Skip to main content

The security linter for MCP โ€” scan any server for compliance with the MCP spec, OWASP MCP Top 10, and FastMCP baseline

Project description

๐Ÿ›ก๏ธ MCPSec

The security linter for MCP

Python 3.12+ License MCP Shark

An MCP server that audits other MCP servers for compliance with the official MCP specification, OWASP MCP Top 10, OWASP Agentic AI Top 10, and the FastMCP security baseline. Scan any server. Get a compliance report. Fix issues.

Part of the MCP Shark project family โ€” forensic analysis, security scanning, and developer tooling for the Model Context Protocol.

MCP Shark Product Purpose
Smart Scan AI-powered security analysis & risk assessment
Inspector Real-time MCP traffic monitoring & debugging
MCPSec Deep compliance scanning against MCP spec & OWASP standards

Why MCPSec

The Model Context Protocol is rapidly becoming the universal standard for connecting AI agents to tools โ€” adopted by Claude, ChatGPT, VS Code, Gemini, and Cursor. But MCP security is an afterthought:

  • 88% of MCP servers require credentials, but 53% rely on insecure static secrets
  • Only 8.5% implement modern OAuth authentication
  • 30 CVEs documented in 6 weeks, with 43% being exec/shell injection
  • The first full RCE against an MCP client (CVE-2025-6514) scored CVSS 9.6
  • No existing tool systematically validates compliance against the official MCP spec

MCPSec fills this gap.


Key Features

  • 34 security findings across 6 auditors (auth, transport, authorization, tools, config, supply chain)
  • 4 detection modes โ€” endpoint probing, MCP introspection, active token testing, static analysis
  • LLM hybrid classifier โ€” rule-based first pass + LLM semantic analysis (BYOK via LiteLLM)
  • Compliance scorecard โ€” MCP Spec, OWASP MCP Top 10, FastMCP baseline scores with Aโ€“F grading
  • Dual interface โ€” runs as an MCP server (for Claude Desktop, Cursor, VS Code) or standalone CLI
  • 4 report formats โ€” Markdown, JSON, SARIF (GitHub Code Scanning), interactive HTML dashboard
  • CI/CD gating โ€” mcpsec ci returns exit codes based on CVSS thresholds
  • Scan history โ€” SQLite storage with scan comparison and trend tracking
  • Passthrough LLM โ€” in MCP server mode, uses the client's own LLM for classification
  • Privacy-first โ€” fully local, no data leaves your machine

Quick Start

Install

pip install git+https://github.com/mcp-shark/mcpsec.git

First Scan

mcpsec scan https://your-mcp-server.com

With LLM Classification

export ANTHROPIC_API_KEY=sk-...   # or OPENAI_API_KEY, GEMINI_API_KEY
mcpsec scan https://your-mcp-server.com --llm

Generate Reports

mcpsec report <scan_id> --format html      # Interactive dashboard
mcpsec report <scan_id> --format markdown   # Terminal / GitHub PR
mcpsec report <scan_id> --format sarif      # GitHub Code Scanning

MCP Server Mode

MCPSec is itself an MCP server โ€” any MCP client can invoke its scanning tools directly.

Start the Server

mcpsec serve                              # stdio (Claude Desktop, Cursor)
mcpsec serve --transport http --port 8000  # Streamable HTTP

Claude Desktop / Claude Code, VS Code, Cursor Dev Test Set-up

All three clients have the same config format distinction โ€” installed vs source. Here's each:

Claude Desktop / Claude Code

Add to claude_desktop_config.json:

Installed (pip install -e .):

{
  "mcpServers": {
    "mcpsec": {
      "command": "mcpsec",
      "args": ["serve"]
    }
  }
}

From source:

{
  "mcpServers": {
    "mcpsec": {
      "command": "/path/to/mcpsec/.venv/bin/python",
      "args": ["-m", "mcpsec.cli", "serve"],
      "cwd": "/path/to/mcpsec"
    }
  }
}

Cursor

Add to .cursor/mcp.json โ€” same format as Claude Desktop for both installed and source options.

VS Code

Add to .vscode/settings.json:

Installed:

{
  "mcp": {
    "servers": {
      "mcpsec": {
        "command": "mcpsec",
        "args": ["serve"]
      }
    }
  }
}

From source:

{
  "mcp": {
    "servers": {
      "mcpsec": {
        "command": "/path/to/mcpsec/.venv/bin/python",
        "args": ["-m", "mcpsec.cli", "serve"],
        "cwd": "/path/to/mcpsec"
      }
    }
  }
}

Summary: Claude Desktop, Claude Code, and Cursor all use mcpServers key. VS Code uses mcp.servers. The installed vs source distinction is the same across all three.

Passthrough LLM Flow

In MCP server mode, MCPSec doesn't need its own LLM API key. Instead:

  1. Client calls scan_tools(url) โ†’ gets rule-based findings
  2. Client calls get_unclassified_tools(url) โ†’ gets pre-built classification prompts
  3. The client's own LLM reasons over the prompts
  4. Client calls classify_tools(scan_id, classifications) โ†’ merged into findings

This means Claude Desktop uses Claude, Cursor uses its configured model, etc. โ€” automatically.


CLI Reference

Command Description
mcpsec scan <url> Full security scan (all auditors)
mcpsec auth <url> OAuth 2.1 compliance audit
mcpsec transport <url> Transport & session security
mcpsec authorization <url> Scope & permission model audit
mcpsec tools <url> Tool metadata & poisoning analysis
mcpsec config [path] Local config file audit
mcpsec dependencies <path> Dependency vulnerability check
mcpsec ci <url> --fail-on 7.0 CI/CD mode (exit code on CVSS threshold)
mcpsec serve Run as MCP server
mcpsec report <scan_id> Generate compliance report
mcpsec list List previous scans
mcpsec compare <id_a> <id_b> Compare two scans
mcpsec scan_local Enumerate & audit local MCP servers (stub)

Common Flags

--access remote|authenticated|local    # Scanner access level
--depth quick|standard|thorough        # Scan thoroughness
--test-token <token>                   # Bearer token for active checks
--llm                                  # Enable LLM classification (BYOK)
--model <name>                         # Override LLM model
--json                                 # Output as JSON

Scan โ†’ Recommend โ†’ Fix

MCPSec follows a three-tier architecture:

Tier 1: Scan โœ…

Non-destructive probing, configuration analysis, tool metadata inspection, pattern matching against the FastMCP auth baseline.

Tier 2: Recommend โœ…

For each finding: explains the risk, maps to specific spec sections + OWASP IDs, provides step-by-step remediation with FastMCP code examples.

Tier 3: Fix (Roadmap)

Auto-generate structured fix descriptors consumable by coding agents (Claude Code, Cursor, Copilot). MCPSec outputs fixes โ€” the developer's coding agent applies them.


Findings Catalog

MCPSec detects 34 security findings across 6 auditors:

Authentication (AUTH-001 to AUTH-013)

ID Title Severity Detection
AUTH-001 Protected Resource Metadata Missing Critical Endpoint
AUTH-002 Token Passthrough Detected Critical Static
AUTH-003 Token Audience Binding Not Enforced Critical Active
AUTH-004 Remote Server Over HTTP (No TLS) Critical Endpoint
AUTH-005 PKCE Not Supported Critical Endpoint
AUTH-006 Authorization Server Metadata Missing High Endpoint
AUTH-007 Resource Indicator Not Enforced High Active
AUTH-008 Bearer Token in URI Query String High Endpoint
AUTH-009 401 Missing WWW-Authenticate Header High Endpoint
AUTH-010 Insufficient Scope Error Handling Medium Active
AUTH-011 No Scope in WWW-Authenticate Challenge Medium Endpoint
AUTH-012 No Registration Mechanism Medium Endpoint
AUTH-013 STDIO Server with HTTP Auth Low Endpoint

Transport (TRANS-001 to TRANS-004)

ID Title Severity Detection
TRANS-001 Deprecated SSE Transport High Endpoint
TRANS-002 SSRF-Vulnerable Metadata URL Critical Endpoint
TRANS-003 Session ID Low Entropy High Active
TRANS-004 Session Binding Not Enforced High Active

Authorization (AUTHZ-001 to AUTHZ-004)

ID Title Severity Detection
AUTHZ-001 Admin Tool Without Authorization Critical Active
AUTHZ-002 No Per-Tool Scope Requirements High Introspection
AUTHZ-003 Wildcard/Broad Scope Definitions High Introspection
AUTHZ-004 Privilege Escalation via Scope Critical Active

Tools (TOOL-001 to TOOL-005)

ID Title Severity Detection
TOOL-001 Tool Description Poisoning Critical Introspection + LLM
TOOL-002 Command Injection Pattern Critical Static
TOOL-003 Path Traversal Vulnerability High Static
TOOL-004 Input Schema Missing Constraints High Introspection
TOOL-005 Dangerous Tool Name High Introspection + LLM

Configuration (CONFIG-001 to CONFIG-004)

ID Title Severity Detection
CONFIG-001 Hardcoded Credentials in Config Critical Static
CONFIG-002 Shell Injection in Startup Args Critical Static
CONFIG-003 Symlink Attack on Server Path High Static
CONFIG-004 Shadow MCP Server Detected High Static

Supply Chain (SC-001 to SC-004)

ID Title Severity Detection
SC-001 Known CVE in Dependency Critical Static
SC-002 Typosquat Package Detected Critical Static
SC-003 Unpinned Dependency Version Medium Static
SC-004 Unverified Package Publisher Medium Static

Compliance Scorecard

Every scan produces a compliance scorecard:

  • Overall Score (0โ€“100) with letter grade Aโ€“F
  • MCP Spec Compliance โ€” scored against official MCP authorization spec
  • OWASP MCP Top 10 Coverage โ€” 0โ€“10 risk categories clear
  • FastMCP Baseline โ€” alignment with FastMCP's auth implementation patterns

With --llm enabled, the scorecard includes an AI-generated risk narrative explaining finding interactions and prioritized remediation reasoning.


LLM Hybrid Classification

MCPSec uses a two-pass detection pipeline:

  1. Rule-based (fast, free, deterministic) โ€” regex patterns for poisoning, dangerous names, schema issues
  2. LLM semantic analysis (opt-in) โ€” catches subtle manipulation that rules miss

Supported Providers (BYOK)

Provider Env Variable Default Model
Anthropic ANTHROPIC_API_KEY claude-sonnet-4-20250514
OpenAI OPENAI_API_KEY gpt-4o
Google GEMINI_API_KEY gemini-2.0-flash
Mistral MISTRAL_API_KEY mistral-large-latest
Groq GROQ_API_KEY llama-3.3-70b

Auto-detected from environment variables. Override with --model or MCPSEC_LLM_MODEL.


Reports

Markdown

Terminal-friendly, ideal for GitHub PR comments.

JSON

Machine-readable, for integration with other tools.

SARIF

Standard format for GitHub Code Scanning, Azure DevOps, VS Code SARIF Viewer.

HTML Dashboard

Interactive cybersecurity-themed dashboard with:

  • Severity donut chart
  • OWASP MCP Top 10 radar chart
  • Framework compliance bar chart
  • Sortable/filterable findings with expandable details
  • Remediation priorities table
mcpsec scan https://mcp-server.com
mcpsec report <scan_id> --format html
# Opens mcpsec_report_<scan_id>.html

CI/CD Integration

GitHub Actions

name: MCP Security Scan
on: [push, pull_request]

jobs:
  mcpsec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - run: pip install mcpsec
      - run: mcpsec ci ${{ vars.MCP_SERVER_URL }} --fail-on 7.0 --json

The mcpsec ci command exits with code 1 if any finding meets or exceeds the CVSS threshold.


Standards & Compliance Framework

MCPSec validates against:

Standard Coverage
MCP Specification (draft-2025-11-25) OAuth 2.1, transport, session, input validation
FastMCP Auth Baseline TokenVerifier, OAuthProvider, require_scopes(), restrict_tag()
OWASP MCP Top 10 (v0.1, 2025) All 10 risk categories
OWASP Agentic AI Top 10 (2026) ASI01โ€“ASI10 cross-referenced
OWASP LLM Top 10 (2025) MCP-specific variants
RFCs 6749, 6750, 7591, 7636, 8414, 8707, 9728
NIST AI RMF Risk management cross-references
MITRE ATLAS Adversarial ML technique mapping

Architecture

graph TB
    subgraph Target["Target MCP Server"]
        T[MCP Server being scanned]
    end

    subgraph Engine["Scanner Engine"]
        A1[Auth Auditor<br/>AUTH-001 to 013]
        A2[Transport Auditor<br/>TRANS-001 to 004]
        A3[Authorization Auditor<br/>AUTHZ-001 to 004]
        A4[Tools Auditor<br/>TOOL-001 to 005]
        A5[Config Auditor<br/>CONFIG-001 to 004]
        A6[Supply Chain Auditor<br/>SC-001 to 004]
        LLM[LLM Hybrid Classifier<br/>Rule-based + Semantic]
    end

    subgraph Reports["Results & Reports"]
        SC[Compliance Scorecard]
        MD[Markdown]
        HTML[HTML Dashboard]
        SARIF[SARIF]
        JSON[JSON]
        DB[(SQLite History)]
    end

    subgraph Server["MCPSec Server - FastMCP"]
        MCP[14 MCP Tools<br/>Streamable HTTP / stdio]
        CLI[CLI + CI/CD]
    end

    subgraph Clients["MCP Clients"]
        CD[Claude Desktop]
        CC[Claude Code]
        VS[VS Code]
        CU[Cursor]
        CI[CI/CD Pipelines]
    end

    T --> Engine
    A4 --> LLM
    Engine --> Reports
    Reports --> Server
    Server --> Clients

    style Target fill:#1a1a2e,stroke:#ff1744,color:#fff
    style Engine fill:#0f1729,stroke:#448aff,color:#fff
    style Reports fill:#0f1729,stroke:#69f0ae,color:#fff
    style Server fill:#0f1729,stroke:#ffd600,color:#fff
    style Clients fill:#111827,stroke:#c0c8d8,color:#fff

Development

Setup

git clone https://github.com/mcp-shark/mcpsec.git
cd mcpsec
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"

Run Tests

pytest -m "not llm and not exa" -v     # Core tests (no API keys needed)
pytest -v                               # Full suite (needs ANTHROPIC_API_KEY)
pytest -m exa -v                        # Real-world Exa MCP server tests

Test Coverage

  • 444 tests covering all 6 auditors, LLM classifier, scorecard, reports
  • Compliant + non-compliant test servers for active check validation
  • MockProvider for deterministic LLM testing
  • Live LLM tests with real Anthropic classification

Competitive Comparison

Capability Snyk MintMCP MCPScan.ai MCPShield AgentAudit MCPSec
MCP Spec compliance audit โŒ โŒ โŒ โŒ โŒ โœ…
FastMCP auth baseline โŒ โŒ โŒ โŒ โŒ โœ…
OAuth 2.1 verification โŒ โŒ Partial โŒ โŒ โœ…
OWASP MCP Top 10 full coverage Partial Partial Partial Partial Partial โœ…
Tool poisoning (LLM) โœ… โœ… โœ… โŒ โœ… โœ…
Supply chain scanning โŒ โŒ โŒ โœ… โœ… โœ…
SSRF endpoint scanning โŒ โŒ โŒ โŒ โŒ โœ…
Remediation + code examples โŒ โŒ โŒ โŒ โŒ โœ…
Compliance scorecard โŒ โŒ โŒ โŒ โŒ โœ…
Scan comparison / trending โŒ โŒ โŒ โŒ โŒ โœ…
Interactive HTML dashboard โŒ โŒ โŒ โŒ โŒ โœ…
CI/CD integration โœ… โŒ โŒ โœ… โŒ โœ…
MCP server mode โŒ โŒ โŒ โŒ โŒ โœ…
Privacy (fully local) โŒ โŒ โŒ โœ… โŒ โœ…

Roadmap

Milestone Scope Status
M1 Core scanner, 16 findings, CLI, reports โœ… Complete
M2 All 34 findings, LLM classifier, test servers, scorecard, HTML reports โœ… Complete
M3 Public release, PyPI package, 5+ client testing, documentation ๐Ÿ”„ In Progress
M4 Auto-fix generation (Tier 3), structured fix descriptors, npm wrapper, GitHub Action Planned
M5 Agent Scanner (separate MCP server, OWASP Agentic AI Top 10) Planned
M6 Enterprise (remote deployment, team dashboards, policy engine) Planned

Distribution

Channel Milestone Status
PyPI โ€” pip install mcpsec M3 ๐Ÿ”„ In Progress
npm โ€” npm install mcpsec M4 Planned
GitHub Action โ€” mcp-shark/mcpsec-action@v1 M4 Planned

License

MIT โ€” see LICENSE.


Part of the MCP Shark project family
Forensic analysis, security scanning, and developer tooling for the Model Context Protocol

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mcpsharksec-0.1.0.tar.gz (125.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mcpsharksec-0.1.0-py3-none-any.whl (103.2 kB view details)

Uploaded Python 3

File details

Details for the file mcpsharksec-0.1.0.tar.gz.

File metadata

  • Download URL: mcpsharksec-0.1.0.tar.gz
  • Upload date:
  • Size: 125.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for mcpsharksec-0.1.0.tar.gz
Algorithm Hash digest
SHA256 4e79f00848c89825ab754d3869a3979c1dccbfff70d5763c41bdbd3ee76d854d
MD5 77822c59e24bfbeea23becc2165bc9ee
BLAKE2b-256 91a95c6fe099236c6c9d040b373a6ec46f60e0f820158582e53568f305f4b316

See more details on using hashes here.

Provenance

The following attestation bundles were made for mcpsharksec-0.1.0.tar.gz:

Publisher: publish.yml on mcp-shark/MCPSec

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file mcpsharksec-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: mcpsharksec-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 103.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for mcpsharksec-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 8a794cac694562e31ab36550e6c316d5839f7fe89869d37c18f7678516067e6b
MD5 05883cb31e951866ca615552288f2dfa
BLAKE2b-256 372c9e6c27fdd4f22c0cd4b1e55674770cfadfebc25a09ddcddee0a03b92b00b

See more details on using hashes here.

Provenance

The following attestation bundles were made for mcpsharksec-0.1.0-py3-none-any.whl:

Publisher: publish.yml on mcp-shark/MCPSec

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page