Owasp Scan
БесплатноНе проверенPassive security scanner that audits a running MCP server against the OWASP MCP Top 10 and grades it A-F. Read-only static analysis of the advertised tools, pro
Описание
Passive security scanner that audits a running MCP server against the OWASP MCP Top 10 and grades it A-F. Read-only static analysis of the advertised tools, prompts and resources with console/JSON/SARIF output, and it also runs as an MCP server itself.
README
🛡️ mcp-scan
Passive security scanner for Model Context Protocol servers. Point it at any running MCP server; it audits the live server against the OWASP MCP Top 10 and grades it A–F. Read-only, so it is safe to run against production.
npm License: MIT Node CI Tests OWASP MCP Top 10
npx owasp-mcp-scan --stdio "npx -y @modelcontextprotocol/server-filesystem /tmp"

I ran it against the 12 most-installed MCP servers. 9 of them failed. No install, no config, no exploiting anything.
Why
MCP tool descriptions are fed straight into your model's context, and most public servers were never security-reviewed. A bad one can hide instructions in a description, expose a raw-shell tool, or leak a key; and your agent acts on it. Endor Labs found 82% of servers prone to path traversal, 34% to command injection.
mcp-scan is the gut-check before you wire a server in. It's passive: it reads advertised capabilities and analyzes them statically, never invoking tools, so it's safe against production servers.
How it works
- Connects to the server over stdio or Streamable HTTP and enumerates every advertised tool, prompt, and resource.
- Runs 12 static checks across that surface: secrets, injection, SSRF, path traversal, tool poisoning, excessive scope, and more.
toxic-flowreasons across the whole toolset for the lethal trifecta (reads private data + ingests untrusted content + can exfiltrate), the shape single-tool scanners miss.- Scores 0-100 and grades A-F (any critical forces F). Emits console, JSON, or SARIF.
It never calls a tool, never fuzzes, and never sends an exploit. The worst it does is read what the server already tells everyone.
Real findings on real servers
12 popular npm servers, actual output (snapshot 2026-07-11, full benchmark):
| Server | Tools | Grade | 🔴 | 🟠 | 🟡 | Notable |
|---|---|---|---|---|---|---|
firecrawl-mcp |
26 | F | 2 | 11 | 1 | lethal trifecta (MCP10) + code exec (MCP05) |
@modelcontextprotocol/server-filesystem |
14 | F | 0 | 1 | 11 | unconstrained path params (MCP01) |
@modelcontextprotocol/server-puppeteer |
7 | F | 1 | 2 | 0 | script param executes JS (MCP05) |
tavily-mcp |
5 | F | 0 | 3 | 1 | untrusted-input + exfiltration (MCP10) |
@modelcontextprotocol/server-memory |
9 | F | 0 | 3 | 0 | delete_* tools, no confirmation (MCP02) |
@modelcontextprotocol/server-github |
26 | D | 0 | 0 | 2 | state-changing tools (MCP02) |
@modelcontextprotocol/server-slack |
8 | C | 0 | 1 | 0 | reads + posts = data + exfil (MCP10) |
@modelcontextprotocol/server-everything |
13 | A | 0 | 0 | 0 | clean ✓ |
@kazuph/mcp-fetch |
1 | A | 0 | 0 | 0 | clean ✓ |
9 of 12 flagged, 3 clean, every row audited finding-by-finding, false positives stripped rather than padded. Reproduce any row yourself:
npx owasp-mcp-scan --stdio "npx -y firecrawl-mcp" # F: lethal trifecta + code exec
npx owasp-mcp-scan --stdio "npx -y @modelcontextprotocol/server-everything" # A: clean
Use it
CLI
npx owasp-mcp-scan --stdio "<command>" # local stdio server
npx owasp-mcp-scan --url https://host/mcp --header "Authorization: Bearer $TOKEN"
npx owasp-mcp-scan --config ~/.cursor/mcp.json --format sarif --output mcp.sarif
As an MCP server, let your agent scan servers on demand ("scan this MCP server before I add it"). Add to any client; this mcpServers shape works in Claude Code, Claude Desktop, Cursor, Windsurf, VS Code, and Gemini CLI:
{ "mcpServers": { "mcp-scan": { "command": "npx", "args": ["-y", "owasp-mcp-scan", "--serve"] } } }
OpenAI Codex (~/.codex/config.toml):
[mcp_servers.mcp-scan]
command = "npx"
args = ["-y", "owasp-mcp-scan", "--serve"]
Exposes two tools: scan_mcp_server (audit a stdio/HTTP target) and list_checks.
Claude Code plugin
/plugin marketplace add CodingSelim/mcp-scan
/plugin install mcp-scan@mcp-scan
Also on the official MCP registry as io.github.CodingSelim/mcp-scan. Publishing steps: PUBLISHING.md.
What it checks
Full OWASP MCP Top 10 (2025) coverage, 12 checks:
| Check | OWASP | Catches |
|---|---|---|
secret-exposure |
MCP01 | AWS / OpenAI / Anthropic / GitHub / GitLab / Stripe / SendGrid / npm / HF / DB URIs / JWT / private keys in advertised text |
transport |
MCP01 | Plaintext http:// to a non-loopback host |
path-traversal |
MCP01 | file:///{path} templates and unconstrained path params |
excessive-scope |
MCP02 | Destructive tools (delete, drop, transfer) with no confirmation |
tool-poisoning |
MCP03 | Instruction overrides, hidden exfiltration directives, zero-width / Unicode-tag smuggling |
tool-shadowing |
MCP03 / MCP09 | Duplicate tool-name collisions and "call me first" precedence injection |
supply-chain |
MCP04 / MCP09 | Unpinned/placeholder versions and homoglyph server names |
command-injection |
MCP05 | Unconstrained command / shell / code params, raw SQL, advertised execution |
ssrf |
MCP05 | Arbitrary url / host params with no allowlist |
tool-poisoning (dynamic) |
MCP06 | Injection in resource contents and server instructions |
authn |
MCP07 | HTTP servers that complete an unauthenticated handshake |
telemetry |
MCP08 | High-impact tools with no audit trail (advisory, unscored) |
toxic-flow |
MCP10 | Lethal trifecta: one server that reads private data, ingests untrusted content, and can exfiltrate |
toxic-flow is the standout, it reasons across the whole toolset, catching the GitHub-MCP / email-agent injection shape that per-tool checks miss.
Output & CI
console (default) · json · sarif (GitHub Code Scanning). Exit code is non-zero at/above --fail-on (default high), so it gates CI:
- run: npx owasp-mcp-scan --url ${{ secrets.MCP_URL }} --format sarif --output mcp.sarif
- uses: github/codeql-action/upload-sarif@v3
with: { sarif_file: mcp.sarif }
Limitations (read these)
- Static analysis can't see runtime sandboxing, a server that safely confines paths still flags them. Verify against actual enforcement.
- Auth and transport checks apply to HTTP targets only.
- Heuristics favor recall, so triage findings in context. When a rule is tightened to kill a false positive, a test pins the intended behavior.
- Scanning a stdio target spawns that command, so run it only on servers you trust.
Develop
npm install && npm run build && npm test # 48 tests, incl. live end-to-end fixture scans
Checks are pure and isolated (src/checks/), reusing detectors in src/detectors/. See CONTRIBUTING.md.
References
OWASP MCP Top 10 · MCP Security Cheat Sheet · Vulnerable MCP Project · MCPTox
MIT © CodingSelim
Установка Owasp Scan
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/CodingSelim/mcp-scanFAQ
Owasp Scan MCP бесплатный?
Да, Owasp Scan MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Owasp Scan?
Нет, Owasp Scan работает без API-ключей и переменных окружения.
Owasp Scan — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Owasp Scan в Claude Desktop, Claude Code или Cursor?
Открой Owasp Scan на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Owasp Scan with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
