MCP-Scan: An MCP Security Scanner

MCP-Scan is a security scanning tool designed to go over your installed MCP servers and check them for common security vulnerabilities like prompt injections, tool poisoning and cross-origin escalations.

Quick Start

To run MCP-Scan, use the following command:

uvx mcp-scan@latest

Example Output

Features

• Scanning of Claude, Cursor, Windsurf, and other file-based MCP client configurations
• Scanning for prompt injection attacks in tool descriptions and tool poisoning attacks using Invariant Guardrails
• Detection of cross-origin escalation attacks (tool shadowing)
• Tool Pinning to detect and prevent MCP rug pull attacks, i.e. detects changes to MCP tools via hashing
• Inspecting the tool descriptions of installed tools via uvx mcp-scan@latest inspect

How It Works

MCP-Scan searches through your configuration files to find MCP server configurations. It connects to these servers and retrieves tool descriptions.

It then scans tool descriptions, both with local checks and by invoking Invariant Guardrailing via an API. For this, tool names and descriptions are shared with invariantlabs.ai. By using MCP-Scan, you agree to the invariantlabs.ai terms of use and privacy policy.

Invariant Labs is collecting data for security research purposes (only about tool descriptions and how they change over time, not your user data). Don't use MCP-scan if you don't want to share your tools.

MCP-scan does not store or log any usage data, i.e. the contents and results of your MCP tool calls.

CLI parameters

usage: uvx mcp-scan@latest [--checks-per-server CHECKS_PER_SERVER] [--storage-file STORAGE_FILE] [--base-url BASE_URL] [--server-timeout SERVER_TIMEOUT] [files ...]

[FILE1] [FILE2] [FILE3] ...
    Different file locations to scan. This can include custom file locations as long as they are in an expected format, including Claude, Cursor or VSCode format.

inspect
    Prints the tool descriptions of the installed tools

help
    Prints this help message

options:
  --checks-per-server CHECKS_PER_SERVER
                        Number of checks to perform on each server, values greater than 1 help catch non-deterministic behavior
  --storage-file STORAGE_FILE
                        Path to previous scan results
  --base-url BASE_URL   Base URL for the Invariant API server.
  --server-timeout SERVER_TIMEOUT
                        Number of seconds to wait while trying an MCP server

Contributing

We welcome contributions to MCP-Scan. If you have suggestions, bug reports, or feature requests, please open an issue on our GitHub repository.

Development Setup

To run this package from source, follow these steps:

uv run pip install -e .
uv run -m src.mcp_scan.cli

Including MCP-scan results in your own project / registry

If you want to include MCP-scan results in your own project or registry, please reach out to the team via mcpscan@invariantlabs.ai, and we can help you with that.

Further Reading

• Introducing MCP-Scan
• MCP Security Notification Tool Poisoning Attacks
• WhatsApp MCP Exploited
• MCP Prompt Injection

Changelog

• 0.1.4.0 initial public release
• 0.1.4.1 inspect command, reworked output
• 0.1.4.2 added SSE support
• 0.1.4.3 added VSCode MCP support, better support for non-MacOS, improved error handling, better output formatting
• 0.1.4.4-5 fixes