorithm, expiry, SANs |
| A, AAAA, MX, NS, TXT, CNAME — detects missing SPF/DMARC |
| HTTP security header audit scored 0–100 with letter grade |
| npm dependency CVE check via OSV — no API key |
| Local JWT decode — algorithm, expiry, security warnings |
Setup
Claude Code
Add to ~/.claude/settings.json:
{
"mcpServers": {
"mcp-guard": {
"command": "npx",
"args": ["-y", "@zent7x/mcp-guard"]
}
}
}Cursor
Add to .cursor/mcp.json:
{
"mcpServers": {
"mcp-guard": {
"command": "npx",
"args": ["-y", "@zent7x/mcp-guard"]
}
}
}Global install
npm install -g @zent7x/mcp-guardThen use "command": "mcp-guard" instead of npx in the config above.
Example output
> wifi_scan
Wi-Fi networks (8 found)
SSID BSSID SIGNAL CHANNEL SECURITY
──────────────────────────────────────────────────────────────────────────────────────────
HomeNetwork a4:c3:f0:11:22:33 -42 dBm 6 WPA2 Personal
OfficeWifi b8:27:eb:44:55:66 -67 dBm 11 WPA2 Enterprise> arp_scan 192.168.1.0/24
LAN devices in 192.168.1.0/24 (6 found)
IP MAC HOSTNAME VENDOR
────────────────────────────────────────────────────────────────────────────────
192.168.1.1 a4:c3:f0:ab:cd:ef router.local Apple
192.168.1.42 b8:27:eb:12:34:56 raspberrypi.local Raspberry Pi
192.168.1.100 00:0c:29:78:90:ab VMware> bluetooth_scan
Bluetooth devices (4 found)
NAME ADDRESS TYPE STATUS
─────────────────────────────────────────────────────────────────────────────────────────
AirPods Pro a1:b2:c3:d4:e5:f6 paired
MX Keys 11:22:33:44:55:66 Keyboard paired
Sony WH-1000XM5 aa:bb:cc:dd:ee:ff Headphones not pairedHow it works
The npm package downloads a pre-compiled Go binary for your platform on first run. The binary speaks the MCP stdio protocol — your editor spawns it on startup and the tools appear automatically.
Platform binaries: darwin-arm64, darwin-amd64, linux-amd64, linux-arm64, windows-amd64.
Build from source
git clone https://github.com/zent7x/mcp-guard
cd mcp-guard
go build -o mcp-guard .Requires Go 1.21+.
License
MIT
Maintenance
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/zent7x/mcp-guard'
If you have feedback or need assistance with the MCP directory API, please join our Discord server