mcp-scan is an open-source security scanner for Model Context Protocol (MCP) server configurations. It detects leaked secrets, prompt injection risks, supply-chain vulnerabilities, and misconfigurations across Claude Desktop, VS Code, Cursor, Windsurf, and 17+ AI tool clients.

How do I run mcp-scan?

Run `npx mcp-scan@latest` in your terminal. No installation required. It automatically detects and scans all AI tool configurations on your system.

Yes. mcp-scan is completely free and open-source under the MIT license. It has zero telemetry and collects no data.

Which AI tools does mcp-scan support?

mcp-scan supports 17+ AI tool clients including Claude Desktop, VS Code, Cursor, Windsurf, Cline, Zed, Continue, Gemini CLI, Codex CLI, Claude Code, and more.

What security checks does mcp-scan perform?

mcp-scan runs 16 scanners with 17+ security checks across secret detection, prompt injection scanning, supply chain risk analysis, typosquatting detection, data flow analysis, network egress monitoring, and compliance mapping (SOC 2, GDPR, HIPAA).

Open Source · Security

mcp-scan

Security scanner for MCP servers

terminal — mcp-scan

View on GitLab →Preview hosted report Need a human review?

Start here in under a minute

Choose the path that matches your MCP risk right now.

The page is long because it serves different buyer types. This strip removes the guesswork before you go deeper.

Routing path

Check rollout risk in under a minute

Best when you are not sure whether the next move should stay self-serve, become a hosted artifact, or jump straight into a paid founder review.

Run MCP calculator

Product path

Preview the hosted report artifact

Best when you need a cleaner summary than raw terminal output and want to see what the weekend product can realistically become.

Preview hosted report

Paid path

Reserve the 48-hour MCP Risk Review

Best when rollout is close, permissions are sensitive, and a fast human decision is worth more than reading scanner output alone.

Reserve MCP review

Revenue bridge

Free scan first. Human review when the MCP risk is real.

mcp-scan should not stay proof-only. The fastest commercial path is to let teams self-serve the free scan, then route higher-stakes buyers into a paid MCP risk review or the future hosted Pro product.

Paid next step

48-hour MCP Risk Review

Best for teams that already know MCP is entering a real workflow and want a human to verify whether the current setup is safe enough to ship.

$3K fixed scope48 hours turnaround

48-hour manual review of MCP configs, tool permissions, and obvious exposure paths

Prioritized remediation memo across secrets, prompt injection, supply chain, and network egress risk

Clear decision: safe to proceed, fix before rollout, or escalate into a deeper Technical Audit

Reserve MCP Risk Review Book MCP Risk Review fit call Request async risk review

Reserve the narrow lane if the MCP problem is already clear. If direct checkout is not enabled, the reserve path falls back to the fit-call flow. If the risk is broader than one MCP decision, escalate into a Technical Audit instead of forcing this fixed-scope review. See the full lane details.

Weekend product path

Join the mcp-scan Pro waitlist

Hosted reports, policy packs, and buyer-friendly risk summaries are the most credible product extension because they build directly on top of the free scanner instead of inventing a new market.

Free scan for self-serve teams

Human review for higher-stakes environments

Pro waitlist for hosted reports and policy packs

Get early access to mcp-scan Pro

If you want hosted MCP reports, policy-ready exports, or a buyer-safe security summary, leave your details with enough context to judge whether you should get the hosted product first or the 48-hour human review first.

What the weekend product can ship

Show the report artifact before asking for the waitlist.

The hosted Pro layer should feel tangible. This preview is the buyer-safe artifact: a decision summary, the highest-risk findings, and the export shape a team can share internally without turning raw scanner output into a manual report.

sample hosted report

MCP rollout summary

Fix before rollout

DecisionFix before rollout

Affected surfaces2 MCP servers

Export bundleSummary + policy notes

Best pathPro report or 48h review

Filesystem connector can exfiltrate secretsHIGH

A shell-capable connector can read local secrets and reach an external host with no approval boundary.

shortest safe next step

Restrict permissions, pin the server source, and block unrestricted egress before rollout.

Unverified package origin in MCP server chainMEDIUM

The server definition points to a package path that is not pinned to a trustworthy release boundary.

shortest safe next step

Pin the package source and record a known-good version before teammates reuse it.

Prompt boundary missing on high-trust toolMEDIUM

One tool can receive unconstrained instructions without a clear human-review checkpoint.

shortest safe next step

Add a review gate and narrow the tool contract before connecting it to sensitive workflows.

What ships in Pro

A cleaner artifact than a raw CLI paste.

Executive summary that a founder or security lead can read in under 3 minutes

Findings grouped by severity, blast radius, and shortest safe next step

Policy-ready notes you can hand to engineering without rewriting the scanner output

Shareable artifact that feels safer than pasting raw terminal logs into Slack

Best first buyers

Founders trying to decide whether to unblock rollout now or slow down

Security or platform leads who need a buyer-safe summary, not just raw CLI output

Teams comparing a lightweight hosted report against the 48-hour human review lane

Honest boundary

The hosted Pro layer should package the artifact. The founder-led 48-hour MCP Risk Review should stay available for buyers who need judgment, not just a clean report.

Request early access Need the human review instead?

Defense in Depth

16 scanners. 17+ AI tool clients. One command.

mcp-scan provides a unified security layer for the Model Context Protocol ecosystem. Run it locally or integrate with your CI/CD pipeline.

mcp-scan — live scan

Data Flow

Claude Code

Cursor

VS Code

mcp
scan

✓ 0 issues

✗ 2 issues

Live Scan

How it works

Three steps to secure your AI tools

Install

npm install -g mcp-scan or run instantly with npx — no setup required.

Scan

Automatically detects Claude, Cursor, VS Code, and 17+ AI tool clients.

Fix

Detailed findings with severity levels and remediation steps.

16 Specialized Scanners

v1.7.5

HIGH

Secrets Detection

Entropy-based scanning for API keys and tokens.

HIGH

CVE Scanner

Cross-references dependencies against known vulnerabilities.

HIGH

Prompt Injection

Analyzes prompts for potential injection vectors.

HIGH

Tool Poisoning

Detects malicious tool definitions and schemas.

HIGH

Shell Injection

Detects unescaped inputs in shell-capable servers.

MEDIUM

Supply Chain

Verifies the trust chain of connected MCP servers.

MEDIUM

Typosquatting

Detects suspicious server names mimicking official packages.

MEDIUM

Permissions

Audits requested capabilities (filesystem, network, shell).

MEDIUM

Env Leakage

Prevents exposure of sensitive environment variables.

LOW

AST Analysis

Deep static analysis of server source code.

LOW

Transport Security

Enforces TLS and secure communication protocols.

LOW

Registry Trust

Validates servers against known-good MCP registries.

LOW

License Compliance

Scans for incompatible or risky open-source licenses.

MEDIUM

Network Egress

Flags suspicious outbound connections, obfuscated URLs, and raw IPs.

MEDIUM

Data Flow

Traces sensitive data movement from local sources to external sinks.

MEDIUM

Data Controls

Audits PII handling, retention gaps, and privacy control coverage.

17+ AI Tool Client Support

mcp-scan works across desktop apps, editors, CLIs, and coding tools that expose Model Context Protocol configurations.

Claude Desktop

Claude Code

Cursor

VS Code

Windsurf

Zed

Gemini CLI

Codex CLI

Continue.dev

Amp

Plandex

ChatGPT Desktop

GitHub Copilot

Cline

Roo Code

Kiro

Warp

CI/CD Ready

SARIF & GitHub Actions Integration

Includes a GitHub Action for automated pull request scanning. Outputs SARIF 2.1.0 for native integration with GitHub Advanced Security and other security dashboards.

SARIF 2.1.0GitHub Advanced Security

.github/workflows/security.yml

- name: MCP Security Scan
  uses: rodolfboctor/mcp-scan@v1
  with:
    fail-on-severity: high
    output-format: sarif
    upload-sarif: true

v1.8.0 · MIT LICENSE

Secure by default. Open by design.

mcp-scan is free, open source, and built for the community. Zero telemetry. No vendor lock-in. 136 tests passed. Integrated with the ugig.net MCP marketplace.

16Scanners

136Tests

17+AI Tools

rodolfboctor/mcp-scanMIT Licensed Open Source

Star on GitLab View Repo

npm install -g mcp-scan

npx mcp-scan

Works with

Claude DesktopClaude CodeCursorVS CodeWindsurfZedGemini CLICodex CLIContinue.devAmpPlandexChatGPT DesktopGitHub CopilotClineRoo CodeKiroWarpClaude DesktopClaude CodeCursorVS CodeWindsurfZedGemini CLICodex CLIContinue.devAmpPlandexChatGPT DesktopGitHub CopilotClineRoo CodeKiroWarp

Secured by mcp-scan · Trusted by AI Builders

Secure by default. Open by design.

mcp-scan is free, open source, and built for the community. Zero telemetry. No vendor lock-in. 136 tests passed. Integrated with the ugig.net MCP marketplace.

16Scanners

136Tests

17+AI Tools

rodolfboctor/mcp-scanMIT Licensed Open Source

Star on GitLab View Repo

npm install -g mcp-scan

npx mcp-scan

Works with

Secured by mcp-scan · Trusted by AI Builders