npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@agentdefenders/mcp-scan

v0.5.0-alpha

Published

MCP supply chain scanner - detect tool poisoning, prompt injection, and shadowing attacks

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

maruthiprithivimaruthiprithivi

Keywords

mcpsecurityscannerai-agentsupply-chaintool-poisoningprompt-injectionllmmodel-context-protocolowasp

Readme

@agentdefenders/mcp-scan

Security scanner for Model Context Protocol (MCP) server configurations. Detects tool poisoning, prompt injection, shadowing attacks, and known threats.

npm version npm downloads license node

MCP servers extend AI agents with powerful tool-use capabilities, but they also introduce a new attack surface. A compromised or malicious MCP server can exfiltrate data, override agent behavior, or act as a supply chain backdoor. @agentdefenders/mcp-scan analyzes your MCP configurations and flags security issues before they reach production.

All analysis runs locally on your machine. No data is transmitted to any external service. If you want dashboard integration and historical tracking, you can optionally provide --api-key to sync results with AgentDefenders Shield.

Quick Start

npx @agentdefenders/mcp-scan

The scanner auto-detects MCP client configurations across 11 supported clients and analyzes all registered servers.

Example Output

@agentdefenders/mcp-scan v0.2.2-alpha

Scanning MCP configurations...
Found 2 servers across 1 client configuration.

--- filesystem-server ---
  Source: claude_desktop_config.json
  Command: npx -y @modelcontextprotocol/server-filesystem /home/user/projects
  Tools: 11 detected
  Analyzers: 5/5 passed
  Grade: A

--- data-pipeline-mcp ---
  Source: claude_desktop_config.json
  Command: npx -y data-pipeline-mcp@latest
  Tools: 4 detected
  Findings:
    [HIGH] tool-poisoning: Tool "run_query" description contains hidden
           instruction that overrides agent behavior. The phrase "ignore
           previous instructions" was detected in the tool description.
    [LOW]  suspicious-env: Tool "connect" requests access to DATABASE_URL
           environment variable.
  Grade: D

Summary
  Servers scanned: 2
  Total findings:  2 (1 high, 0 medium, 1 low)
  Clean servers:   1
  Flagged servers: 1

Supported MCP Clients

| Client | macOS | Linux | Windows | |---|---|---|---| | Claude Desktop | ~/Library/Application Support/Claude/claude_desktop_config.json | ~/.config/Claude/claude_desktop_config.json | %APPDATA%\Claude\claude_desktop_config.json | | Cursor | ~/.cursor/mcp.json | ~/.cursor/mcp.json | %APPDATA%\Cursor\mcp.json | | VS Code | ~/Library/Application Support/Code/User/mcp.json | ~/.config/Code/User/mcp.json | %APPDATA%\Code\User\mcp.json | | Windsurf | ~/Library/Application Support/Windsurf/User/globalStorage/windsurf.mcp/config.json | ~/.config/Windsurf/User/globalStorage/windsurf.mcp/config.json | %APPDATA%\Windsurf\User\globalStorage\windsurf.mcp\config.json | | Gemini CLI | ~/.gemini/settings.json | ~/.gemini/settings.json | %USERPROFILE%\.gemini\settings.json | | Cline | ~/Library/Application Support/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json | ~/.config/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json | %APPDATA%\Code\User\globalStorage\saoudrizwan.claude-dev\settings\cline_mcp_settings.json | | JetBrains / Junie | ~/.junie/mcp/mcp.json | ~/.junie/mcp/mcp.json | %USERPROFILE%\.junie\mcp\mcp.json | | Continue.dev | ~/.continue/config.yaml | ~/.continue/config.yaml | %USERPROFILE%\.continue\config.yaml | | Google Antigravity | ~/.gemini/antigravity/mcp_config.json | ~/.gemini/antigravity/mcp_config.json | %USERPROFILE%\.gemini\antigravity\mcp_config.json | | Zed | ~/.zed/settings.json | ~/.config/zed/settings.json | %APPDATA%\Zed\settings.json | | Amazon Q Developer | ~/.aws/amazonq/default.json | ~/.aws/amazonq/default.json | %USERPROFILE%\.aws\amazonq\default.json |

You can also point to a specific config file with --config <path>.

Security Analyzers

| Analyzer | Description | |---|---| | tool-poisoning | Detects hidden instructions in tool descriptions that attempt to override agent behavior or exfiltrate data. | | prompt-injection | Identifies prompt injection patterns in server metadata, tool names, and parameter schemas. | | shadowing | Flags tools that shadow or redefine built-in tool names, potentially hijacking agent actions. | | suspicious-env | Reports tools that request access to sensitive environment variables (credentials, tokens, keys). | | known-threats | Checks server packages against a curated database of known-malicious MCP servers. |

Output Formats

The default output is a human-readable console report. For automation, use structured formats:

# JSON output
npx @agentdefenders/mcp-scan --format json

# SARIF output (for GitHub Code Scanning and other SARIF consumers)
npx @agentdefenders/mcp-scan --format sarif

CI/CD Integration

Add MCP configuration scanning to your CI pipeline. The --ci flag outputs GitHub Actions annotations, writes a markdown step summary, and defaults to --fail-on high.

GitHub Actions (recommended)

- name: Scan MCP configurations
  run: npx @agentdefenders/mcp-scan --ci

This will:

  • Print findings as ::error:: / ::warning:: annotations in the Actions log
  • Write a markdown summary to the job summary tab
  • Exit with code 1 if any HIGH or CRITICAL findings are detected

GitHub Actions with SARIF upload

- name: Scan MCP configurations
  run: npx @agentdefenders/mcp-scan --format sarif --fail-on high > mcp-scan.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: mcp-scan.sarif

Other CI platforms

npx @agentdefenders/mcp-scan --quiet --fail-on high

CLI Reference

| Flag | Description | Default | |---|---|---| | --config <path> | Path to a specific MCP client configuration file. | Auto-detect | | --format <type> | Output format: console, json, sarif. | console | | --fail-on <severity> | Exit with code 1 if any finding meets or exceeds severity: low, medium, high, critical. | Disabled (high in CI mode) | | --ci | CI mode: GitHub Actions annotations, step summary, no prompts. Implies --quiet. | Disabled | | --api-key <key> | AgentDefenders API key for dashboard sync. Enables remote result storage. | None | | --watch | Continuously monitor configuration files for changes and re-scan on modification. | Disabled | | --interval <seconds> | Polling interval in seconds when using --watch. | 30 | | --quiet | Suppress all output except findings and errors. | Disabled | | --badge | Generate a shield badge URL for your project README. | Disabled |

Privacy

All analysis runs locally on your machine. No data is sent to any external service unless you explicitly provide --api-key for dashboard integration.

Links

License

MIT