npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

mcp-security-linter

v1.4.2

Published

Static analysis tool for MCP repository security vulnerabilities

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

fonckifoncki

Keywords

mcpsecuritylinterstatic-analysisgithub-actionmodel-context-protocolai-detectionsecurity-scannercode-analysisvulnerability-scanner

Readme

MCP Security Linter

npm version npm downloads License: MIT

Static analysis tool for Model Context Protocol (MCP) repository security vulnerabilities.

Overview

This linter implements 3 of the 5 security checks recommended by Anthropic for MCP servers. It uses advanced static analysis (taint tracking, control flow analysis) to detect vulnerabilities with high precision and low false positives.

Features

Currently Implemented (Advanced Analysis)

  1. Dangerous Command Execution Detection

    • Technique: Recursive Taint Analysis
    • Detects: Command injection via exec, spawn, eval, vm.runInContext.
    • Capabilities: Tracks untrusted input (process.env, function args) through variable assignments, string concatenation, and template literals.
    • Safety: Ignores safe hardcoded commands (e.g., exec('ls -la')).

  2. Token Passthrough Detection

    • Technique: Iterative Taint Analysis (Fixpoint)
    • Detects: Sensitive data (API keys, secrets) passed to logging functions or external network requests.
    • Capabilities: Tracks secrets through complex data flows, including object/array wrapping and ternary operators.
    • Scope: Respects variable scope and shadowing.

  3. Unauthenticated Endpoints Detection

    • Technique: Middleware Stack Simulation
    • Detects: API endpoints exposed without authentication middleware.
    • Capabilities: Understands app.use() order, router mounting hierarchies, and route-specific middleware.

Missing / Planned Analyzers (Anthropic Recommendations)

The following 2 recommended checks are not yet implemented:

  1. OAuth Hygiene Checker
    • Goal: Ensure proper handling of OAuth tokens and scopes.
  2. Argument Validation
    • Goal: Verify that all user inputs are validated before use.

Installation

From NPM (Recommended)

Install globally to use the CLI anywhere:

npm install -g mcp-security-linter

Or add to your project as a dev dependency:

npm install --save-dev mcp-security-linter

Then run:

mcp-lint .                              # Scan current directory
mcp-lint src/ --format json             # Scan src/ with JSON output
mcp-lint --config custom-config.json    # Use custom config

As a GitHub Action

Step 1: Create the workflow directory

In your repository, create the directory structure (if it doesn't exist):

mkdir -p .github/workflows

Step 2: Create a workflow file

Create a new file .github/workflows/mcp-security.yml (you can name it anything ending in .yml):

name: MCP Security Check

on: [push, pull_request]

jobs:
  security-lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: fonCki/mcp-security-linter@master
        with:
          path: '.'
          fail-on-warnings: true

Step 3: Commit and push

git add .github/workflows/mcp-security.yml
git commit -m "Add MCP security linter workflow"
git push

The action will now run automatically on every push and pull request!

For Contributors

If you want to contribute to development:

git clone https://github.com/fonCki/mcp-security-linter.git
cd mcp-security-linter
npm install

See CONTRIBUTING.md for development guidelines.

Usage

CLI

# From the project directory
node src/cli.js                           # Analyze current directory
node src/cli.js src/                      # Analyze specific path
node src/cli.js --format sarif --output results.sarif  # SARIF output
node src/cli.js --config .mcp-lint.json   # Use custom config

Configuration

v1.1.0+ introduces advanced configuration options. See CONFIGURATION.md for the complete guide.

Create .mcp-lint.json (optional):

{
  "command-exec": {
    "enabled": true,
    "severity": "error"
  },
  "token-passthrough": {
    "enabled": true,
    "severity": "warning"
  }
}

Advanced Configuration (v1.1.0+):

  • 📁 Custom file extensions (scan any language)
  • 🧪 Custom test patterns (skip test files)
  • 🚫 Custom exclude patterns (ignore directories)
  • ⚙️ Analyzer-specific overrides

See CONFIGURATION.md for examples and detailed documentation.

Development

# Install dependencies
npm install

# Run tests
npm test

# Run tests with coverage
npm run test:coverage

Team

This project is developed as part of DTU Course 02234 - Research Topics in Cybersecurity.

For detailed team information, contributions, and contact details, see TEAM.md.

Team Members:

  • Melissa Safari (s224818)
  • Zachary Kang (s251598)
  • Alfonso Pedro Ridao (s243942)

License

MIT - See LICENSE file for details