Find the security holes in your MCP and local-agent setup — before someone else does. Local-first, offline by default, one command.
Four dimensions, graded A–F per server and overall.
Flags MCP servers bound to 0.0.0.0 or a routable address instead of 127.0.0.1.
Detects API keys and high-entropy secrets in configs and .env files, plus world-readable or git-tracked secret files.
Catches auto-approved shell/exec tools and wildcard allow-lists that hand agents an RCE primitive.
Surfaces floating npx/uvx packages that fetch new, unreviewed code on every run.
A real scan of a misconfigured project — secrets, an exposed socket, an unpinned package, a blanket Bash(*) grant.
$ mcpscan scan AI Agentic MCPscan — overall posture: F dimensions: credential=F, exposure=F, pinning=B, tool_scope=B findings: 3 critical, 2 high, 1 medium ▶ ~/project/.mcp.json#leaky-db [grade F] [CRITICAL] Plaintext high-entropy secret in config secret: [redacted len=28 sha256:961290af] fix: Move it to a secret manager or runtime env var, and rotate it. [MEDIUM ] Server 'leaky-db' runs an unpinned package via npx fix: Pin to an exact version, e.g. npx some-pkg@1.2.3. ▶ ~/project/.env [grade F] [CRITICAL] Plaintext OpenAI API key in config (.env:1) fix: Remove the literal value; rotate the exposed key. [HIGH ] Secret file is group/world-readable fix: chmod 600 the file. ▶ socket://0.0.0.0:8000 [grade D] [CRITICAL] MCP server reachable beyond loopback (0.0.0.0:8000) fix: Bind to 127.0.0.1 instead of 0.0.0.0.
A security tool shouldn't widen your attack surface. This one is built not to.
--online.127.0.0.1; refuses non-loopback targets.chmod 600).Install once, then scan. Grades and exit codes drop straight into CI.
# install pipx install ai-agentic-mcpscan # scan the current project + any running MCP servers mcpscan scan # machine-readable and shareable reports mcpscan scan --json report.json mcpscan scan --html report.html # fail CI on High-or-worse findings mcpscan scan --fail-on high