A comprehensive security scanner for Model Context Protocol (MCP) servers that detects vulnerabilities and security issues in your MCP implementations.
- π Credential Detection - Finds hardcoded API keys, tokens, and insecure credential storage
- π§ͺ Tool Poisoning - Detects hidden malicious instructions in tool descriptions
- π― Parameter Injection - Identifies magic parameters that extract sensitive AI context
- π Prompt Injection - Scans for prompt manipulation and injection attacks
- π Tool Mutation - Detects dynamic tool changes and rug-pull risks
- π¬ Conversation Exfiltration - Finds triggers that steal conversation history
- π¨ ANSI Injection - Detects steganographic attacks using escape sequences
- π Protocol Violations - Identifies MCP protocol security violations
- π‘οΈ Input Validation - Finds command injection, SSRF, and path traversal issues
- π Server Spoofing - Detects servers impersonating popular services
- π Toxic Flows - Identifies dangerous data flow patterns
- π Permission Issues - Finds excessive permissions and access control problems
npm install -g mcp-watchnpm install mcp-watchgit clone https://github.com/yourusername/mcp-watch.git
cd mcp-watch
npm install
npm run build# Scan a GitHub repository
mcp-watch scan https://github.com/user/mcp-server
# Scan with JSON output
mcp-watch scan https://github.com/user/mcp-server --format json
# Filter by severity
mcp-watch scan https://github.com/user/mcp-server --severity high
# Filter by category
mcp-watch scan https://github.com/user/mcp-server --category credential-leakNote: If you don't want to download npm then just substitute mcp-watch with node dist/main.js.
Example: node dist/main.js scan https://github.com/user/repo
--format <type>- Output format:console(default) orjson--severity <level>- Minimum severity:low,medium,high,critical--category <cat>- Filter by vulnerability category
credential-leak- Hardcoded credentials and insecure storagetool-poisoning- Malicious tool descriptionsdata-exfiltration- Data theft and parameter injectionprompt-injection- Prompt manipulation attackstool-mutation- Dynamic tool changessteganographic-attack- Hidden content in escape sequencesprotocol-violation- MCP protocol security issuesinput-validation- Command injection, SSRF, path traversalserver-spoofing- Server impersonationtoxic-flow- Dangerous data flowsaccess-control- Permission and access issues
π Scanning repository: https://github.com/user/mcp-server
π Based on vulnerablemcp.info, HiddenLayer, Invariant Labs, and Trail of Bits research
π Scanning for credential vulnerabilities...
π§ͺ Scanning for tool poisoning vulnerabilities...
π― Scanning for parameter injection vulnerabilities...
π Scanning for prompt injection vulnerabilities...
π MCP SECURITY SCAN RESULTS
===============================
π Summary by Severity:
π¨ CRITICAL: 2
β οΈ HIGH: 1
β‘ MEDIUM: 3
π Detailed Results:
--------------------
1. π¨ Hardcoded credentials detected
π ID: HARDCODED_CREDENTIALS
π― Severity: CRITICAL
π Category: credential-leak
π Location: src/config.ts:15
π Evidence: const apiKey = "sk-***REDACTED***"
mcp-watch/
βββ main.ts # CLI entry point
βββ types/
β βββ Vulnerability.ts # Type definitions
βββ scanner/
β βββ MCPScanner.ts # Main scanner orchestrator
β βββ BaseScanner.ts # Base scanner utilities
β βββ scanners/ # Individual vulnerability scanners
β βββ CredentialScanner.ts
β βββ ParameterInjectionScanner.ts
β βββ ...
βββ utils/
βββ reportFormatter.ts # Report formatting
# Build the project
npm run build
# Run in development mode
npm run dev scan https://github.com/user/repo
# Quick scan during development
npm run scan https://github.com/user/repo
# Clean build artifacts
npm run clean- Create a new scanner in
scanner/scanners/ - Extend
AbstractScanner - Implement the
scan()method - Add to
MCPScanner.ts
Example:
import { AbstractScanner } from "../BaseScanner";
import { Vulnerability } from "../../types/Vulnerability";
export class MyScanner extends AbstractScanner {
async scan(projectPath: string): Promise<Vulnerability[]> {
console.log("π Scanning for my vulnerability type...");
const vulnerabilities: Vulnerability[] = [];
// Your scanning logic here
return vulnerabilities;
}
}This tool is based on security research from leading organizations in AI and cybersecurity, identifying novel attack vectors specific to MCP environments including:
- Parameter injection attacks that extract sensitive AI context
- Tool poisoning with hidden malicious instructions
- Conversation exfiltration using trigger phrases
- Steganographic attacks via ANSI escape sequences
- Toxic agent flows across repository boundaries
-
VulnerableMCP Database (vulnerablemcp.info)
- Comprehensive database of MCP vulnerabilities
- Real-world attack patterns and examples
- Regular updates on new attack vectors
-
HiddenLayer Research (Exploiting MCP Tool Parameters)
- Parameter injection attacks that extract sensitive data
- Tool call history and conversation exfiltration
- System prompt extraction vulnerabilities
- Chain of thought manipulation
- Model name disclosure risks
-
Invariant Labs Research (GitHub MCP Vulnerability)
- Tool poisoning detection
- Toxic agent flows
- Cross-repository security issues
- Rug-pull updates in tool functionality
- Server spoofing prevention
-
Trail of Bits Research (MCP Security Research)
- Conversation exfiltration methods
- ANSI injection attacks
- Protocol-level vulnerabilities
- Insecure credential storage patterns
- Cross-server shadowing attacks
-
PromptHub Analysis (5 MCP Security Vulnerabilities)
- Command injection patterns (43% of public MCP servers affected)
- SSRF vulnerability statistics (30% allow arbitrary URL fetching)
- Path traversal attack vectors (22% leak files outside intended directories)
- Retrieval-Agent Deception (RADE) attacks
- Tool poisoning prevention strategies
0- No critical or high severity vulnerabilities found1- Critical or high severity vulnerabilities detected1- Scan error occurred
- Fork the repository
- Create a feature branch
- Run type checking with
npm run type-check - Test your changes manually
- Submit a pull request
MIT License - see LICENSE file for details.
- Create an issue for bug reports or feature requests
- Check existing issues before creating new ones
- Include scan output and repository details when reporting issues