Show HN: Open-source security scanner for MCP (Model Context Protocol) servers

2 points | neuralweaves | 11 days ago | npmjs.com

MCP servers let AI assistants (Claude, Copilot, Cursor) interact with databases, APIs, and filesystems. I've been reviewing a lot of these — both open-source and internal — and keep finding the same issues: hardcoded API keys, eval() on user input, SQL injection via string concatenation, wildcard permissions, disabled TLS.

So I built a static analysis scanner specifically for MCP servers. It runs 7 analyzers (secrets, static code, prompt injection, SQL/command injection, permissions, network, dependencies) and takes ~45ms on a typical server.

Usage:

  npx mcp-security-auditor scan ./my-mcp-server

No account, runs locally. Outputs text, JSON, SARIF (for GitHub Security tab), HTML, or Markdown. Has a CI mode that exits non-zero above a severity threshold.

Available on both npm and PyPI. MIT licensed.

npm: https://www.npmjs.com/package/mcp-security-auditor

PyPI: https://pypi.org/project/mcp-security-auditor/

Dev.to writeup with examples: https://dev.to/prabhu_raja_fe2261464cb8e/how-to-scan-your-mc...

Would love feedback on detection patterns — there are definitely gaps I haven't covered yet.
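
An added illustration, not part of the original post and not code from mcp-security-auditor: a minimal AST-based check for three of the issue classes the post lists (eval() on non-literal input, SQL built by string concatenation, disabled TLS verification) in Python sources. The rule names, the `scan` and `is_dynamic_string` helpers and the sample module are all constructed for this example.

```python
import ast

# Constructed sample input: a toy MCP tool module with three of the issues listed in the post.
SAMPLE_SERVER = '''
def lookup_user(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'").fetchall()

def lookup_user_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

def calc(expression):
    return eval(expression)

def fetch(session, url):
    return session.get(url, verify=False)
'''

def is_dynamic_string(node):
    """True when a string is assembled from non-literal parts (+, %, f-string, .format)."""
    builds = (isinstance(node, ast.JoinedStr)
              or (isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)))
              or (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                  and node.func.attr == "format"))
    dynamic = (ast.Name, ast.Attribute, ast.Subscript, ast.Call)
    return builds and any(isinstance(n, dynamic) for n in ast.walk(node))

def scan(source):
    """Return sorted (line, rule) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        # eval()/exec() on anything that is not a literal
        if isinstance(func, ast.Name) and name in ("eval", "exec"):
            if node.args and not isinstance(node.args[0], ast.Constant):
                findings.append((node.lineno, "dynamic-eval"))
        # SQL text built by concatenation or formatting instead of bound parameters
        if name in ("execute", "executemany") and node.args and is_dynamic_string(node.args[0]):
            findings.append((node.lineno, "sql-string-building"))
        # TLS certificate verification switched off via a literal verify=False
        for kw in node.keywords:
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                findings.append((node.lineno, "tls-verify-disabled"))
    return sorted(findings)

if __name__ == "__main__":
    print(*scan(SAMPLE_SERVER), sep="\n")
```

The parameterized query in `lookup_user_safe` is not flagged, because the check looks at how the SQL string is built rather than at the presence of an `execute` call.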
