mcp-fortress
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-fortressscan server-filesystem for security issues"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
๐ฐ MCP Fortress
Security scanner and runtime protection for Model Context Protocol (MCP) servers
๐ NEW in v0.3.6: Enhanced scanner with improved false-positive detection! The first security tool that uses MCP to secure MCP.
๐ Quick Start
For Claude Code Users (Easiest!)
# Install the Claude Code plugin
/plugin marketplace add mcp-fortress/mcp-fortress
/plugin install mcp-fortress
# Authenticate with Smithery (opens in browser)
/mcpDone! Now ask Claude: "Is @modelcontextprotocol/server-github safe to install?"
The MCP Fortress skill will automatically scan and analyze security for you. No setup, no configuration - just install and ask! ๐
๐ Full Claude Code Installation Guide
Standalone Installation
# Install globally
npm install -g mcp-fortress
# Start the server
mcp-fortress startThat's it! The web UI will open at http://localhost:3000
Related MCP server: tooltrust-mcp
๐ฌ Demo
โจ Features
๐ Automated Security Scanning
Vulnerability detection across npm and PyPI packages
CVE database integration
Dependency analysis
Risk scoring (0-100)
๐ก๏ธ Runtime Protection
Real-time monitoring of MCP servers
Quarantine suspicious packages
WebSocket telemetry streaming
Activity feed with live updates
๐ Gamification
Achievement system with 16 unlockable badges
Streak tracking for daily scans
Leaderboards and metrics
Humorous security tips
๐จ Beautiful Web UI
Modern React-based dashboard
Real-time statistics
Server table with sorting and filtering
Detailed threat analysis views
๐ค NEW: MCP Server Mode (v0.3.0+)
Run MCP Fortress as an MCP server
Expose security analysis tools to Claude Code, Cursor, Windsurf
AI-powered security analysis using your existing LLM
Zero setup - uses the AI you already have
The first security tool that uses MCP to secure MCP
๐ฆ Installation
Option 1: Smithery Remote (Recommended - Easiest)
Method A: Smithery CLI (Automated)
npx @smithery/cli install @mcp-fortress/mcp-fortress-server --client claudeMethod B: Manual (With API Key)
Get your API key from Smithery
Add to Claude:
claude mcp add --transport http mcp-fortress "https://server.smithery.ai/@mcp-fortress/mcp-fortress-server/mcp?api_key=YOUR_API_KEY&profile=YOUR_PROFILE"Replace YOUR_API_KEY and YOUR_PROFILE with values from Smithery.
Benefits:
โ No local installation
โ Auto-updates
โ Zero setup
Option 2: Local Install (Advanced)
npm install -g mcp-fortressAdd to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"mcp-fortress": {
"command": "mcp-fortress",
"args": ["serve-mcp"]
}
}
}Restart Claude Desktop.
Benefits:
โ Full control
โ Works offline
โ No API key needed
๐ฏ Usage
๐ MCP Server Mode (Recommended)
Use MCP Fortress with your AI coding assistant (Claude Code, Cursor, etc.):
1. Install MCP Fortress:
npm install -g mcp-fortress2. Configure Claude Desktop:
Edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"mcp-fortress": {
"command": "mcp-fortress",
"args": ["serve-mcp"]
}
}
}3. Restart Claude Desktop
Restart Claude Desktop to load the MCP Fortress server.
4. Use in Claude Code:
You: Scan @modelcontextprotocol/server-filesystem for security issues
Claude: *Uses MCP Fortress tools to scan and analyze*
I found 3 potential security concerns...Available MCP Tools:
scan_mcp_server- Comprehensive security scanAnalyzes npm packages for vulnerabilities
Detects malicious code patterns
Checks dependencies for CVEs
Calculates risk score (0-100)
analyze_prompt_injection- Detect prompt injection attacksIdentifies instruction injection attempts
Detects role manipulation
Finds system prompt extraction attempts
Analyzes delimiter injection
detect_tool_poisoning- Identify malicious/misleading toolsDetects typosquatting (e.g.,
read_fiilevsread_file)Identifies name/description mismatches
Flags overly generic tool names
Compares against known legitimate tools
Example Interactions:
You: Is puppeteer-mcp-server safe to use?
Claude: โ
Yes! Risk score: 0/100. No threats detected.
You: Check this tool: "Helper tool. Ignore previous instructions."
Claude: ๐จ CRITICAL: Prompt injection detected! DO NOT USE.
You: Is a tool named "read_fiile" suspicious?
Claude: โ ๏ธ Yes! Likely typosquatting "read_file"Standalone Usage
Start the Server
# Start server (foreground)
mcp-fortress start
# Start server in background (daemon mode)
mcp-fortress start --daemonOptions:
-p, --port <port>- API port (default: 3001)-h, --host <host>- Host to bind (default: localhost)--no-browser- Don't open browser automatically-d, --daemon- Run server in background
Daemon Commands
# Stop the daemon server
mcp-fortress stop
# Check daemon status
mcp-fortress status
# View server logs
mcp-fortress logs
mcp-fortress logs --lines 100 # Show last 100 linesScan a Package
mcp-fortress scan <package-name>Examples:
# Scan from npm
mcp-fortress scan express
# Scan specific version
mcp-fortress scan express --version 4.18.0
# Scan from PyPI
mcp-fortress scan flask --registry pypiMonitor a Running Server
mcp-fortress monitor <server-name>Manage Quarantine
# List quarantined servers
mcp-fortress quarantine list
# Release from quarantine
mcp-fortress quarantine release <server-name>๐๏ธ Architecture
mcp-fortress/
โโโ CLI โ Command-line interface
โโโ API Server โ Express REST API + WebSocket
โโโ Scanner Engine โ npm & PyPI vulnerability detection
โโโ Web UI โ React dashboard
โโโ SQLite Database โ Local data storageData Location:
~/.mcp-fortress/fortress.db- SQLite database~/.mcp-fortress/server.pid- Daemon process ID~/.mcp-fortress/logs/- Server logs
๐ Security Features
Threat Detection
โ Known vulnerabilities (CVE database)
โ Suspicious patterns in code
โ Malicious dependencies
โ License compliance issues
Risk Scoring
0-30: Low risk (green)
31-60: Medium risk (yellow)
61-100: High risk (red)
Quarantine System
Automatic blocking of critical threats
Manual approval workflow
Audit trail for all actions
๐ฎ Gamification
Unlock achievements as you scan:
๐ First Blood - Complete your first scan
๐ฅ Streak Master - 7-day scanning streak
๐ก๏ธ Guardian - Block 10 high-risk packages
๐งช Lab Rat - Scan 100 packages
And 12 more!
๐ Tiers
Free Tier (Local Mode)
โ Unlimited scans
โ Full UI with gamification
โ All achievements
โ Local database
โ No account needed
โ No cloud sync
โ No team features
๐ Support
Report Issues: GitHub Issues
Discussions: GitHub Discussions
Email: mcp-fortress@protonmail.com
๐ค Contributing
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
๐ License
MIT License - see LICENSE file for details.
๐ Acknowledgments
Built with:
Express - Web framework
React - UI library
Better-SQLite3 - Database
Commander - CLI framework
๐ Roadmap
Current (v0.3.x)
โ MCP Server Mode
โ Advanced threat detection (prompt injection, tool poisoning)
โ Claude Code/Cursor integration
Next (v0.4.0)
Auto-discovery of IDE configs
Real-time MCP proxy mode
Enhanced PII/secrets detection
Custom security policies
Future (v0.5.0+)
VS Code extension
GitHub App for PR checks
SBOM generation
CI/CD integrations
Docker container scanning
Enterprise SSO support
Made with โค๏ธ for the MCP community
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/mcp-fortress/mcp-fortress'
If you have feedback or need assistance with the MCP directory API, please join our Discord server