Open-source security scanner for MCP (Model Context Protocol) servers

by neuralweaves · Feb 19, 2026 · 2 points · 0 comments

AI Analysis

●● Solid · Solve My Problem · Dark Horse

MCP-specific guardrails for when the Claude ecosystem lacks native security scanning.

Strengths
  • Targets a real, nascent problem: MCP servers ship with predictable vulns (hardcoded keys, eval, SQL concat)
  • Multi-output formats (SARIF, JSON, HTML, Markdown) + CI mode for pipeline integration
  • Zero friction: local, no signup, ~45ms latency, works on npm and PyPI
Weaknesses
  • Narrow niche: only relevant as MCP adoption grows; LLM Guard and others already do similar checks
  • Surface-level heuristics; semantic injection detection relies on optional Groq API calls
Target Audience

AI/LLM engineers, MCP server developers

Similar To

LLM Guard · Lakera Guard · NeMo Guardrails

Post Description

MCP servers let AI assistants (Claude, Copilot, Cursor) interact with databases, APIs, and filesystems. I've been reviewing a lot of these — both open-source and internal — and keep finding the same issues: hardcoded API keys, eval() on user input, SQL injection via string concatenation, wildcard permissions, disabled TLS.

So I built a static analysis scanner specifically for MCP servers. It runs 7 analyzers (secrets, static code, prompt injection, SQL/command injection, permissions, network, dependencies) and takes ~45ms on a typical server.

Usage:

npx mcp-security-auditor scan ./my-mcp-server

No account, runs locally. Outputs text, JSON, SARIF (for GitHub Security tab), HTML, or Markdown. Has a CI mode that exits non-zero above a severity threshold.

Available on both npm and PyPI. MIT licensed.

npm: https://www.npmjs.com/package/mcp-security-auditor
PyPI: https://pypi.org/project/mcp-security-auditor/
Dev.to writeup with examples: https://dev.to/prabhu_raja_fe2261464cb8e/how-to-scan-your-mc...

Would love feedback on detection patterns — there are definitely gaps I haven't covered yet.

Similar Projects

Security · ●●● Banger

Mcpaudit – static security scanner for MCP servers

First static analyzer for MCP servers catching command injection before you plug it in.

Zero to One · Solve My Problem
allenwu06
3023d ago
Security · ●● Solid

MCPShield – Supply chain security scanner for MCP servers

Think “Snyk for MCP configs”: Levenshtein-based typosquat detection, CVE lookups, hardcoded-credential scans and permission checks, plus CI-friendly exit codes. Auto-discovery for clients like Claude, Cursor and VS Code shows practical attention to workflows. It’s an early release — the value hinges on maintaining the package/CVE databases and tuning detection heuristics.

Niche Gem · Ship It
ethanmizrahi
133mo ago