MCP-Scan is a security scanning tool designed to go over your installed MCP servers and check them for common security vulnerabilities like prompt injections, tool poisoning and cross-origin escalations.
To run MCP-Scan, use the following command:
uvx mcp-scan@latest
- Scanning of Claude, Cursor, Windsurf, and other file-based MCP client configurations
- Scanning for prompt injection attacks in tool descriptions and tool poisoning attacks using Invariant Guardrails
- Detection of cross-origin escalation attacks (tool shadowing)
- Tool Pinning to detect and prevent MCP rug pull attacks, i.e. detects changes to MCP tools via hashing
- Inspecting the tool descriptions of installed tools via
uvx mcp-scan@latest inspect
MCP-Scan searches through your configuration files to find MCP server configurations. It connects to these servers and retrieves tool descriptions.
It then scans tool descriptions, both with local checks and by invoking Invariant Guardrailing via an API. For this, tool names and descriptions are shared with invariantlabs.ai. By using MCP-Scan, you agree to the invariantlabs.ai terms of use and privacy policy.
Invariant Labs is collecting data for security research purposes (only about tool descriptions and how they change over time, not your user data). Don't use MCP-scan if you don't want to share your tools.
MCP-scan does not store or log any usage data, i.e. the contents and results of your MCP tool calls.
usage: uvx mcp-scan@latest [--storage-file STORAGE_FILE] [--base-url BASE_URL]
help
Prints this help message
whitelist
Whitelists a tool
Prints the current whitelist when no arguments are provided
[--file FILE]
MCP config file location.
[--server SERVER]
Server name.
[--tool TOOL]
Tool name.
[--local-only]
Do not contribute to the global whitelist.
Defaults to False
scan
Scan MCP servers
Default command, when no arguments are provided
[FILE1] [FILE2] [FILE3] ...
Different file locations to scan. This can include custom file locations as long as they are in an expected format, including Claude, Cursor or VSCode format.
Defaults to well known locations, depending on your OS
[--checks-per-server CHECKS_PER_SERVER]
Number of checks to perform on each server, values greater than 1 help catch non-deterministic behavior
Defaults to 1
[--server-timeout SERVER_TIMEOUT]
Number of seconds to wait while trying a mcp server
Defaults to 10
[--suppress-mcpserver-io]
Suppress the output of the mcp server
Defaults to True
inspect
Prints the tool descriptions of the installed tools
[FILE1] [FILE2] [FILE3] ...
Different file locations to scan. This can include custom file locations as long as they are in an expected format, including Claude, Cursor or VSCode format.
Defaults to well known locations, depending on your OS
[--server-timeout SERVER_TIMEOUT]
Number of seconds to wait while trying a mcp server
Defaults to 10
[--suppress-mcpserver-io]
Suppress the output of the mcp server
Defaults to True
We welcome contributions to MCP-Scan. If you have suggestions, bug reports, or feature requests, please open an issue on our GitHub repository.
To run this package from source, follow these steps:
uv run pip install -e .
uv run -m src.mcp_scan.cli
If you want to include MCP-scan results in your own project or registry, please reach out to the team via mcpscan@invariantlabs.ai, and we can help you with that.
- Introducing MCP-Scan
- MCP Security Notification Tool Poisoning Attacks
- WhatsApp MCP Exploited
- MCP Prompt Injection
0.1.4.0initial public release0.1.4.1inspectcommand, reworked output0.1.4.2added SSE support0.1.4.3added VSCode MCP support, better support for non-MacOS, improved error handling, better output formatting0.1.4.4-5fixes*whitelisting of files