Skip to content

Releases: jiru-labs/mcp-config-audit

v0.1.0 — first public release

Choose a tag to compare

@nyakojiru nyakojiru released this 11 Jul 22:47
3ff9f2f

First public release. On PyPI: mcp-config-audit.

pipx install mcp-config-audit
mcp-config-audit scan

What it does

Reads the MCP config files on your machine — Claude Desktop, Claude Code, Cursor, VS Code, Windsurf — and reports what the configuration itself gives away:

  • credentials written into it in plain text (in args, in a URL, in env),
  • servers reached over plain http://,
  • launch commands that download and run remote code (curl … | sh) or resolve an unscoped, unpinned package name anyone could claim,
  • servers handed a whole filesystem or an unrestricted shell — the blast radius if any of the above is exploited.

Nine rules, each reading the server definition and nothing else.

What it deliberately does not do

It reads the configuration, not the servers. A tool's description — where a tool-poisoning payload actually hides — is served by a running server and is not in the config file, so no rule here reads one. That is a narrower claim than "detects tool poisoning", and it is the true one.

The promises

Local-first. No network call, no process started, no telemetry, no account. Read-only. It never modifies your files. No credential value is ever printed — a finding tells you which argument or variable holds a key, never what the key is. These are enforced by tests, not just documented: the suite fails the build if a socket or a subprocess import ever appears in the package.

For CI

Reports to the terminal, markdown, JSON and SARIF (GitHub code scanning). Exit codes are designed so that a run which could not complete never reads as a clean bill of health: 0/1/2 are verdicts, 3 means the result is unknown, go and look, and 64 is a usage error kept off the verdict codes so a typo can never look like a finding.

Platform support

Tested on Linux and macOS, Python 3.11–3.13, on every commit. Windows is unverified — the paths are implemented, but the tool has never been run there and the suite does not yet pass (#45).