{"id":"apisec-inc-mcp-audit","name":"mcp-audit","af_score":30.2,"security_score":39.5,"reliability_score":32.5,"what_it_does":"mcp-audit is a Python CLI (and web app) that scans for Model Context Protocol (MCP) configurations across developer tools and GitHub repos, detecting potential exposures such as secrets (API keys/tokens/DB URLs), connected APIs/endpoints, configured AI models, and risk flags (e.g., shell/filesystem access). It can export reports in multiple formats (JSON, SARIF, CycloneDX, etc.) and can be used in CI to fail builds on critical findings.","best_when":"You need org-wide, pre-launch visibility into MCP configuration files (in repos and on developer machines) to identify risky connections/secrets and produce standardized security reports.","avoid_when":"You require runtime guarantees, detection of secrets exclusively present in live process memory/remote secret managers, or you need comprehensive coverage for custom/non-standard config locations without additional setup.","last_evaluated":"2026-03-30T13:42:11.718744+00:00","has_mcp":false,"has_api":false,"auth_methods":[],"has_free_tier":false,"known_gotchas":["The tool focuses on static config files; agents should not assume it will detect secrets that only exist at runtime.","GitHub scanning effectiveness depends on the PAT scope/credentials available to the scan.","Coverage gaps may occur for custom config locations, non-standard MCP config file paths, or configs sourced from secret managers."],"error_quality":0.0}