npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

mcp-security-auditor

v1.0.2

Published

Security scanner for MCP (Model Context Protocol) servers. Detect vulnerabilities, secrets, injection risks, and misconfigurations before deployment.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

prabhuraja11prabhuraja11

Keywords

mcpmodel-context-protocolsecurityauditscannervulnerabilityaillmclaudecopilotcursordevsecopssastsecrets-detectionprompt-injectionci-cd

Readme

🛡️ MCP Security Auditor

Security scanner for MCP (Model Context Protocol) servers. Detect vulnerabilities, hardcoded secrets, injection risks, and misconfigurations before deployment.

Works with TypeScript, JavaScript, and Python MCP servers built with any framework (official MCP SDK, FastMCP, etc).

npx mcp-security-auditor scan ./my-mcp-server

Why?

MCP servers give AI assistants (Claude, Copilot, Cursor) access to databases, APIs, filesystems, and more. A single misconfigured server can expose your entire infrastructure. This tool catches security issues before they reach production.

Quick Start

Zero install — scan any MCP server:

npx mcp-security-auditor scan ./my-mcp-server

Or install globally:

npm install -g mcp-security-auditor
mcp-audit scan ./my-mcp-server

What It Detects

| Analyzer | What It Finds | |----------|--------------| | secrets | API keys, passwords, tokens, private keys, AWS/GitHub/OpenAI/Anthropic credentials | | static | eval(), exec(), command execution, unsafe deserialization, file system writes | | injection | Prompt injection, SQL injection, template injection, NoSQL injection | | permissions | Wildcard permissions, missing auth, root filesystem access, disabled security | | network | Insecure HTTP, SSRF, TLS bypass, CORS wildcard, binding to all interfaces | | config | Debug mode, stack trace exposure, missing .env templates, hardcoded ports | | dependencies | Wildcard versions, typosquatting, missing lockfiles, suspicious packages |

Output Formats

# Terminal (default, with colors)
mcp-audit scan ./server

# HTML report (shareable, dark theme)
mcp-audit scan ./server -f html -o report.html

# JSON (programmatic use)
mcp-audit scan ./server -f json -o results.json

# SARIF (GitHub Security, Azure DevOps)
mcp-audit scan ./server -f sarif -o results.sarif

# Markdown (docs, README badges)
mcp-audit scan ./server -f markdown -o report.md

CI/CD Integration

GitHub Actions

name: MCP Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx mcp-security-auditor ci . --fail-on high -o results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: results.sarif

GitLab CI

mcp-security:
  script:
    - npx mcp-security-auditor ci . --fail-on high -f json -o mcp-audit.json
  artifacts:
    reports:
      security: mcp-audit.json

Azure DevOps

- script: npx mcp-security-auditor ci . --fail-on high -f sarif -o $(Build.ArtifactStagingDirectory)/mcp-audit.sarif
  displayName: 'MCP Security Scan'

Pre-commit Hook

# .git/hooks/pre-commit
npx mcp-security-auditor ci . --fail-on critical

CLI Reference

mcp-audit scan <path>           Scan an MCP server directory
mcp-audit ci <path>             CI/CD mode (SARIF, exits non-zero on findings)
mcp-audit analyzers             List available analyzers
mcp-audit --version             Show version

Options:
  -f, --format <format>         text | json | sarif | html | markdown
  -o, --output <file>           Write report to file
  --fail-on <severity>          Exit 1 if findings >= severity (critical|high|medium|low)
  -a, --analyzers <list>        Run specific analyzers (comma-separated)
  -V, --verbose                 Detailed scan progress
  --no-color                    Disable colors

Programmatic API

import { scan, generateReport } from "mcp-security-auditor";

const result = scan({ path: "./my-mcp-server", format: "json" });

console.log(`Found ${result.summary.total} issues`);
console.log(`Critical: ${result.summary.critical}`);

// Generate HTML report
const html = generateReport(result, "html");

Supported MCP Frameworks

  • @modelcontextprotocol/sdk (Official TypeScript SDK)
  • FastMCP (Python)
  • mcp-python-sdk (Official Python SDK)
  • Any custom MCP server implementation

Example Output

╔══════════════════════════════════════════════════════╗
║         MCP Security Auditor - Scan Report          ║
╚══════════════════════════════════════════════════════╝

Server:    my-mcp-server v1.0.0
Language:  typescript
Framework: mcp-sdk
Transport: stdio
Tools:     3 detected [query_db, write_file, run_command]
Files:     12 source files scanned
Duration:  45ms

Summary: 8 findings
  🔴 Critical: 2
  🟠 High:     3
  🟡 Medium:   2
  🔵 Low:      1

─── Findings ───────────────────────────────────────────

 CRITICAL  Hardcoded API Key  [secrets-api-key]
  API key found hardcoded in source code. Use environment variables instead.
  at src/config.ts:15
  CWE: CWE-798

 HIGH  Use of eval()  [static-eval]
  eval() executes arbitrary code and is a major security risk.
  at src/handler.ts:42
  CWE: CWE-95

Also Available on PyPI

pip install mcp-security-auditor
mcp-audit scan ./my-mcp-server

Contributing

Issues and PRs welcome! See CONTRIBUTING.md.

License

MIT