MCP Security Auditor
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MCP Security Auditoraudit the MCP server at localhost:3000"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP Security Auditor
An LLM-powered vulnerability auditor for MCP (Model Context Protocol) servers. Existing static scanners pattern-match tool descriptions against known-bad keywords; this project uses a local LLM, grounded by retrieval against a curated knowledge base of known attack patterns, to catch semantically-equivalent attacks that don't use any alarming words.
Runs entirely on local infrastructure (Ollama) — no tool descriptions or scan results leave the machine.
Architecture
Recon Agent -> connects to a target MCP server, enumerates every
tool, resource, and prompt (agents/recon.py)
Semantic Analyzer -> RAG-retrieves similar known attack patterns per
tool, asks a local LLM for a grounded verdict
(agents/semantic_analyzer.py, rag/)
Drift Monitor -> baselines a server, re-checks later, catches
post-install "rug pulls" static scans can't see
(agents/drift_monitor.py)
Reporting Agent -> synthesizes findings into a severity-scored,
OWASP-mapped report (agents/reporting.py)
Sandboxed Demo -> shows concrete impact using synthetic decoy
files only, never real paths (agents/sandbox_demo.py)
Benchmark -> precision/recall/F1 against ground truth, plus
a transparent regex baseline for comparison
(agents/benchmark.py, agents/baseline_regex_scanner.py)Taxonomy: OWASP MCP Top 10
(beta/pilot as of mid-2026 — cite as MCPxx:2025, not a finalized standard).
Related MCP server: agent-audit
Setup
python3 -m venv venv
source venv/bin/activate # Windows: venv\Scripts\activate
pip install -r requirements.txt
ollama pull llama3.1:8b # see "why 8b, not 3b" below
ollama pull nomic-embed-text
ollama serveTest bed
Five toy MCP servers under servers/, each purpose-built for a specific
test:
Server | Purpose |
| negative control — 0 planted vulns |
| 2 planted MCP03 (Tool Poisoning): one obvious, one paraphrased/keyword-free |
| 2 planted MCP02 (Scope Creep): schema/description mismatch, typosquat+side-effect |
| 1 planted MCP01 (Token Mismanagement): plaintext credential requested as a call argument |
| toggles clean↔poisoned via |
| generalization check — never referenced during prompt development |
servers/ground_truth.json is the labeled answer key.
Validated results
All numbers below are from actual runs, not projected.
Detection rate (agents/benchmark.py, 3 runs x 4 servers)
Precision: 1.0, Recall: 1.0, F1: 1.0 — 15/15 planted vulnerabilities
caught, 0/30 false positives, using llama3.1:8b, fully reproducible
across repeated runs, across three distinct OWASP MCP categories
(MCP01, MCP02, MCP03).
Why llama3.1:8b, not llama3.2:3b
Measured, not assumed: llama3.2:3b missed both tool-poisoning payloads
on this test bed, including the one with explicit "ignore prior
instructions" language — it appears to reflexively sanitize past
injected text rather than analyzing it, even with an explicit
untrusted-data prompt boundary. llama3.1:8b caught all planted
vulnerabilities with zero false positives. This is a real, specific
model-size threshold observed on a fixed test bed, not a general claim
about model scaling.
Baseline comparison (agents/baseline_regex_scanner.py)
A transparent, fully deterministic keyword/regex scanner — no LLM, no RAG — representing the class of existing static-pattern MCP scanners. Run head-to-head on the same test bed:
Vulnerability | Baseline (regex) | This project |
convert_currency — obvious payload | caught | caught |
summarize_document — paraphrased, no trigger keywords | MISSED | caught |
read_file_preview — schema/description mismatch | caught | caught |
git_stauts — typosquat + implied side effect | caught | caught |
Both approaches tie on obvious/structural cases. The one case that differentiates them — a paraphrased attack using zero alarming keywords — is exactly the evasion technique a real attacker would use against a keyword scanner, and it's the one this project catches that the baseline doesn't. That's the actual, measured claim, not an assumption.
Note: summarize_document's payload was rewritten once during benchmarking after an earlier version accidentally contained the literal word "credentials," which the baseline's keyword list also checks for — that version tied with the baseline instead of differentiating from it. Worth stating plainly in any writeup: the first version of this test wasn't actually fair, and fixing it was part of the process.
Held-out generalization test
holdout_server.py's raed_file tool (typosquat of read_file,
disguised as "forwards to a logging endpoint") was never named or
referenced anywhere in semantic_analyzer.py's prompt during
development. It was still correctly flagged, and the clean control tool
in the same server was correctly left unflagged — real evidence the
typosquat-detection approach generalizes rather than memorizing the
known git_stauts test case.
The typosquat check itself (check_typosquat() in
semantic_analyzer.py) is a plain edit-distance algorithm against a
generic list of common tool names, feeding the LLM computed evidence
("edit distance 2 from read_file") rather than a memorized example —
this is what makes the generalization result meaningful rather than
circular.
Known limitations
Edit-distance typosquat detection misses double-transposition typos (e.g. sned_emial vs send_email) — Damerau-Levenshtein would fix this but wasn't implemented.
LLM-based judgment isn't perfectly deterministic. All numbers above were confirmed stable across 3 repeated runs, but this is a property of local-LLM-based detection worth stating explicitly rather than implying certainty a single run can't support.
The 1.0 detection rate is on this project's own 3-server, 6-vuln test bed. It demonstrates the approach works; it is not a claim about detection rate on real-world MCP servers at scale.
mcp-scan (the original planned comparison baseline) was acquired by Snyk mid-project and renamed snyk-agent-scan, now requiring a Snyk account/API token for real scans. Rather than gate the comparison behind a signup, this project built its own transparent regex baseline instead — arguably a cleaner comparison anyway, since its exact logic is fully inspectable in agents/baseline_regex_scanner.py.
Running the pipeline
# Recon only
python3 agents/recon.py servers/clean_server.py
# Full semantic analysis
python3 agents/semantic_analyzer.py servers/tool_poisoning_server.py
# Drift monitor demo (rug pull)
python3 agents/drift_monitor.py baseline servers/rug_pull_server.py
export RUG_PULL=1 # Windows: $env:RUG_PULL="1"
python3 agents/drift_monitor.py check servers/rug_pull_server.py
# Severity-scored report
python3 agents/reporting.py servers/tool_poisoning_server.py --out report.md
# Sandboxed impact demo (synthetic decoy files only)
python3 agents/sandbox_demo.py servers/tool_poisoning_server.py
# Regex baseline (no LLM needed, instant)
python3 agents/baseline_regex_scanner.py servers/tool_poisoning_server.py
# Full benchmark (precision/recall/F1)
python3 agents/benchmark.py --runs 3Week 5 — The auditor as an MCP server
agents/
auditor_mcp_server.py # this project, exposed as an MCP server itselfEvery other agent in this project is an MCP client — it connects to
someone else's server and inspects it. auditor_mcp_server.py flips
that: it's this project's own detection pipeline, wrapped as an MCP
server, exposing two tools:
audit_mcp_server(command, args)— full severity-scored Markdown reportquick_verdict(command, args)— fast one-line-per-tool read
The practical point: this can be added to Claude Desktop's own MCP config, so before you add some new, unfamiliar MCP server you found online, you can ask Claude to "use the security auditor to check this server first" — vetting an untrusted server without your primary assistant ever touching it directly.
Try it with our own recon.py (no Ollama needed, just proves the wiring)
python3 agents/recon.py agents/auditor_mcp_server.pyShould show mcp-security-auditor exposing exactly two tools,
audit_mcp_server and quick_verdict.
Add it to Claude Desktop
In Claude Desktop's config file (find via Settings → Developer → Edit Config), add:
{
"mcpServers": {
"mcp-security-auditor": {
"command": "python3",
"args": ["/absolute/path/to/mcp-auditor/agents/auditor_mcp_server.py"]
}
}
}Restart Claude Desktop, then in a new chat: "Use the security auditor
to check whether this MCP server is safe before I add it: command=...,
args=..." — Claude will call audit_mcp_server and show you the report
before you commit to trusting the new server. This is the single best
demo moment for a live walkthrough, since it shows the tool being used
the way it's actually meant to be used, not just run from a terminal.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/shreyagobi/mcp-auditor'
If you have feedback or need assistance with the MCP directory API, please join our Discord server