HN Showcase
Back to browse
GitHub Repository

Static pre-install security scanner for MCP (Model Context Protocol) servers — `npx mcpaudit <path>` flags command injection, credential/env exfiltration into LLM-visible output, over-broad filesystem/tool scope and dynamic eval before you wire a server into your agent.

4 starsJavaScript

Mcpaudit – static security scanner for MCP servers

by allenwu06·May 22, 2026·3 points·0 comments
Visit ProjectView on HN

AI Analysis

●●●BangerZero to OneSolve My Problem

First static analyzer for MCP servers catching command injection before you plug it in.

Strengths
  • Detects specific AI-agent risks like prompt injection via tool output and environment variable leakage.
  • Offline execution with SARIF output enables seamless integration into CI pipelines without API keys.
  • Baseline mode allows teams to accept current risks and fail only on new security regressions.
Weaknesses
  • Static analysis may miss dynamic runtime behaviors or obfuscated payloads in complex plugins.
  • Relies on the MCP ecosystem growing; if the protocol fades, the tool loses relevance.
Category
Security
Target Audience

Developers integrating Model Context Protocol servers into AI agents

Similar To

Semgrep · Bandit · TruffleHog

Similar Projects

Security●●Solid

MCP-scan – Security scanner for MCP server configs

First security scanner for MCP configs as the protocol gains adoption.

Niche GemShip It
AbanoubRodolf
102mo ago