Security scanner and protocol fuzzer for MCP (Model Context Protocol) servers. Found and reported vulnerabilities in official Anthropic and GitHub MCP implementations.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mr_paradox from gravatar.com mr_paradox

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Manthan
  • Tags ai , mcp , model-context-protocol , pentesting , scanner , security
  • Requires: Python >=3.11
  • Provides-Extra: ai , all , dev , rogue
Classifiers
Report project as malware

Project description

mcpsec

License: MIT Python 3.11+ PyPI Bugs Found Fuzz Cases Semgrep Rules

Security scanner and protocol fuzzer for MCP servers.

Most MCP security tools do static analysis. mcpsec connects to live servers and proves exploitation.

InstallationUsageScannersFuzzing

Why mcpsec?

MCP is the protocol connecting AI agents (Claude, Cursor, VS Code) to external tools. Every major AI company uses it. Its security is often overlooked.

  • 82% of MCP implementations have path traversal vulnerabilities
  • 67% are vulnerable to code injection
  • ~2,000 internet-exposed MCP servers found with zero authentication
  • Anthropic's own Git MCP server had 3 critical RCE vulnerabilities

mcpsec has been used to discover and report 12+ vulnerabilities across Anthropic and GitHub MCP implementations, affecting Python, TypeScript, and Go SDK ecosystems.

Installation

pip install mcpsec

For AI-powered features:

pip install mcpsec[ai]

Usage

Runtime Scanning

# Scan via stdio
mcpsec scan --stdio "npx @modelcontextprotocol/server-filesystem /tmp"

# Scan via HTTP with auth
mcpsec scan --http http://localhost:8080/mcp -H "Authorization: Bearer TOKEN"

# Enumerate attack surface
mcpsec info --stdio "python my_server.py"

# Advanced SQL Injection Discovery
mcpsec sql --stdio "npx @benborla29/mcp-server-mysql" --fingerprint

# Attack Chain Analysis (Priority 0)
mcpsec chains --stdio "npx @example/complex-server"

Protocol Fuzzing

# Standard fuzzing (150+ cases)
mcpsec fuzz --stdio "python my_server.py"

# High intensity (500+ cases)
mcpsec fuzz --stdio "python my_server.py" --intensity high

# Target specific attack class
mcpsec fuzz --stdio "python my_server.py" -g protocol_state_machine
mcpsec fuzz --stdio "python my_server.py" -g id_confusion

# AI-powered payload generation
mcpsec fuzz --stdio "python my_server.py" --ai

Static Analysis

# Local source
mcpsec audit --path ./my-mcp-server

# GitHub repository
mcpsec audit --github https://github.com/user/mcp-server

# With AI validation
mcpsec audit --github https://github.com/user/mcp-server --ai

Rogue Server (Client Testing)

# Test MCP clients for vulnerabilities
mcpsec rogue-server --port 9999 --attack all

Scanners

Scanner Description
prompt-injection Hidden instructions in tool descriptions
command-injection OS command injection with proof of exploitation
path-traversal File traversal with proof of exploitation
ssrf Server-Side Request Forgery to internal services
auth-audit Missing auth, dangerous tool combinations
description-prompt-injection LLM manipulation via descriptions
resource-ssrf SSRF via MCP resource URIs
capability-escalation Undeclared capability abuse
sql Modular SQL Injection (Error, Time, Boolean, Stacked)
chains Tool Chain Analysis (Dangerous combinations detection)
sql-rce SQL Injection to RCE/File access (Legacy)

Fuzz Generators

Generator Description
malformed_json Invalid JSON structures
protocol_violation JSON-RPC spec violations
type_confusion Type mismatch attacks
unicode_attacks Encoding edge cases
injection_payloads SQLi, XSS, command injection
protocol_state_machine MCP state violations
id_confusion JSON-RPC ID edge cases

Semgrep Rules

49 MCP-specific rules:

  • Command injection (exec, spawn, child_process)
  • SQL injection (raw queries, ORM bypass)
  • Path traversal (path.join with unsanitized input)
  • Description injection (dynamic tool descriptions)
  • Resource URI issues (SSRF vectors)
  • Protocol handler vulnerabilities

Configuration

AI Provider Setup

mcpsec setup

Supports: OpenAI, Anthropic, Google, Groq, DeepSeek, Ollama

Output Formats

# JSON
mcpsec scan --stdio "server" --output results.json

# SARIF (CI/CD)
mcpsec fuzz --stdio "server" --output results.sarif

How It Works

┌─────────┐     MCP Protocol      ┌────────────┐
│ mcpsec  │ ◄──── JSON-RPC ────►  │   Target   │
│         │    (stdio / HTTP)     │   Server   │
└────┬────┘                       └────────────┘
     │
     ├── Connect & enumerate attack surface
     ├── Run static scanners
     ├── Generate dynamic payloads  
     ├── Execute fuzzing campaigns
     └── Report findings with evidence

Disclaimer

For authorized security testing only. Only scan servers you own or have permission to test.

Changelog

v2.0.2 (2026-02-26)

  • Tool Chain Analysis: Detect dangerous tool combinations (read+exec, sql+exfil).
  • Cross-Platform Priority: Robust Windows support for npx, modern path resolution.
  • Improved UI: Refined terminal output and error reporting.

v2.0.1 (2026-02-25)

  • Advanced SQL Scanner: Modular architecture with error/time/boolean detection.
  • DB Fingerprinting: Automated identification of MySQL, Postgres, MSSQL, and SQLite.
  • Enhanced Heuristics: Better tool and parameter surface discovery.

v2.0.0 (2026-02-24)

  • Fuzzing Engine v2: Chained fuzzer for deep state-machine exploration.
  • AI-Powered Validation: LLM verification of potential security findings.

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mr_paradox from gravatar.com mr_paradox

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Manthan
  • Tags ai , mcp , model-context-protocol , pentesting , scanner , security
  • Requires: Python >=3.11
  • Provides-Extra: ai , all , dev , rogue
Classifiers

Release history Release notifications | RSS feed

2.7.1

2.7.0

2.6.1

2.6.0

2.5.0

2.4.1

2.4.0

2.3.0

2.0.3

This version

2.0.2

2.0.1

2.0.0

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

0.4.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mcpsec-2.0.2.tar.gz (146.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mcpsec-2.0.2-py3-none-any.whl (182.9 kB view details)

Uploaded Python 3

File details

Details for the file mcpsec-2.0.2.tar.gz.

File metadata

  • Download URL: mcpsec-2.0.2.tar.gz
  • Upload date:
  • Size: 146.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.2

File hashes

Hashes for mcpsec-2.0.2.tar.gz
Algorithm Hash digest
SHA256 f2408a9e4fab928deb2a725f3fdd47d23c4928fef4544d474b716ab2445f307d
MD5 0adf3930270cb90cf2858904600c71a8
BLAKE2b-256 86251e210b0e49540dde7725c70c034777ac852544b5c3349edc2e111a62ff11

See more details on using hashes here.

File details

Details for the file mcpsec-2.0.2-py3-none-any.whl.

File metadata

  • Download URL: mcpsec-2.0.2-py3-none-any.whl
  • Upload date:
  • Size: 182.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.2

File hashes

Hashes for mcpsec-2.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 bb26ad7169cd48d884ef7debaed0aaddbe155d58faff5c7cddf9884ef1e4abe3
MD5 8e5dd7441e4c09bac9881f7d30f086f8
BLAKE2b-256 0314269d8c230c899d19c3131b4c45fb1c60c2b5f4811b1bab067441d6962cda

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page