rodolfboctor

rodolfboctor / mcp-scan

Public

Security scanner for MCP server configurations. Detects secrets, CVEs, permission issues, and exfiltration vectors across 10 AI tool clients.

www.npmjs.compackagemcp-scan ai-security ai-tools claude cli cursor
12
0
100% credibility
Found Mar 25, 2026 at 12 stars -- GitGems finds repos before they trend. Get early access to the next one.
Sign Up Free
AI Analysis
TypeScript
AI Summary

mcp-scan automatically examines configurations of AI development tools to detect security risks such as exposed secrets, malicious packages, and excessive permissions.

How It Works

1
🛡️ Discover mcp-scan

You learn about a friendly security helper that checks your AI coding buddies for hidden dangers.

2
🔍 Start your first check

You simply tell it to look over your AI tool setups, and it finds them all on its own.

3
⚠️ See the risks clearly

It highlights any worries like secret passwords out in the open or too much access in easy-to-read alerts.

4
🛠️ Fix problems safely

You let it guide you to clean up issues automatically, approving each change along the way.

5
📊 Share your safety report

Create pretty summaries or send updates to your team so everyone stays protected.

AI tools secured

Your coding helpers now run safely without surprises, and you can check anytime for peace of mind.

Sign up to see the full architecture

4 more

Sign Up Free

Star Growth

See how this repo grew from 12 to 12 stars Sign Up Free
Repurpose This Repo

Repurpose is a Pro feature

Generate ready-to-use prompts for X threads, LinkedIn posts, blog posts, YouTube scripts, and more -- with full repo context baked in.

Unlock Repurpose
AI-Generated Review

What is mcp-scan?

mcp-scan is a TypeScript CLI security scanner that audits MCP server configs in AI tools like Claude Desktop, Cursor, VS Code, and GitHub Copilot. It auto-detects files across macOS, Linux, and Windows, flagging secrets, CVEs via OSV.dev, overbroad permissions, prompt injections, and exfiltration risks in 13 specialized checks. Run `npx mcp-scan` to get instant color-coded reports on what your AI agents can access.

Why is it gaining traction?

Unlike generic secret scanners, it targets MCP configs specifically, supporting SARIF output for GitHub security scanning and direct upload to repo security tabs via GitHub Actions. Features like `--fix` for auto-remediating secrets, watch mode, and SBOM generation make it a practical mcp scan tool for CI pipelines and security github projects. The free security scanner github integration hooks devs needing quick audits without setup.

Who should use this?

AI devs configuring Cursor or Continue.dev servers, security engineers enforcing github security policy in teams using Claude Code or Zed, and SREs scanning VS Code extensions like Cline before production. Ideal for security github actions in repos with mcp scan ai dependencies or security github copilot workflows.

Verdict

Grab it for MCP-specific github security advisories if you're in the AI tooling space—solid docs and GitHub Action make it production-ready despite 12 stars and 1.0% credibility score. Early maturity means watch for updates, but it fills a real gap in mcp scanners today.

(198 words)

Sign up to read the full AI review Sign Up Free

Similar repos coming soon.