- 3,100+ MCP servers scanned to date
- 148 security checks per scan
- 5/day free scans for every user
- <60s average scan time
How It Works
- Paste a GitHub URL — Enter a public GitHub repository URL containing your MCP server code.
- Automated security audit — The scanner runs 148 checks across credential exposure, data exfiltration, prompt injection, SSRF, privilege escalation, and supply chain integrity.
- Get your Security Score — Receive a composite score (0-100) with severity ratings, detailed findings, and prioritized remediation guidance.
What We Scan
- MCP Tool Definitions — Detect credential theft patterns and data exfiltration vectors in tool definitions.
- Server Entry Points — Analyze server.ts/js and index.ts/js for unsafe patterns and reverse shell attempts.
- Credential Exposure — Detect leaked API keys, secrets, and tokens in MCP server configs and environment files.
- Prompt Injection — Identify tool descriptions and outputs that attempt system prompt manipulation or instruction override.
- SSRF Vulnerabilities — Detect server-side request forgery risks in tool endpoints and fetch patterns.
- Supply Chain Integrity — Check dependencies against known CVEs and verify package manifest integrity.
Supported MCP Server Formats
- TypeScript/JavaScript — server.ts, server.js, index.ts, index.js entry points
- Python — Python MCP server implementations
- mcp.json — MCP manifest files with tool definitions
- package.json — Dependency analysis and supply chain verification
Frequently Asked Questions
What does the free MCP Server Security Scanner check?
The scanner checks for credential exposure, data exfiltration vectors, prompt injection vulnerabilities, unsafe tool definitions, SSRF risks, privilege escalation, and supply chain integrity — aligned with the OWASP MCP Top 10.
How many MCP server scans can I run for free?
5 free scans per day for every registered user. No credit card required. Full audit pipeline with detailed findings and remediation guidance.
How is this different from the AI Skills Scanner?
Both use the same security engine. The MCP Scanner targets MCP server repositories (mcp.json, server entry points, tool definitions). The AI Skills Scanner targets SKILL.md and broader AI agent skills.
Is my MCP server code safe during the scan?
Yes. Each scan runs in an isolated container, and nothing from the repository is persisted after the scan completes. Scan traffic is encrypted in transit.
What types of MCP servers can I scan?
Any public MCP server on GitHub. Supports TypeScript, JavaScript, and Python implementations.