{"id":"sahiloj-mcpscan","name":"MCPScan","homepage":null,"repo_url":"https://github.com/sahiloj/MCPScan","category":"security","subcategories":[],"tags":["mcp","llm-security","security-audit","cli","supply-chain","tool-poisoning","ssrf","rce","credential-leak","static-analysis","sarif","nodejs","typescript"],"what_it_does":"MCPScan (mcpscan) is a CLI tool that discovers and audits Model Context Protocol (MCP) servers/configs and checks for security issues such as tool poisoning, credential leakage, overprivileged capability combinations, missing authentication, session hijacking indicators, SSRF vectors, RCE vectors, and supply-chain/CVE-related risks. It supports scanning stdio MCP servers (spawned via a command), scanning HTTP/SSE MCP endpoints, and optionally probing localhost for exposed HTTP MCP servers; outputs include terminal, JSON, and SARIF.","use_cases":["Pre-deployment security review of MCP servers/tools and agent configurations","CI/CD security scanning with SARIF output","Monitoring for credential leakage or dangerous capability patterns in MCP tool schemas","Assessing network-exposed MCP endpoints (HTTP/SSE) and local exposures","Supply-chain hygiene checks for MCP-related dependencies and version ranges"],"not_for":["Acting as an exploit tool or penetration framework to compromise systems (it is an auditor)","Compliance certifications or legal security attestations","Coverage assurance for all MCP implementations/edge cases not included in its check set","Replacing secure configuration/defense-in-depth for production MCP deployments"],"best_when":"You need an automated, repeatable static/dynamic-ish inspection pass over MCP server configurations and endpoints, especially in CI where you can capture machine-readable findings (JSON/SARIF).","avoid_when":"You cannot run it safely in an environment where it may spawn/inspect local MCP servers or probe network endpoints; or where you need formal verification of vulnerabilities beyond heuristic/static checks.","alternatives":["Open-source MCP security guidelines/checklists (manual review)","Custom scripts using the MCP SDK and your own policy checks","SAST-style tools adapted to MCP schemas/tool metadata","General web security scanners for HTTP/SSE endpoints (not MCP-specific)"],"af_score":48.5,"security_score":30.2,"reliability_score":30.0,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T15:36:37.610265+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":false,"mcp_server_url":null,"has_sdk":true,"sdk_languages":["TypeScript"],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["None specified (CLI tool)"],"oauth":false,"scopes":false,"notes":"Authentication/authorization is not described as a product feature; the tool scans/inspects MCP servers/targets that may be unauthenticated or authenticated depending on the target. The README does not document auth flows, tokens, or required credentials for mcpscan itself."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing model described; appears to be an open-source CLI distributed under MIT."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":48.5,"security_score":30.2,"reliability_score":30.0,"mcp_server_quality":35.0,"documentation_accuracy":70.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":100.0,"rate_limit_clarity":0.0,"tls_enforcement":20.0,"auth_strength":20.0,"scope_granularity":20.0,"dependency_hygiene":55.0,"secret_handling":45.0,"security_notes":"Security-relevant behavior: it performs auditing that may involve enumerating tool metadata and probing endpoints; it could also detect credential leakage patterns. The README does not document how secrets are handled in logs/reports (e.g., redaction), nor does it describe transport security requirements (TLS enforcement) because targets/URLs are provided by the user. Dependency list is small/typical for a CLI; no CVE status is provided.","uptime_documented":0.0,"version_stability":30.0,"breaking_changes_history":30.0,"error_recovery":60.0,"idempotency_support":"true","idempotency_notes":"Scan/discovery operations are expected to be non-destructive; however, the README does not explicitly state idempotency or side-effect guarantees beyond logging/reporting and connection timeouts.","pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Relies on local config discovery paths and may scan unintended MCP configs if --all-configs is used broadly","Running with --command spawns a stdio server (potential side effects depend on the spawned command/server)","Network probing (--network) can hit localhost ports and may require safe scanning contexts","Coverage depends on implemented checks and transport parsing (stdio vs HTTP/SSE); unsupported MCP server behaviors may result in incomplete findings"]}}