Releases: jiru-labs/mcp-config-audit
Release list
v0.1.0 — first public release
First public release. On PyPI: mcp-config-audit.
pipx install mcp-config-audit
mcp-config-audit scanWhat it does
Reads the MCP config files on your machine — Claude Desktop, Claude Code, Cursor, VS Code, Windsurf — and reports what the configuration itself gives away:
- credentials written into it in plain text (in
args, in a URL, inenv), - servers reached over plain
http://, - launch commands that download and run remote code (
curl … | sh) or resolve an unscoped, unpinned package name anyone could claim, - servers handed a whole filesystem or an unrestricted shell — the blast radius if any of the above is exploited.
Nine rules, each reading the server definition and nothing else.
What it deliberately does not do
It reads the configuration, not the servers. A tool's description — where a tool-poisoning payload actually hides — is served by a running server and is not in the config file, so no rule here reads one. That is a narrower claim than "detects tool poisoning", and it is the true one.
The promises
Local-first. No network call, no process started, no telemetry, no account. Read-only. It never modifies your files. No credential value is ever printed — a finding tells you which argument or variable holds a key, never what the key is. These are enforced by tests, not just documented: the suite fails the build if a socket or a subprocess import ever appears in the package.
For CI
Reports to the terminal, markdown, JSON and SARIF (GitHub code scanning). Exit codes are designed so that a run which could not complete never reads as a clean bill of health: 0/1/2 are verdicts, 3 means the result is unknown, go and look, and 64 is a usage error kept off the verdict codes so a typo can never look like a finding.
Platform support
Tested on Linux and macOS, Python 3.11–3.13, on every commit. Windows is unverified — the paths are implemented, but the tool has never been run there and the suite does not yet pass (#45).