mcp-scan: Security scanner for MCP server configurations

mcp-scan is a security scanner for MCP (Model Context Protocol) server configurations. MCP servers used with Claude Desktop run with full access to your filesystem and network, making security configuration important.

What mcp-scan checks

The tool scans your MCP configurations for several security issues:

• Secrets and API keys accidentally left in config files
• Known vulnerabilities in MCP packages
• Suspicious permission patterns
• Exfiltration vectors
• Tool poisoning attacks

Supported clients and usage

mcp-scan auto-detects configurations for multiple AI clients including:

• Claude Desktop
• Cursor
• VS Code
• Windsurf
• 6 other AI clients (specific names not provided in source)

The tool is run with a single command:

npx mcp-scan

This type of security scanning is particularly relevant for MCP servers since they often have broad system access when integrated with AI coding assistants. The tool appears to focus on configuration-level security issues rather than runtime vulnerabilities.