{"id":"rodolfboctor-mcp-scan","name":"mcp-scan","af_score":54.5,"security_score":75.5,"reliability_score":27.5,"what_it_does":"mcp-scan is a locally-run CLI security scanner for Model Context Protocol (MCP) server configurations. It auto-detects configurations for multiple AI tool clients and performs checks such as secret exposure, prompt injection risk, supply-chain/package risk, data exfiltration indicators, and permission/transport issues. It can output JSON and integrate with GitHub Actions via SARIF.","best_when":"When you need offline, local static/config security scanning of MCP server setups for multiple developer tools, and want CI integration for ongoing governance.","avoid_when":"Avoid using it as your only control for environments requiring strong guarantees against active exfiltration; use additional sandboxing/egress controls and runtime monitoring.","last_evaluated":"2026-03-30T15:33:03.269878+00:00","has_mcp":false,"has_api":false,"auth_methods":["None (local CLI)"],"has_free_tier":false,"known_gotchas":["As a local CLI, it may rely on local filesystem/config paths and tool-specific locations; agents may need to run in the correct environment/working directory.","Static detection may produce false positives/negatives; policy thresholds should be tuned.","GitHub Action integration may depend on repository workflow permissions to upload SARIF."],"error_quality":0.0}