MCPScanner

Free security scanner for Model Context Protocol servers. Finds auth bypass, injection attacks, SSRF, hardcoded secrets, and 30+ vulnerabilities — in seconds.

MCP Scanner

Security scanner for Model Context Protocol servers. Find vulnerabilities before attackers do.

mcpscanner.dev · hello@mcpscanner.dev


MCP servers are becoming the backbone of AI agent architectures — Claude Code, Cursor, Windsurf, and every tool that speaks the Model Context Protocol. Most are deployed with zero security review. MCP Scanner changes that.

One scan. Auth bypasses, injection vulnerabilities, CORS misconfigs, dangerous tool capabilities, transport weaknesses, and more — scored, graded, and actionable.

What we build

  • MCP Scanner CLI — open-source (Apache 2.0) command-line scanner. Single binary, zero dependencies, runs anywhere. Scan HTTP/SSE endpoints or analyze config files (Claude Desktop, Cursor). Outputs text, JSON, or HTML reports with severity scoring.

  • MCP Scanner (hosted) at mcpscanner.dev — the same engine in your browser. Paste a URL, watch a live scan, get a graded report. No account needed.

  • Playground at playground.mcpscanner.dev — a public, intentionally-vulnerable demo MCP server (/error, /success, /random) to point any scanner at. Open source, Apache 2.0.

What it detects

  • Authentication — unauthenticated access, default/weak credentials
  • Transport — missing TLS, CORS wildcard, CORS origin reflection
  • Tool analysis — filesystem/code-exec/database/network tool detection, parameter inspection, input validation gaps, excessive tool exposure
  • Active probing — path traversal, command injection, SQL injection, SSRF, prompt injection reflection
  • Rate limiting — missing request throttling
  • Config analysis — root execution, dangerous packages, unpinned versions, hardcoded secrets, missing auth

Quick start

# Install — macOS / Linux
brew install mcpscanner/tap/mcpscanner          # Homebrew
curl -fsSL https://install.mcpscanner.dev/install.sh | sh   # or one-liner
go install github.com/mcpscanner/cli@latest     # or from source (Go 1.24+)

# Install — Windows
scoop bucket add mcpscanner https://github.com/mcpscanner/scoop-bucket
scoop install mcpscanner

# Scan an HTTP MCP server
mcpscanner scan https://your-mcp-server.com/mcp

# Scan a config file (Claude Desktop / Cursor format)
mcpscanner scan --config ~/.claude/claude_desktop_config.json

# JSON output for CI/CD
mcpscanner scan https://your-mcp-server.com/mcp --format json

# Try it against the public playground
mcpscanner scan https://playground.mcpscanner.dev/error

Security disclosure

Found a vulnerability in MCP Scanner itself? Report to hello@codelake.dev.

Repositories

| Repo | License | Description |
|------|---------|-------------|
| cli | Apache 2.0 | Command-line scanner — the open-source core |
| playground | Apache 2.0 | Public, intentionally-vulnerable demo MCP server |
| scoop-bucket | | Scoop bucket for the Windows CLI |
| homebrew-tap | | Homebrew tap for the macOS/Linux CLI |

Contact

MCP Scanner is built by codelake Technologies LLC, an Akyros Labs brand. mcpscanner.dev · hello@mcpscanner.dev

Popular repositories

  1. cli (Go) — Security scanner for Model Context Protocol (MCP) servers. Finds auth bypasses, injection vulnerabilities, CORS misconfigs, dangerous tool capabilities, and more. Scan HTTP/SSE endpoints or analyze…

  2. .github — Organization profile

  3. homebrew-tap (Ruby) — Homebrew formula for MCP Scanner CLI

  4. playground (TypeScript) — Public, intentionally-vulnerable + hardened demo MCP server for testing mcpscanner. /error (Grade F), /success (Grade A), /random.

  5. scoop-bucket — Scoop bucket for the MCP Scanner CLI (Windows)