Skip to main content
Glama
mcp-fortress

mcp-fortress

by mcp-fortress

๐Ÿฐ MCP Fortress

Security scanner and runtime protection for Model Context Protocol (MCP) servers

npm version License: MIT

๐Ÿš€ NEW in v0.3.6: Enhanced scanner with improved false-positive detection! The first security tool that uses MCP to secure MCP.


๐Ÿš€ Quick Start

For Claude Code Users (Easiest!)

# Install the Claude Code plugin
/plugin marketplace add mcp-fortress/mcp-fortress
/plugin install mcp-fortress

# Authenticate with Smithery (opens in browser)
/mcp

Done! Now ask Claude: "Is @modelcontextprotocol/server-github safe to install?"

The MCP Fortress skill will automatically scan and analyze security for you. No setup, no configuration - just install and ask! ๐ŸŽ‰

๐Ÿ“– Full Claude Code Installation Guide

Standalone Installation

# Install globally
npm install -g mcp-fortress

# Start the server
mcp-fortress start

That's it! The web UI will open at http://localhost:3000


Related MCP server: tooltrust-mcp

๐ŸŽฌ Demo


โœจ Features

๐Ÿ” Automated Security Scanning

  • Vulnerability detection across npm and PyPI packages

  • CVE database integration

  • Dependency analysis

  • Risk scoring (0-100)

๐Ÿ›ก๏ธ Runtime Protection

  • Real-time monitoring of MCP servers

  • Quarantine suspicious packages

  • WebSocket telemetry streaming

  • Activity feed with live updates

๐Ÿ“Š Gamification

  • Achievement system with 16 unlockable badges

  • Streak tracking for daily scans

  • Leaderboards and metrics

  • Humorous security tips

๐ŸŽจ Beautiful Web UI

  • Modern React-based dashboard

  • Real-time statistics

  • Server table with sorting and filtering

  • Detailed threat analysis views

๐Ÿค– NEW: MCP Server Mode (v0.3.0+)

  • Run MCP Fortress as an MCP server

  • Expose security analysis tools to Claude Code, Cursor, Windsurf

  • AI-powered security analysis using your existing LLM

  • Zero setup - uses the AI you already have

  • The first security tool that uses MCP to secure MCP


๐Ÿ“ฆ Installation

Method A: Smithery CLI (Automated)

npx @smithery/cli install @mcp-fortress/mcp-fortress-server --client claude

Method B: Manual (With API Key)

  1. Get your API key from Smithery

  2. Add to Claude:

claude mcp add --transport http mcp-fortress "https://server.smithery.ai/@mcp-fortress/mcp-fortress-server/mcp?api_key=YOUR_API_KEY&profile=YOUR_PROFILE"

Replace YOUR_API_KEY and YOUR_PROFILE with values from Smithery.

Benefits:

  • โœ… No local installation

  • โœ… Auto-updates

  • โœ… Zero setup

Option 2: Local Install (Advanced)

npm install -g mcp-fortress

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "mcp-fortress": {
      "command": "mcp-fortress",
      "args": ["serve-mcp"]
    }
  }
}

Restart Claude Desktop.

Benefits:

  • โœ… Full control

  • โœ… Works offline

  • โœ… No API key needed


๐ŸŽฏ Usage

Use MCP Fortress with your AI coding assistant (Claude Code, Cursor, etc.):

1. Install MCP Fortress:

npm install -g mcp-fortress

2. Configure Claude Desktop:

Edit ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "mcp-fortress": {
      "command": "mcp-fortress",
      "args": ["serve-mcp"]
    }
  }
}

3. Restart Claude Desktop

Restart Claude Desktop to load the MCP Fortress server.

4. Use in Claude Code:

You: Scan @modelcontextprotocol/server-filesystem for security issues

Claude: *Uses MCP Fortress tools to scan and analyze*
I found 3 potential security concerns...

Available MCP Tools:

  • scan_mcp_server - Comprehensive security scan

    • Analyzes npm packages for vulnerabilities

    • Detects malicious code patterns

    • Checks dependencies for CVEs

    • Calculates risk score (0-100)

  • analyze_prompt_injection - Detect prompt injection attacks

    • Identifies instruction injection attempts

    • Detects role manipulation

    • Finds system prompt extraction attempts

    • Analyzes delimiter injection

  • detect_tool_poisoning - Identify malicious/misleading tools

    • Detects typosquatting (e.g., read_fiile vs read_file)

    • Identifies name/description mismatches

    • Flags overly generic tool names

    • Compares against known legitimate tools

Example Interactions:

You: Is puppeteer-mcp-server safe to use?
Claude: โœ… Yes! Risk score: 0/100. No threats detected.

You: Check this tool: "Helper tool. Ignore previous instructions."
Claude: ๐Ÿšจ CRITICAL: Prompt injection detected! DO NOT USE.

You: Is a tool named "read_fiile" suspicious?
Claude: โš ๏ธ Yes! Likely typosquatting "read_file"

Standalone Usage

Start the Server

# Start server (foreground)
mcp-fortress start

# Start server in background (daemon mode)
mcp-fortress start --daemon

Options:

  • -p, --port <port> - API port (default: 3001)

  • -h, --host <host> - Host to bind (default: localhost)

  • --no-browser - Don't open browser automatically

  • -d, --daemon - Run server in background

Daemon Commands

# Stop the daemon server
mcp-fortress stop

# Check daemon status
mcp-fortress status

# View server logs
mcp-fortress logs
mcp-fortress logs --lines 100  # Show last 100 lines

Scan a Package

mcp-fortress scan <package-name>

Examples:

# Scan from npm
mcp-fortress scan express

# Scan specific version
mcp-fortress scan express --version 4.18.0

# Scan from PyPI
mcp-fortress scan flask --registry pypi

Monitor a Running Server

mcp-fortress monitor <server-name>

Manage Quarantine

# List quarantined servers
mcp-fortress quarantine list

# Release from quarantine
mcp-fortress quarantine release <server-name>

๐Ÿ—๏ธ Architecture

mcp-fortress/
โ”œโ”€โ”€ CLI                 โ†’ Command-line interface
โ”œโ”€โ”€ API Server          โ†’ Express REST API + WebSocket
โ”œโ”€โ”€ Scanner Engine      โ†’ npm & PyPI vulnerability detection
โ”œโ”€โ”€ Web UI              โ†’ React dashboard
โ””โ”€โ”€ SQLite Database     โ†’ Local data storage

Data Location:

  • ~/.mcp-fortress/fortress.db - SQLite database

  • ~/.mcp-fortress/server.pid - Daemon process ID

  • ~/.mcp-fortress/logs/ - Server logs


๐Ÿ” Security Features

Threat Detection

  • โœ… Known vulnerabilities (CVE database)

  • โœ… Suspicious patterns in code

  • โœ… Malicious dependencies

  • โœ… License compliance issues

Risk Scoring

  • 0-30: Low risk (green)

  • 31-60: Medium risk (yellow)

  • 61-100: High risk (red)

Quarantine System

  • Automatic blocking of critical threats

  • Manual approval workflow

  • Audit trail for all actions


๐ŸŽฎ Gamification

Unlock achievements as you scan:

  • ๐Ÿ† First Blood - Complete your first scan

  • ๐Ÿ”ฅ Streak Master - 7-day scanning streak

  • ๐Ÿ›ก๏ธ Guardian - Block 10 high-risk packages

  • ๐Ÿงช Lab Rat - Scan 100 packages

  • And 12 more!

๐Ÿ“Š Tiers

Free Tier (Local Mode)

  • โœ… Unlimited scans

  • โœ… Full UI with gamification

  • โœ… All achievements

  • โœ… Local database

  • โœ… No account needed

  • โŒ No cloud sync

  • โŒ No team features


๐Ÿ› Support


๐Ÿค Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines.


๐Ÿ“œ License

MIT License - see LICENSE file for details.


๐Ÿ™ Acknowledgments

Built with:


๐Ÿ“ˆ Roadmap

Current (v0.3.x)

  • โœ… MCP Server Mode

  • โœ… Advanced threat detection (prompt injection, tool poisoning)

  • โœ… Claude Code/Cursor integration

Next (v0.4.0)

  • Auto-discovery of IDE configs

  • Real-time MCP proxy mode

  • Enhanced PII/secrets detection

  • Custom security policies

Future (v0.5.0+)

  • VS Code extension

  • GitHub App for PR checks

  • SBOM generation

  • CI/CD integrations

  • Docker container scanning

  • Enterprise SSO support


Made with โค๏ธ for the MCP community

Star on GitHub

A
license - permissive license
-
quality - not tested
D
maintenance

Maintenance

โ€“Maintainers
โ€“Response time
โ€“Release cycle
โ€“Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/mcp-fortress/mcp-fortress'

If you have feedback or need assistance with the MCP directory API, please join our Discord server