An open-source security tool for discovering and auditing Model Context Protocol (MCP) servers in AI workflows

Created 3/10/2026

vs-mcpaudit


vs-mcpaudit is a specialized security scanner for Model Context Protocol (MCP) servers. It helps developers and security teams identify vulnerabilities, schema weaknesses, and data exfiltration paths in MCP servers before they are exposed to AI agents.

Learn more in the official documentation.

Get started

vs-mcpaudit is distributed as a standalone CLI tool. You can run it directly via npx or install it globally.

  1. Run with npx (Recommended):

    npx vs-mcpaudit scan -s "npx -y @modelcontextprotocol/server-filesystem /tmp"
    
  2. Install globally:

    # Via NPM
    npm install -g vs-mcpaudit
    
    # Via Bun
    bun install -g vs-mcpaudit
    
  3. From source:

    git clone https://github.com/volodymyrshk/mcpaudit.git
    cd mcpaudit
    bun install
    bun run build
    ./packages/cli/dist/index.js --help
    

Core Modules

vs-mcpaudit features five specialized audit modules designed to uncover common MCP security pitfalls:

Tool Permissions (tool-permissions)

Analyzes tool schemas for over-permissioning, dangerous naming patterns, and annotation trust issues.

  • Detections: Missing descriptions, unconstrained parameters, contradictory annotations, and risky tool names (command exec, destructive ops).
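
The detections listed above can be sketched as a small static check over tool definitions. This is an added illustration, not vs-mcpaudit's own code: the rule names, word lists and sample tools are assumptions constructed for the example, while `readOnlyHint`, `destructiveHint` and `inputSchema` are fields of MCP tool definitions.

```javascript
// Added illustration, not vs-mcpaudit source. Word lists and rule names are assumptions.
const EXEC_WORDS = new Set(["exec", "execute", "shell", "eval", "command", "spawn"]);
const DESTRUCTIVE_WORDS = new Set(["delete", "remove", "drop", "wipe", "destroy", "truncate"]);
const STRING_LIMITS = ["enum", "const", "pattern", "format", "maxLength"];

// Split snake_case, kebab-case and camelCase names into lowercase tokens.
function nameTokens(name) {
  return name.replace(/([a-z0-9])([A-Z])/g, "$1_$2").toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
}

function auditTool(tool) {
  const findings = [];
  const add = (rule, detail) => findings.push({ tool: tool.name, rule, detail });
  const ann = tool.annotations || {};
  const props = (tool.inputSchema && tool.inputSchema.properties) || {};
  const risky = nameTokens(tool.name).filter((t) => EXEC_WORDS.has(t) || DESTRUCTIVE_WORDS.has(t));

  if (!tool.description || !tool.description.trim()) add("missing-description", "no description to review");
  if (risky.length) add("risky-name", `name contains: ${risky.join(", ")}`);
  // Annotations are supplied by the server itself, so a read-only claim on a
  // destructive or exec-style tool is a claim that should not be trusted.
  if (ann.readOnlyHint === true && (ann.destructiveHint === true || risky.length)) {
    add("contradictory-annotations", "readOnlyHint conflicts with destructiveHint or tool name");
  }
  for (const [param, schema] of Object.entries(props)) {
    const untyped = !schema.type && !("enum" in schema) && !("const" in schema);
    const freeString = schema.type === "string" && !STRING_LIMITS.some((k) => k in schema);
    if (untyped || freeString) add("unconstrained-parameter", param);
  }
  return findings;
}

// Constructed sample tool definitions, shaped like entries in a tools/list response.
const SAMPLE_TOOLS = [
  { name: "read_file", description: "Read a file under the allowed root.", annotations: { readOnlyHint: true },
    inputSchema: { type: "object", properties: { path: { type: "string", pattern: "^[\\w./-]+$", maxLength: 256 } } } },
  { name: "run_command", description: "", annotations: { readOnlyHint: true, destructiveHint: true },
    inputSchema: { type: "object", properties: { cmd: { type: "string" }, timeout: { type: "integer" } } } },
  { name: "deleteRecords", description: "Delete rows.", annotations: { readOnlyHint: true },
    inputSchema: { type: "object", properties: { table: { type: "string", enum: ["logs"] } } } },
];

function auditAll(tools) {
  return tools.flatMap(auditTool);
}

for (const f of auditAll(SAMPLE_TOOLS)) console.log(`${f.tool}: ${f.rule} (${f.detail})`);
```
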

SSRF Detection (ssrf-detection)

This is an active scanning module: it probes tools that accept URL parameters, using controlled SSRF payloads.

  • Detections: Successful loopback access, cloud metadata endpoint exposure (AWS/GCP/Azure), and protocol smuggling.

Transport Security (transport-security)

Evaluates server capability declarations and transport-layer configurations.

  • Detections: Sampling/Roots capability abuse, dynamic tool registration poisoning, and sensitive resource exposure.

Schema Manipulation (schema-manipulation)

Detects structural weaknesses in tool schemas that could enable injection or validation bypass.

Context Extraction (context-extraction)

Identifies tools and resources that could leak sensitive environment context or be used for stealthy data exfiltration.

CI/CD Integration

vs-mcpaudit is designed to run in automated pipelines. Use the --ci flag for non-interactive output and machine-readable results.

GitHub Actions Example

    - name: MCP Security Scan
      run: npx vs-mcpaudit scan -s "your-mcp-server" --ci -o results.sarif

    - name: Upload Results
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: results.sarif

Output Formats

| Format | Description | Use Case |
|---|---|---|
| terminal | Rich, color-coded interactive report | Local development and manual auditing |
| json | Structured machine-readable data | Scripting and custom integrations |
| sarif | Static Analysis Results Interchange Format | GitHub Code Scanning & IDE integrations |

Reporting Issues

We welcome feedback and bug reports. Please file an issue on the GitHub repository.

License

Apache-2.0

Quick Setup
Installation guide for this server

Install Package (if required)

    npx @modelcontextprotocol/server-mcpaudit

Cursor configuration (mcp.json)

    {
      "mcpServers": {
        "volodymyrshk-mcpaudit": {
          "command": "npx",
          "args": [
            "volodymyrshk-mcpaudit"
          ]
        }
      }
    }