mcp-scan is a vital MCP security scanner, acting as an essential Tool within the MCP ecosystem to safeguard your AI interactions. It proactively scans configured MCP Servers by examining Client configurations (like Claude, Cursor, VSCode) to identify and report common vulnerabilities such as prompt injection, tool poisoning (using Invariant Guardrails), and cross-origin escalation. mcp-scan uniquely features tool pinning, verifying tool integrity via hashing to prevent malicious modifications or "rug pull" attacks. It integrates easily into developer workflows via a simple CLI command, connecting to servers to retrieve and analyze tool descriptions. By providing early detection of security risks, mcp-scan empowers developers to build more secure and trustworthy AI applications using the MCP framework. Note: Scanning shares tool metadata with invariantlabs.ai for enhanced analysis.

Automated Security Vulnerability Scanning

MCP-Scan serves as a crucial security layer by automatically detecting common vulnerabilities within MCP Tools connected to configured servers. Upon execution, it first identifies MCP server configurations by scanning known locations for clients like Claude, Cursor, and VSCode, or by analyzing user-specified files. It then connects to these servers, retrieves the descriptions of the installed Tools, and subjects them to rigorous analysis. This analysis includes local checks for patterns associated with prompt injection attacks, where malicious instructions hidden in tool descriptions could manipulate the AI's behavior. Furthermore, it leverages the external Invariant Guardrails API (requiring sharing of tool names/descriptions) to identify sophisticated tool poisoning attacks, where a tool's functionality might be subtly altered for harmful purposes. It also detects cross-origin escalation vulnerabilities, sometimes known as tool shadowing or masking, preventing scenarios where one tool might improperly invoke or interfere with another. This comprehensive scanning process provides developers and users with actionable insights into the security posture of their AI's external interactions. For instance, running mcp-scan scan might reveal that a newly added weather tool description contains suspicious prompts attempting to instruct the AI to disregard previous safety instructions.

Tool Integrity Verification (Pinning)

A significant threat in dynamic ecosystems like MCP is the "rug pull" attack, where a previously trusted Tool is maliciously modified by its provider after installation. MCP-Scan directly addresses this risk through its Tool Pinning feature. This mechanism works by calculating a unique cryptographic hash based on the definition or description of each installed MCP Tool. During subsequent scans, MCP-Scan recalculates these hashes and compares them against previously recorded values or a user-managed whitelist. If a mismatch is detected, it indicates that the Tool's definition has changed since it was last verified or added to the whitelist, potentially signaling tampering or an unauthorized update. This alerts the user to investigate the change before the AI interacts with the potentially compromised Tool. Users can manage known-good tools using the mcp-scan whitelist [NAME HASH] command, explicitly trusting specific versions. For example, if a financial analysis tool's hash changes unexpectedly, MCP-Scan flags it, prompting the user to verify if the update is legitimate or if the tool has been compromised to exfiltrate data.

Multi-Client Configuration Discovery

MCP-Scan significantly simplifies the security auditing process by automatically discovering MCP server configurations across various installed clients. Instead of requiring users to manually locate and specify each configuration file, the tool intelligently searches standard installation directories and known configuration file locations associated with popular MCP clients, including Claude, Cursor, and the VSCode MCP extension. By default, running the mcp-scan scan or mcp-scan inspect command initiates this discovery process, identifying relevant server connection details. This ensures broad coverage with minimal user effort, making regular security checks more feasible. While automatic discovery covers common setups, users retain the flexibility to point MCP-Scan directly to specific configuration files or directories by providing them as arguments (e.g., mcp-scan scan ./my-custom-config.mcp). This feature streamlines the user experience, allowing developers to quickly assess the security of tools used across different AI interaction environments without needing intimate knowledge of each client's configuration storage specifics.