MCP-Scan: A security scanner for MCP
MCP-Scan is a security scanning tool that uses Invariant's security stack to ensure that the MCP integrations you use in MCP clients, such as Cursor, Claude, and Windsurf, are safe.
MCP-Scan Features
- Scanning of Claude, Cursor, Windsurf, and other file-based MCP client configurations
- Scanning for prompt injection attacks in tool descriptions and tool poisoning attacks using Guardrails
- Live runtime monitoring of MCP traffic using mcp-scan proxy
- MCP guardrailing of tool calls and responses, including PII detection, secrets detection, tool restrictions, and custom guardrailing policies
- Detection of cross-origin escalation attacks (tool shadowing)
- Tool Pinning to detect and prevent MCP rug pull attacks, i.e., detecting changes to MCP tools via hashing
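The idea behind tool pinning, as an added sketch that is not MCP-Scan's own code: fingerprint each tool the first time it is seen, then report any tool whose hash later differs. The choice of pinned fields, the `server/tool` key format and the sample tools are assumptions made for this illustration.

```python
import hashlib
import json

def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the fields the agent is shown."""
    # Assumption: name, description and inputSchema are the fields worth pinning.
    pinned = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    canonical = json.dumps(pinned, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def pin_tools(server: str, tools: list) -> dict:
    """Map 'server/tool' (hypothetical key format) to the tool's fingerprint."""
    return {f"{server}/{t['name']}": tool_fingerprint(t) for t in tools}

def check_pins(pins: dict, server: str, tools: list) -> dict:
    """Compare a server's current tool listing against previously stored pins."""
    current = pin_tools(server, tools)
    known = {k: v for k, v in pins.items() if k.startswith(server + "/")}
    return {
        "changed": sorted(k for k in current if k in known and current[k] != known[k]),
        "added": sorted(k for k in current if k not in known),
        "removed": sorted(k for k in known if k not in current),
    }

# Constructed sample data: the listing approved on first use ...
SCHEMA = {"type": "object", "properties": {"a": {"type": "number"}, "b": {"type": "number"}}}
TOOLS_V1 = [{"name": "add", "description": "Add two numbers.", "inputSchema": SCHEMA}]
# ... and a later listing where the description was edited and a tool appeared.
TOOLS_V2 = [
    {"description": "Add two numbers. (text edited after approval)", "name": "add", "inputSchema": SCHEMA},
    {"name": "export", "description": "Export results."},
]
PINS = pin_tools("calc", TOOLS_V1)

if __name__ == "__main__":
    print(check_pins(PINS, "calc", TOOLS_V1))  # nothing to report
    print(check_pins(PINS, "calc", TOOLS_V2))  # changed and added tools flagged
```

Canonical encoding (sorted keys, fixed separators) keeps a server that merely reorders JSON fields from triggering a false alarm, while any edit to a pinned field changes the hash.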
Quick Start
To run a simple system-level scan with MCP-Scan, use the following command:
or
To learn more about the scan, see the chapter on scanning.
Why MCP-Scan?
As Invariant's security research on MCP uncovered (Tool Poisoning Attacks, WhatsApp MCP Exploits), MCP implementations across various platforms—such as Cursor, Claude Desktop, Zapier, and others—are susceptible to dangerous attacks. These vulnerabilities include prompt injections, hidden malicious tool instructions (tool poisoning), and cross-origin escalations through tool shadowing.
Recognizing these serious security threats, we developed MCP-Scan to help users quickly identify vulnerabilities within their MCP installations, ensuring safer and more secure agent interactions.
Using MCP-Scan
MCP-Scan offers two primary modes of operation, allowing you to identify security vulnerabilities in your MCP integrations and continuously monitor your MCP traffic.
Passive Scanning with mcp-scan scan
Using mcp-scan scan, you can scan your configured MCP servers for malicious tool descriptions and behavior, in order to prevent attacks from untrusted MCP servers. mcp-scan scan is a static check that only runs when you invoke it, and does not run in the background.
Learn more about the scanning mode in the MCP Server Scanning chapter.
Active Proxying with mcp-scan proxy
Using mcp-scan proxy, you can monitor, log, and safeguard all MCP traffic on your machine. This allows you to inspect the runtime behavior of agents and tools, and to prevent attacks from, for example, untrusted sources (like websites or emails) that may try to exploit your agents. mcp-scan proxy is a dynamic security layer that runs in the background and continuously monitors your MCP traffic.
Learn more about the proxying mode in the MCP Proxying with mcp-scan chapter.
Including MCP-Scan results in your own project / registry
If you want to include MCP-Scan results in your own project or registry, please reach out to the team via mcpscan@invariantlabs.ai, and we can help you with that.
For automated scanning, we recommend using the --json flag and parsing the output.
Further Reading
- Introducing MCP-Scan
- MCP Security Notification Tool Poisoning Attacks
- WhatsApp MCP Exploited
- MCP Prompt Injection
Next Steps
If you are interested in learning more about securing MCP and agents more generally, consider reading one of the following chapters next.