MCP-Scanner

A Python command-line security research tool that uses the Shodan API to discover potentially exposed Model Context Protocol (MCP) servers, probes them over HTTP and Server-Sent Events (SSE), verifies MCP protocol compliance, enumerates available tools/capabilities, and writes JSON/CSV/log outputs.

Evaluated Mar 30, 2026
Tags: Security, ai-security, mcp, shodan, security-scanning, enumeration, http, sse, devtools
Agent Friendliness: 40 / 100 (Can an agent use this?)
Security: 36 / 100 (Is it safe for agents?)
Reliability: 15 / 100 (Does it work consistently?)

Score Breakdown

Agent Friendliness

MCP Quality: 35
Documentation: 55
Error Messages: 0
Auth Simplicity: 95
Rate Limits: 45

Security

TLS Enforcement: 50
Auth Strength: 20
Scope Granularity: 20
Dep. Hygiene: 40
Secret Handling: 55

Authentication is limited to a Shodan API key, which is simple to configure, but nothing is documented about authenticating to the probed MCP endpoints, so servers that require a bearer token or OAuth will simply fail the probe rather than be enumerated. The README has an ethics/disclaimer section and tells users to respect Shodan's rate limits, but it does not document operational safety controls (target caps, timeouts, concurrency bounds), payload minimization, or how errors from probed hosts are handled. Nothing in the provided content evidences dependency pinning or how the API key is stored beyond being passed on the command line.

Reliability

Uptime/SLA: 0
Version Stability: 40
Breaking Changes: 0
Error Recovery: 20

Best When

You have explicit authorization to test endpoints and you need automated discovery + basic protocol/tool enumeration over HTTP/SSE with Shodan-based targeting.

Avoid When

You need a formal, stable API/SDK interface for embedding into other systems, or you need strong operational safety guarantees (the repo content does not document safety limits beyond basic concurrency/rate-limit guidance).

Use Cases

  • Discovering publicly exposed MCP servers for security assessment
  • Verifying whether discovered endpoints properly implement MCP
  • Enumerating advertised MCP tools/capabilities for attack surface mapping
  • Generating reports (JSON/CSV/summary/logs) for governance and risk assessment
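What "verifying MCP compliance" and "enumerating tools" mean at the protocol level, as an added example that is not MCP-Scanner's own code: MCP speaks JSON-RPC 2.0, and a client sends `initialize` (expecting `protocolVersion`, `capabilities` and `serverInfo` back) followed by `tools/list`. The block below assumes the HTTP+SSE transport (an `endpoint` event, then `message` events carrying the replies), assumes request id 1 was `initialize` and id 2 was `tools/list`, and runs entirely offline against a constructed SSE capture; the set of known protocol revisions is the editor's, not the tool's, and the sample server, tools and session id are made up.

```python
"""Added example, not MCP-Scanner's own code: offline MCP compliance check over SSE.
Assumes the HTTP+SSE transport (an `endpoint` event, then `message` events carrying
JSON-RPC 2.0 replies) with request id 1 = initialize and id 2 = tools/list."""
import json

# Protocol revisions published by the MCP specification (editor's list, not the tool's).
KNOWN_PROTOCOL_VERSIONS = {"2024-11-05", "2025-03-26", "2025-06-18"}

def initialize_request(request_id: int = 1) -> dict:
    """The JSON-RPC `initialize` request a client POSTs to the message endpoint."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "initialize",
            "params": {"protocolVersion": "2025-03-26", "capabilities": {},
                       "clientInfo": {"name": "mcp-probe-example", "version": "0.0.1"}}}

def parse_sse(stream: str) -> list[dict]:
    """Split a text/event-stream body into {'event', 'data'} frames. Frames end at a
    blank line, multiple `data:` lines are joined with newlines, ':' lines are comments."""
    events, name, data = [], None, []
    for line in stream.splitlines() + [""]:  # trailing "" flushes an unterminated frame
        if line == "":
            if data:
                events.append({"event": name or "message", "data": "\n".join(data)})
            name, data = None, []
        elif line.startswith("event:"):
            name = line[6:].strip()
        elif line.startswith("data:"):
            data.append(line[5:].removeprefix(" "))
        # anything else (":" keep-alives, id:, retry:) is ignored
    return events

def check_initialize_result(msg: dict, expected_id: int = 1) -> tuple[bool, list[str]]:
    """Return (compliant, problems) for a reply that should be an MCP initialize result."""
    problems = []
    if msg.get("jsonrpc") != "2.0":
        problems.append("jsonrpc field is not '2.0'")
    if msg.get("id") != expected_id:
        problems.append("reply id does not match the initialize request id")
    if "error" in msg:
        problems.append(f"server returned a JSON-RPC error: {msg['error']}")
    result = msg.get("result")
    if not isinstance(result, dict):
        return False, problems + ["no result object"]
    if result.get("protocolVersion") not in KNOWN_PROTOCOL_VERSIONS:
        problems.append(f"unknown protocolVersion {result.get('protocolVersion')!r}")
    if not isinstance(result.get("capabilities"), dict):
        problems.append("missing capabilities object")
    if not isinstance(result.get("serverInfo"), dict) or "name" not in result["serverInfo"]:
        problems.append("missing serverInfo.name")
    return not problems, problems

def enumerate_tools(tools_list_reply: dict) -> list[dict]:
    """Flatten a tools/list result into rows for JSON/CSV output (name, description, params)."""
    rows = []
    for tool in tools_list_reply.get("result", {}).get("tools", []):
        props = (tool.get("inputSchema") or {}).get("properties") or {}
        rows.append({"name": tool.get("name"),
                     "description": (tool.get("description") or "")[:80],
                     "params": ",".join(sorted(props))})
    return rows

def probe_from_stream(stream: str) -> dict:
    """Judge a captured SSE body: is it MCP, and which tools does it advertise?"""
    events = parse_sse(stream)
    endpoint = next((e["data"] for e in events if e["event"] == "endpoint"), None)
    problems, replies = [], {}
    for e in events:
        if e["event"] != "message":
            continue
        try:
            reply = json.loads(e["data"])
        except json.JSONDecodeError:
            reply = None
        if not isinstance(reply, dict):
            problems.append("message frame is not a JSON object (probably not MCP)")
            continue
        replies[reply.get("id")] = reply
    problems += check_initialize_result(replies.get(1, {}), expected_id=1)[1]
    compliant = not problems
    return {"message_endpoint": endpoint, "mcp_compliant": compliant, "problems": problems,
            "tools": enumerate_tools(replies.get(2, {})) if compliant else []}

# Constructed sample stream (not a real capture): endpoint frame, a keep-alive comment,
# the initialize reply, then a multi-line tools/list reply.
SAMPLE_SSE = (
    "event: endpoint\ndata: /messages?sessionId=abc123\n\n"
    ": keep-alive\n"
    "event: message\n"
    'data: {"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2025-03-26",'
    '"capabilities":{"tools":{"listChanged":true}},'
    '"serverInfo":{"name":"demo-server","version":"0.1.0"}}}\n\n'
    "event: message\n"
    'data: {"jsonrpc":"2.0","id":2,"result":{"tools":[\n'
    'data:  {"name":"read_file","description":"Read a file","inputSchema":'
    '{"type":"object","properties":{"path":{"type":"string"}}}},\n'
    'data:  {"name":"run_shell","description":"Execute a shell command","inputSchema":'
    '{"type":"object","properties":{"cmd":{"type":"string"},"cwd":{"type":"string"}}}}]}}\n\n'
)

if __name__ == "__main__":
    print(json.dumps(initialize_request(), indent=2))
    print(json.dumps(probe_from_stream(SAMPLE_SSE), indent=2))
```

A host that answers the `initialize` POST with HTML, a non-JSON frame, a mismatched id, or an unknown `protocolVersion` is reported as non-compliant with the reasons listed, which is the distinction the scanner's "verify MCP compliance" step needs to make before any tool enumeration is trusted; the `params` column is what turns a tool list into an attack-surface map (a `run_shell` tool taking `cmd` and `cwd` deserves more attention than `read_file`).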

Not For

  • Unauthorized scanning of systems you do not own or have permission to test
  • Production/continuous monitoring without clear controls (it is presented as a research scanner)
  • Use as a general-purpose MCP client SDK or high-level integration library

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: No
Webhooks: No

Authentication

Methods: Shodan API key via --api-key
OAuth: No
Scopes: No

The only authentication is to Shodan; no mechanism is documented for authenticating to the probed MCP endpoints, so servers behind a bearer token or OAuth will not be enumerated. A key passed as a command-line argument is visible in process listings and shell history, so check whether the tool can also read it from an environment variable or config file before scripting it.

Pricing

Free tier: No
Requires credit card: No

No pricing beyond reliance on the Shodan API.

Agent Metadata

Pagination: none
Idempotent: false
Retry guidance: not documented

Known Gotchas

  • This is a CLI scanning tool, not a stable machine-to-machine API—agents must run subprocesses and parse output files.
  • Shodan rate limits/quotas may apply; README urges respecting rate limits but does not provide detailed retry/backoff behavior.
  • Target enumeration uses many Shodan filters; agents may unintentionally generate large scanning workloads if not constrained.
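The last two gotchas (undocumented retry/backoff and unbounded scan workload) are what a wrapper around this tool, or any Shodan-driven scanner, has to supply itself. The block below is an added example by the editor, not MCP-Scanner's code: it honours `Retry-After` when present, falls back to full-jitter exponential backoff otherwise, de-duplicates ip:port pairs across pages, and stops at hard caps on targets and pages. Nothing here calls Shodan; `FakeShodan` is a constructed stand-in that only mimics the `ip_str`/`port` shape of Shodan `matches` entries and a 429-style error, and the sleep function is injected so the example records delays instead of waiting.

```python
"""Added example, not MCP-Scanner's own code: capped target collection with retry/backoff.
Nothing here calls Shodan; `FakeShodan` only mimics the shape of `matches` entries
(ip_str, port) and a 429-style rate-limit error so the logic can run offline."""
import random

_RNG = random.Random(0)  # seeded so the example is deterministic

class RateLimited(Exception):
    """Raised by the client when the API answers 429; carries Retry-After if present."""
    def __init__(self, retry_after=None):
        super().__init__("rate limited")
        self.retry_after = retry_after

def backoff_delay(attempt: int, base: float = 1.0, cap: float = 30.0, rng=_RNG) -> float:
    """Full-jitter exponential backoff: uniform(0, min(cap, base * 2**attempt))."""
    return rng.uniform(0.0, min(cap, base * (2 ** attempt)))

def with_retry(call, max_attempts: int = 5, sleep=None):
    """Call `call()`, sleeping on RateLimited; honours Retry-After, else jittered backoff."""
    sleep = sleep or (lambda seconds: None)  # inject time.sleep in real use
    for attempt in range(max_attempts):
        try:
            return call()
        except RateLimited as exc:
            if attempt == max_attempts - 1:
                raise  # give up rather than hammer the API forever
            sleep(exc.retry_after if exc.retry_after is not None else backoff_delay(attempt))

def collect_targets(search_page, max_targets: int, max_pages: int, sleep=None) -> list[dict]:
    """Page through search results, de-duplicating ip:port and stopping at hard caps so a
    broad query cannot silently turn into thousands of probes."""
    seen, targets = set(), []
    for page in range(1, max_pages + 1):
        matches = with_retry(lambda: search_page(page), sleep=sleep)
        if not matches:
            break  # no more results
        for m in matches:
            key = (m["ip_str"], m["port"])
            if key in seen:
                continue
            seen.add(key)
            targets.append({"ip": m["ip_str"], "port": m["port"], "page": page})
            if len(targets) >= max_targets:
                return targets
    return targets

class FakeShodan:
    """Constructed stand-in: first call is rate limited (Retry-After 2s), then three pages
    of results with one duplicate across pages, then an empty page."""
    def __init__(self):
        self.calls = 0
    def search_page(self, page: int) -> list[dict]:
        self.calls += 1
        if self.calls == 1:
            raise RateLimited(retry_after=2.0)
        pages = {
            1: [{"ip_str": "192.0.2.10", "port": 8080}, {"ip_str": "192.0.2.11", "port": 3000}],
            2: [{"ip_str": "192.0.2.11", "port": 3000}, {"ip_str": "198.51.100.5", "port": 8000}],
            3: [{"ip_str": "203.0.113.7", "port": 8080}],
        }
        return pages.get(page, [])

def demo(max_targets: int = 10, max_pages: int = 10) -> tuple[list[float], list[dict]]:
    """Run the collector against FakeShodan, recording every sleep instead of waiting."""
    slept = []
    fake = FakeShodan()
    targets = collect_targets(fake.search_page, max_targets, max_pages, sleep=slept.append)
    return slept, targets
```

With `max_targets` set to the number of hosts you are actually authorized to probe, a typo in a Shodan filter produces a short list rather than a large unplanned scan, and the recorded sleeps make the backoff behaviour testable without touching the network.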


Scores are editorial opinions as of 2026-03-30.
