mcp-scan: Security scanner for MCP server configurations
mcp-scan is a security scanner for MCP (Model Context Protocol) server configurations. MCP servers used with Claude Desktop run with full access to your filesystem and network, making security configuration important.
What mcp-scan checks
The tool scans your MCP configurations for several security issues:
- Secrets and API keys accidentally left in config files
- Known vulnerabilities in MCP packages
- Suspicious permission patterns
- Exfiltration vectors
- Tool poisoning attacks
Supported clients and usage
mcp-scan auto-detects configurations for multiple AI clients including:
- Claude Desktop
- Cursor
- VS Code
- Windsurf
- 6 other AI clients (specific names not provided in source)
The tool is run with a single command:
npx mcp-scanThis type of security scanning is particularly relevant for MCP servers since they often have broad system access when integrated with AI coding assistants. The tool appears to focus on configuration-level security issues rather than runtime vulnerabilities.
📖 Read the full source: r/ClaudeAI
👀 See Also
AI Agents Enable Solo Hackers to Breach Governments and Ransomware Campaigns
A solo operator using Claude Code and ChatGPT exfiltrated 150 GB from Mexican government agencies, including 195 million taxpayer records. Another attacker used Claude Code to run an end-to-end extortion campaign against 17 healthcare and emergency services organizations.
Secure Administrator Approval Flow for Group-Chat Assistants Against Prompt Injection
A practical approach to secure LLM assistants in shared group chats: pausing VM, OAuth, and code execution tools until admin approves via a timed link.
Claude Code Continues Logging Sessions After Revoke, User Reports 2-Week Support Silence
A Claude Code user reports that session logs continued appearing after revoking access, with Anthropic support unresponsive for two weeks. Logs included scopes like user:file_upload, user:ccr_inference, and user:sessions:claude_code.
Claude's Security Review Command Has Limitations for Production Systems
A developer found Claude's security review command helpful for basic validation like MIME types and file size limits, but insufficient for production hardening against sophisticated threats. The solution required a two-week architectural overhaul separating file processing into a restricted worker with limited permissions.