Security scanner for Model Context Protocol (MCP) servers
Project description
mcp-audit
Security scanner for Model Context Protocol (MCP) servers.
Renamed from
mcp-scan→mcp-auditin April 2026 to avoid collision with Snyk's Agent Scan (formerly Invariant Labs' mcp-scan). The old PyPI packagevelox-mcp-scanis deprecated; installvelox-mcp-auditinstead.
mcp-audit is an open-source CLI that inspects MCP servers for known security issues. It connects to a server via stdio, fetches its tool/resource/prompt manifest, and runs a battery of checks against the metadata.
Early alpha. Currently ships 6 checks: 2 protocol-level (prompt injection markers, ANSI/control character smuggling) and 4 source-code AST checks (path traversal, shell injection, SSRF sinks, hardcoded secrets). 19 more are planned — see
docs/checks.mdfor the full roadmap. Only stdio transport is implemented; HTTP/SSE is planned.
Built by Velox Labs — an AI security and platform engineering studio.
What it catches today
Protocol-level checks (run against any MCP server, no source access needed):
| Check | Severity | What it detects |
|---|---|---|
| MCPA-001 | Critical | Prompt-injection markers in tool descriptions (imperative verbs, <system> tags, exfiltration phrases) |
| MCPA-002 | High | ANSI escape sequences, C0 control chars, and zero-width characters hiding payloads in tool descriptions |
Source-code AST checks (require --source <path> pointing at the server's Python source):
| Check | Severity | What it detects |
|---|---|---|
| MCPA-010 | Critical | Path traversal in file handlers — open()/read_text() without is_relative_to() containment (resolve() alone is not sufficient) |
| MCPA-012 | Critical | Shell injection — subprocess with shell=True, especially with f-string/format commands |
| MCPA-060 | High | SSRF sinks — HTTP client calls (httpx, requests, urllib) with variable URLs and no host validation guard |
| MCPA-070 | High | Hardcoded secrets — API keys (sk-, ghp_, AKIA, xoxb-, etc.) and high-entropy strings in secret-named variables |
These catch the tool poisoning attacks published by Trail of Bits and Invariant Labs (2025), the EscapeRoute filesystem sandbox bypass (CVE-2025-53109/53110), and the Anthropic Git MCP argument injection (CVE-2025-68144).
See docs/checks.md for the 19 additional checks planned for v0.1 (dependency CVEs, OAuth conformance, SSRF, exfiltration channels, and more).
Install
pip install velox-mcp-audit
Requires Python 3.10+.
Quick start
# Scan a local stdio MCP server
mcp-audit scan --stdio "python3 -m my_mcp_server"
# Output JSON report
mcp-audit scan --stdio "python3 -m my_mcp_server" --format json --output report.json
# Only run critical-severity checks
mcp-audit scan --stdio "python3 -m my_mcp_server" --severity critical
# List registered checks
mcp-audit list-checks
Try it on the vulnerable reference server
This repo ships with vulnerable-mcp — a deliberately broken MCP server with 5 planted vulnerabilities. The scanner catches all 5 (7 findings total).
# Protocol-level checks only (catches vuln #1)
mcp-audit scan --stdio "python3 -m vulnerable_mcp.server"
# Protocol + source-code checks (catches all 5 vulns)
mcp-audit scan --stdio "python3 -m vulnerable_mcp.server" --source ./vulnerable_mcp
Fail-closed design
A security scanner that silently passes when something goes wrong is worse than no scanner. mcp-audit follows fail-closed principles:
- Introspection failures are surfaced as critical findings, not swallowed. If the server can't respond to
tools/list, you see aCRITICALfinding, not an empty clean report. - Check execution errors cause non-zero exit, even if no findings were produced. In CI, a broken scan is a failed scan.
- All MCP RPC calls have timeouts (default 30s, configurable via
--timeout). A hanging server can't hang the scanner.
Roadmap
- Current — 6 checks (MCPA-001, MCPA-002, MCPA-010, MCPA-012, MCPA-060, MCPA-070), stdio transport, source-code AST scanning (
--source), terminal/JSON/markdown reports, fail-closed error handling, capability-aware introspection. - v0.1 — 25 checks across tool-schema, resource-access, supply-chain, transport, OAuth, SSRF, exfiltration, and configuration categories. See
docs/checks.md. - v0.3 — OAuth 2.1 DCR flow auditing, multi-server config analysis, fuzz mode.
License
MIT. See LICENSE.
Security
Found a security issue in mcp-audit itself? Email security@veloxlabs.dev — please do not file a public issue.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file velox_mcp_audit-0.2.0.tar.gz.
File metadata
- Download URL: velox_mcp_audit-0.2.0.tar.gz
- Upload date:
- Size: 48.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c1c3bda9a9d3918d3082c8227c69bb25d666af92135d4755cf3d3d3811fbe6e1
|
|
| MD5 |
99b470825f23342c6c26627df06b865d
|
|
| BLAKE2b-256 |
ff7872b83d9d2285af0f2d433fdd780ad533464227ae094ca55bced7dc507933
|
File details
Details for the file velox_mcp_audit-0.2.0-py3-none-any.whl.
File metadata
- Download URL: velox_mcp_audit-0.2.0-py3-none-any.whl
- Upload date:
- Size: 33.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
817e56eaba96570b042190b9cd49936b62da87ba979c7313030d33bc0c1a19ad
|
|
| MD5 |
9fc5a226fd2abfbae506f2c6ab6f65e4
|
|
| BLAKE2b-256 |
3948ff9a4343c9f5d81dd92db65822d2fd6a9049ba41e08ce299b4407fd3fd52
|
