@phoenixaihub/mcp-security-scanner
v0.1.0
Published
Security scanner for MCP servers — detect vulnerabilities, CVEs, and attack vectors
Maintainers
phoenixaihubReadme
MCP Security Scanner
Security scanner for MCP servers — detect vulnerabilities, CVEs, and attack vectors before they're exploited.
MCP has 10K+ servers, 97M+ downloads, and 30+ CVEs in the last few months. Zero tooling existed to actively probe MCP servers for known vulnerabilities — until now.
mcpsec connects to any MCP server (stdio or SSE), runs 9 security checks across 7 attack categories, and produces actionable reports in text, JSON, or SARIF format for CI/CD integration.
Why This Exists
The MCP ecosystem is growing faster than its security posture. Known attack vectors include:
- Tool Poisoning — Hidden instructions in tool descriptions that manipulate AI models (Invariant Labs)
- Path Traversal — Tools that read arbitrary files (SSH keys, credentials, configs)
- SSRF — Tools tricked into accessing cloud metadata, internal services
- Rug Pulls — Servers that change behavior after gaining trust
- Cross-Tenant Leaks — Insufficient session isolation between users
Existing tools (Snyk Agent Scan) focus on static analysis of tool descriptions. MCP Security Scanner actively probes servers — it calls tools with adversarial inputs and analyzes responses.
Quick Start
# Install globally
npm install -g @phoenixaihub/mcp-security-scanner
# Scan a stdio MCP server
mcpsec scan npx @some/mcp-server
# Scan with specific command and args
mcpsec scan --command node --args server.js
# Scan an SSE server
mcpsec scan --url http://localhost:3000/sse
# Output SARIF for CI/CD
mcpsec scan npx @some/mcp-server --sarif -o results.sarif
# Output JSON
mcpsec scan npx @some/mcp-server --jsonSecurity Checks
| Check | Category | What It Does |
|-------|----------|-------------|
| Tool Poisoning | tool-poisoning | Detects hidden instructions, suspicious params, encoding tricks, zero-width chars |
| Path Traversal | path-traversal | Probes file-access tools with ../ payloads, checks for sensitive file leaks |
| SSRF | ssrf | Tests URL-accepting tools against cloud metadata, internal IPs, protocol handlers |
| Prompt Injection | prompt-injection | Sends injection payloads through string params, checks for system prompt leaks |
| Permission Escalation | permission-escalation | Tests for shell injection, detects tools with exec/write capabilities |
| Data Exfiltration | data-exfiltration | Identifies tools that can both read data and send it externally |
| Rug Pull | rug-pull | Detects dynamic tool registration, remote configs, mutable descriptions |
| CVE Matching | cve-match | Checks against 10+ known MCP CVEs and security advisories |
| Cross-Tenant | cross-tenant | Tests IDOR via user/tenant ID params, checks for auth mechanisms |
Output Formats
Text (default)
╔══════════════════════════════════════════════════════╗
║ MCP Security Scanner Report ║
╚══════════════════════════════════════════════════════╝
Target: @example/mcp-server
Server: example-server v1.0.0
Tools: 5
Security Score: 45/100
████████████░░░░░░░░ 45%
[CRITICAL] Hidden <IMPORTANT> instruction block in tool "add"
Tool: add
CWE: CWE-94
Fix: Remove hidden instructions from tool descriptions.SARIF (CI/CD)
mcpsec scan npx @some/server --sarif -o results.sarifCompatible with GitHub Code Scanning, Azure DevOps, and any SARIF consumer.
JSON
mcpsec scan npx @some/server --jsonCVE Database
Ships with a curated database of MCP-specific CVEs and security advisories.
# List all known CVEs
mcpsec cve list
# Search CVEs
mcpsec cve search "tool poisoning"
# Get CVE details
mcpsec cve info CVE-2025-49596Configuration Discovery
Auto-discovers MCP server configurations from Claude Desktop, Cursor, VS Code, Windsurf, Claude Code, and OpenClaw:
mcpsec configCI/CD Integration
GitHub Actions
- name: Scan MCP Server
run: |
npx @phoenixaihub/mcp-security-scanner scan \
npx @your/mcp-server \
--sarif -o results.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarifExit Codes
0— No critical or high findings1— Critical or high findings detected2— Scan error
Advanced Usage
# Run specific checks only
mcpsec scan npx @some/server --checks tool-poisoning ssrf
# Skip certain checks
mcpsec scan npx @some/server --skip cve-match
# Set minimum severity
mcpsec scan npx @some/server --severity high
# Custom timeout per check
mcpsec scan npx @some/server --timeout 60000
# Pass environment variables to the server
mcpsec scan --command node --args server.js --env API_KEY=test DB_URL=localhostProgrammatic API
import { Scanner } from '@phoenixaihub/mcp-security-scanner';
const scanner = new Scanner({
transport: 'stdio',
command: 'npx',
args: ['@some/mcp-server'],
format: 'json',
severity: 'info',
timeout: 30000,
});
const result = await scanner.scan();
console.log(`Score: ${result.score}/100`);
console.log(`Findings: ${result.findings.length}`);How It Differs from Snyk Agent Scan
| Feature | MCP Security Scanner | Snyk Agent Scan | |---------|---------------------|-----------------| | Approach | Active probing + static analysis | Static analysis only | | Path traversal | Sends actual payloads | ✗ | | SSRF testing | Tests cloud metadata, internal IPs | ✗ | | Shell injection | Active testing | ✗ | | SARIF output | ✓ | ✗ | | CVE database | Bundled, MCP-specific | ✗ | | Language | TypeScript/Node.js | Python | | CI/CD native | Exit codes + SARIF | ✗ | | Tool poisoning | ✓ (pattern matching) | ✓ (LLM-based) | | Zero LLM dependency | ✓ | Requires API key |
Architecture
┌─────────────┐ ┌──────────────┐ ┌─────────────────┐
│ CLI/API │────▶│ Scanner │────▶│ Security Checks │
└─────────────┘ └──────────────┘ └─────────────────┘
│ │
┌─────▼─────┐ ┌──────▼──────┐
│ MCP Client │ │ CVE Database│
└───────────┘ └─────────────┘
│
┌─────▼─────┐
│ MCP Server │
│ (target) │
└───────────┘Contributing
See CONTRIBUTING.md.
License
MIT — see LICENSE.
Security
If you discover a security vulnerability in this tool, please report it responsibly via GitHub Security Advisories.