Discover and audit MCP servers for security vulnerabilities across Claude Code, Cursor, VS Code, and more

7 stars · Go

Golf Scanner – OSS tool to find and audit every MCP server

by antonig·Mar 8, 2026·3 points·0 comments

AI Analysis

●●● Banger · Solve My Problem · Big Brain

Closes the MCP server discovery gap that shadow-IT has made critical.

Strengths
  • Tackles a genuine gap: MCP discovery/audit didn't exist before — solves real shadow-IT risk for agents.
  • 20-check battery spanning offline (command injection, credentials) and online (OSV, npm, PyPI, OCI) signals.
  • Single Go binary, zero telemetry, runs offline—enterprise security team trust-builder.
Weaknesses
  • Limited to 7 IDEs; coverage gaps if engineers use unlisted tools or custom setups.
  • Risk scoring methodology not detailed; unclear how severity weights and hard caps are calibrated.
Category
Target Audience

Engineering security teams, developers managing AI tool integration in enterprises

Similar To

Snyk · Dependabot · Bridgekeeper (MCP-aware agent policies)

Post Description

Hey HN, I'm Antoni, CTO and cofounder of Golf (YC X25). We're open-sourcing our MCP server scanner: a single Go binary that discovers every MCP server configured across your IDEs and runs security checks against each one. Just `brew install golf-mcp/tap/golf-scanner && golf-scanner audit`.

We built this because we kept seeing the same thing at companies we work with: engineers install MCP servers in 30 seconds: connect Cursor to a production database, give Claude Code access to internal APIs, spin up an MCP server for Jira. And nobody on the security side knows it happened. There's no discovery mechanism. It's shadow IT, except now the "user" is an autonomous agent making tool calls on its own.

When you run `golf-scanner audit`, it scans your IDE and AI tool configs (user-level and per-project), identifies every MCP server, classifies each one by transport type, and runs ~15 security checks: command injection patterns in server args, hardcoded credentials, dangerous container configurations, script and binary permission issues, and known vulnerabilities via OSV for npm/PyPI packages. Everything is pure Go, single static binary. It produces a 0-100 risk score per server with severity-weighted findings.

The thing that motivated us to build this, and what we think the industry is getting wrong more broadly: most "AI security" tooling is actually LLM security: prompt injection detection, output filtering, guardrails on the model API layer. That protects one layer. But when someone connects Cursor to a production database via MCP, the risk isn't what the model says… it's what the agent does. The tool calls, the data access, the system connections happening downstream of the LLM. Your LLM guardrails won’t protect any of that. It's like putting a firewall on your CDN and calling your database secured. The threat model for an MCP-connected agent is closer to an unmanaged service account than a SaaS app. That's a fundamentally different security problem.

The scanner is one piece of Golf, our commercial product, an enterprise MCP control plane for managing agent tool access across your org. The platform runs the same scanner across your fleet via MDM, adds deeper checks (deep analysis of server source code for local servers, capabilities analysis for remote ones, rug-pull detection, toxic tool combinations etc.), and ties everything into a centralized inventory with access policies, PII scrubbing, and SIEM forwarding. Then you route all approved servers through our gateway to close the loop.

But if you just want to know "what MCP servers are on my machine and which ones look sketchy," that's the free tool.

    brew install golf-mcp/tap/golf-scanner
    golf-scanner audit

I'd genuinely love to hear from enterprise folks: How are you thinking about securing MCP servers and agent tool access today? What's missing from the current tooling?
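
The kind of config audit the post describes, as an added Go example that is not Golf Scanner's code: it parses a constructed `mcpServers` config, labels each server `stdio` or `http`, and flags shell metacharacters in args and literal secrets in env. The regexes, the rule that a `$`-prefixed env value is a reference rather than a literal, and every server, host and package name are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)
// Illustrative heuristics (assumptions), not Golf Scanner's actual rules.
var shellMeta = regexp.MustCompile("[;&|`]|\\$\\(")
var secretName = regexp.MustCompile(`(?i)token|secret|password|api_?key`)
// Constructed sample in the "mcpServers" layout; host and package names are made up.
const sampleConfig = `{"mcpServers": {
  "jira": {"url": "https://mcp.example.internal/jira"},
  "pgdb": {"command": "sh", "args": ["-c", "pg-mcp --dsn $DSN | tee /tmp/log"],
           "env": {"DB_PASSWORD": "constructed-pw", "PG_TOKEN": "${PG_TOKEN}"}}}}`
// Audit maps "name [transport]" to that server's sorted findings.
func Audit(config []byte) (map[string][]string, error) {
	var doc struct {
		Servers map[string]struct {
			Args []string          `json:"args"`
			Env  map[string]string `json:"env"`
			URL  string            `json:"url"`
		} `json:"mcpServers"`
	}
	if err := json.Unmarshal(config, &doc); err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for name, s := range doc.Servers {
		key, found := name+" [stdio]", []string{}
		if s.URL != "" {
			key = name + " [http]" // remote server: a URL instead of a local command
		}
		for _, a := range s.Args {
			if shellMeta.MatchString(a) {
				found = append(found, fmt.Sprintf("shell metacharacter in arg %q", a))
			}
		}
		for k, v := range s.Env {
			if secretName.MatchString(k) && v != "" && v[0] != '$' { // "$VAR" is a reference
				found = append(found, "hardcoded secret in env "+k)
			}
		}
		sort.Strings(found)
		out[key] = found
	}
	return out, nil
}
func main() { fmt.Println(Audit([]byte(sampleConfig))) }
```

On the sample, `jira` comes back as `http` with no findings, while `pgdb` is flagged for the piped shell argument and the literal `DB_PASSWORD`; `PG_TOKEN` is not flagged because its value is an environment reference.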

Similar Projects

Security · ●● Solid

MCP-scan – Security scanner for MCP server configs

First security scanner for MCP configs as the protocol gains adoption.

Niche Gem · Ship It
AbanoubRodolf
102mo ago
Security · ●●● Banger

IDEViewer – Security scanner for malicious IDE Extensions

Scans bundled node_modules inside extensions where standard SCA tools can't see.

Big Brain · Solve My Problem
securient
3023d ago
Security · ●● Solid

Security Scanner for Agent Skills and MCP

Finally a security linter for MCP configs before you accidentally execute a prompt injection payload.

Solve My Problem · Ship It
lirantal
701mo ago
Security · ●●● Banger

Aidevshield NPM audit for AI coding tool workflows

Scans Cursor/Cline/GitHub Actions for prompt injection and supply chain attacks—aidevshield catches real exploits.

Solve My Problem · Big Brain
GrimLabs
103mo ago