2 releases

new 0.1.1	Feb 7, 2026
0.1.0	Feb 7, 2026

#2743 in Command line utilities

MIT/Apache

205KB
5K SLoC

mcp-scanner

Security scanner and proxy for MCP (Model Context Protocol) servers.

mcp-scanner discovers, scans, and proxies MCP servers configured across your AI tools (Claude Desktop, Cursor, Windsurf, VS Code, and more), detecting security vulnerabilities like prompt injection in tool descriptions, overly broad permissions, and suspicious changes.

Features

Auto-discovery: Finds MCP servers configured in Claude Desktop, Cursor, Windsurf, Zed, Cline, Continue, VS Code, Roo Code, and Claude Code
Security scanning: Detects prompt injection, permission scope issues, missing auth, tool shadowing, and description drift
STDIO proxy: Intercepts tool calls between clients and servers with rule-based filtering
Web dashboard: htmx-powered UI for viewing scan results and managing proxy rules
Audit logging: SQLite-backed logging of all proxied tool calls

Installation

Homebrew (macOS/Linux)

brew install oabraham1/tap/mcp-scanner

Shell Installer

curl -fsSL https://raw.githubusercontent.com/oabraham1/mcp-scanner/main/install.sh | sh

Download Binary

Download pre-built binaries from GitHub Releases.

Cargo (requires Rust)

cargo install mcp-scanner

Build from Source

git clone https://github.com/oabraham1/mcp-scanner
cd mcp-scanner
cargo build --release

Quick Start

# Scan all discovered MCP servers
mcp-scanner scan

# List discovered servers
mcp-scanner list

# Start the web dashboard
mcp-scanner serve

# Proxy a specific server
mcp-scanner proxy --server "npx -y @modelcontextprotocol/server-filesystem /"

CLI Reference

`mcp-scanner scan`

Scan MCP servers for security vulnerabilities.

mcp-scanner scan                           # Scan all discovered servers
mcp-scanner scan --client claude           # Scan only Claude Desktop servers
mcp-scanner scan --server "npx server.js"  # Scan a specific server command
mcp-scanner scan --config ./mcp.json       # Scan servers from config file
mcp-scanner scan --output json             # Output as JSON
mcp-scanner scan --output sarif            # Output as SARIF (for CI integration)

`mcp-scanner list`

List discovered MCP servers.

mcp-scanner list                    # List all servers
mcp-scanner list --client cursor    # List only Cursor servers

`mcp-scanner serve`

Start the web dashboard and API server.

mcp-scanner serve                   # Start on localhost:9191
mcp-scanner serve --port 8080       # Use custom port
mcp-scanner serve --headless        # Don't open browser

`mcp-scanner proxy`

Proxy an MCP server with filtering and audit logging.

mcp-scanner proxy --server "npx -y @modelcontextprotocol/server-filesystem /"

To use the proxy, update your client config to point to mcp-scanner:

{
  "mcpServers": {
    "filesystem": {
      "command": "mcp-scanner",
      "args": ["proxy", "--server", "npx -y @modelcontextprotocol/server-filesystem /"]
    }
  }
}

`mcp-scanner init`

Create default configuration.

mcp-scanner init           # Create ~/.mcp-scanner/config.toml
mcp-scanner init --force   # Overwrite existing config

`mcp-scanner completions`

Generate shell completions.

mcp-scanner completions --shell bash >> ~/.bashrc
mcp-scanner completions --shell zsh >> ~/.zshrc
mcp-scanner completions --shell fish >> ~/.config/fish/completions/mcp-scanner.fish

Threat Categories

mcp-scanner detects the following security issues:

Description Injection (Critical/High)

Prompt injection patterns in tool descriptions, including:

"Ignore previous instructions" patterns
Hidden Unicode characters
Base64-encoded payloads
System prompt injection attempts

Permission Scope (High/Medium)

Overly broad capabilities:

Arbitrary code execution
Root filesystem access
Unrestricted network access
Database query access

No Auth (Critical for remote, Info for local)

Servers without authentication:

Remote servers without auth tokens (Critical)
Local servers without env-based auth (Info)

Tool Shadowing (High/Medium)

Name conflicts across servers:

Exact name collisions
Similar names (potential typosquatting)

Description Drift (High/Medium)

Changes since last scan:

Modified tool descriptions
Added/removed tools

Configuration

Config file location: ~/.mcp-scanner/config.toml

[scan]
timeout = 30  # seconds per server

[output]
format = "table"  # table, json, sarif

API Endpoints

The web server exposes a JSON API:

GET /api/health - Health check
GET /api/servers - List discovered servers
POST /api/scan - Run a scan
GET /api/audit - List audit log entries
GET /api/rules - List proxy rules
POST /api/rules - Create proxy rule
PUT /api/rules/:id - Update proxy rule
DELETE /api/rules/:id - Delete proxy rule

Data Storage

mcp-scanner stores data in ~/.mcp-scanner/:

mcp-scanner.db - SQLite database (audit logs, scan results, rules)
snapshots/ - Tool description snapshots for drift detection
config.toml - Configuration file

Supported Clients

Client	Config Path
Claude Desktop	`~/Library/Application Support/Claude/claude_desktop_config.json` (macOS)
Cursor	`~/.cursor/mcp.json`
Windsurf	`~/.codeium/windsurf/mcp_config.json`
Zed	`~/.config/zed/settings.json`
Cline	`~/.config/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json`
Continue	`~/.continue/config.json`
VS Code	`.vscode/mcp.json`
Roo Code	`~/.config/Code/User/globalStorage/rooveterinaryinc.roo-cline/settings/mcp_settings.json`
Claude Code	`~/.claude/settings.json` or `.mcp.json`

License

Licensed under either of:

Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option.

Dependencies

~44–63MB
~1M SLoC