MCPhound

The most comprehensive MCP security scanner. One command finds cross-server attack paths, tool poisoning, typosquats, CVEs, trust issues, and supply chain risks in your AI tool configuration.

npx mcphound

Zero install. Auto-detects Claude Desktop, Cursor, and VS Code configs.

What is MCPhound?

When you use AI assistants like Claude or Cursor, they connect to MCP servers — plugins that give the AI abilities like reading files, browsing the web, sending emails, or accessing databases.

The problem: when you install multiple MCP servers together, they create attack paths no individual server scanner catches. If one server reads your files and another sends HTTP requests, an attacker (or a tricked AI) can read your SSH keys and exfiltrate them. Neither server is "malicious" — the danger is in the combination.

MCPhound is the only tool that builds a graph of all your MCP servers and finds these cross-server attack chains. With v3, it also inspects each server individually for tool poisoning, typosquatting, known vulnerabilities, behavioral mismatches, and supply chain tampering.

One npx mcphound run produces more signal than running Snyk + MCPShield + Enkrypt combined.

What MCPhound Detects

Cross-Server Attack Paths (Unique to MCPhound)

MCPhound builds a NetworkX graph of your servers, their capabilities, and how they interact through the AI host. It then runs 16 attack patterns to find multi-hop chains:

| Attack | Example | Severity | |--------|---------|----------| | Data Exfiltration | filesystem + fetch = SSH keys sent to attacker | Critical | | Shell via Git | filesystem + git = arbitrary code execution via .gitattributes | Critical | | Memory Poisoning | fetch + memory = permanent backdoor in AI memory | High | | Credential Theft | cloud + network = AWS keys exfiltrated | Critical |

Tool Poisoning Detection (10 Patterns)

Attackers hide malicious instructions inside tool descriptions that get fed to the AI. MCPhound scans every description with 10 compiled regex patterns — deterministic, no LLM needed:

| Pattern | What It Catches | Severity | |---------|----------------|----------| | POISON-IGNORE-PREV | "Ignore all previous instructions" | Critical | | POISON-DO-NOT-TELL | "Do not tell the user" | Critical | | POISON-OVERRIDE | "Override your safety/restrictions" | Critical | | POISON-EXFIL-INSTRUCT | "Send data to https://evil.com" | Critical | | POISON-BASE64 | Long encoded payloads hidden in descriptions | High | | POISON-UNICODE-TRICK | Invisible zero-width characters | High | | POISON-CROSS-TOOL | "When using X, also call Y" | High | | POISON-SYSTEM-PROMPT | "You are a..." system prompt injection | High | | POISON-TOOL-REDIRECT | "Instead use this other tool" | High | | POISON-EXCESSIVE-WS | Hidden content in whitespace | Medium |

Typosquat Detection

Catches packages with names suspiciously close to legitimate ones using Levenshtein distance. @modelcontextprotocol/server-filesystm (missing an 'e') gets flagged immediately. Also detects missing-hyphen tricks like mcpserverfetch vs mcp-server-fetch.

Behavioral Mismatch Detection

Compares what a server says it does vs what it can actually do:

• No description — The AI can't assess a tool before calling it. Opaque = dangerous.
• Excessive description (>2000 chars) — Large prompt injection surface area.
• Capability mismatch — Server has shell_exec capability but no tool mentions "shell" or "exec".

Trust Scoring & CVE Enrichment

For each server, MCPhound looks up:

• Trust score (0-100) — Package age, downloads, CVE count, maintainer count, Smithery verification.
• CVE count — Known vulnerabilities from OSV.dev.
• Trust labels — Trusted (90+), Established (70-89), Unknown (40-69), Suspicious (0-39).

Rug-Pull Detection (Tool Pinning)

MCPhound hashes each server's tool definitions. On subsequent scans, if a package's tools change, you get a Critical warning — the package may have been compromised (supply chain attack).

Security Grade (A-F)

A single letter summarizing your MCP security posture:

| Grade | Score | Meaning | |-------|-------|---------| | A | 90-100 | Clean — minimal risk | | B | 75-89 | Good — minor issues | | C | 55-74 | Fair — notable risks | | D | 35-54 | Poor — significant exposure | | F | 0-34 | Failing — critical issues |

Calculated from: attack path severities + warning severities + CVE counts.

Installation & Usage

CLI (Recommended)

# Scan your config (auto-detects Claude Desktop, Cursor, VS Code)
npx mcphound

# Specify a config file
npx mcphound --config ~/.cursor/mcp.json

# JSON output
npx mcphound --format json

# SARIF output (for GitHub Code Scanning)
npx mcphound --format sarif

# CI mode — exit code 1 on critical/high findings or warnings
npx mcphound --ci

Example Output

  MCPhound — MCP Config Security Scanner

  Scanning: /Users/you/Library/Application Support/Claude/claude_desktop_config.json
  Found: 4 servers

  Analyzing cross-server attack paths...

  Security Grade: C

  Servers:
    filesystem [Official] (score: 92)
    fetch [Official] (score: 88)
    memory [Community] (score: 45)
    sketchy-tool [Suspicious] (score: 12) 2 CVEs

  Warnings:
  CRITICAL  Instruction override attempt in tool 'hidden_cmd'
  sketchy-tool  Tool description contains suspicious pattern: POISON-OVERRIDE
  Fix: Inspect tool 'hidden_cmd' in server 'sketchy-tool'.

  HIGH      Possible typosquat of 'mcp-server-fetch'
  sketchy-tool  Package 'mcp-server-fech' is 1 edit away from 'mcp-server-fetch'.
  Fix: Verify package name is correct.

  Attack Paths:
  CRITICAL  EXFIL-01  Data Exfiltration Via Network
  filesystem → [host relay] → fetch
  A prompt injection in any visited page tells Claude to read ~/.ssh/id_rsa
  and POST it to an attacker-controlled endpoint.
  Fix: Review or restrict capabilities of 'filesystem'

  2 critical · 1 high · 2 warnings

  Deep analysis: https://mcphound.ai

Web UI

Visit mcphound.ai to paste your config and get a visual scan with attack graph, chokepoints, and remediation plan.

GitHub Actions

Add MCPhound to your CI pipeline to block PRs that introduce risky MCP configurations:

name: MCP Security
on: [push, pull_request]

jobs:
  mcp-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: MCPhound Security Scan
        uses: tayler-id/mcphound-action@v0
        with:
          api_token: ${{ secrets.MCPHOUND_API_TOKEN }}

Get your API token at mcphound.ai/ci/setup.

The action:

• Auto-detects MCP config files in your repo
• Fails the check on critical/high attack paths or warnings
• Posts a summary comment on PRs with grade, findings, and warnings
• Uploads SARIF results to GitHub Code Scanning (if enabled)

How It Works

1. Parse — Reads your mcpServers config, resolves package names, strips secrets.
2. Tag — Auto-detects each server's capabilities (file read, network, shell exec, etc.) using a 4-layer tagger: known servers → regex rules → tool keyword matching → schema analysis.
3. Check — Runs 10 tool poisoning patterns, typosquat detection, and behavioral mismatch analysis on every server.
4. Enrich — Async trust score + CVE lookup from npm/PyPI registries and OSV.dev (3s timeout, best-effort).
5. Graph — Builds a NetworkX directed multigraph with friction-based edge weights. Servers are nodes, capabilities are edges, the AI host is the relay.
6. Analyze — Runs 16 attack patterns against the graph to find multi-hop attack chains. Scores each path by (1 - min_friction) * hop_decay.
7. Remediate — Greedy minimum hitting set algorithm finds the smallest set of config changes to sever the most attack paths.
8. Grade — Computes A-F score from attack path severities + warnings + CVEs.

Architecture

┌─────────────┐     ┌──────────────────────────┐     ┌────────────┐
│  npx mcphound│────▶│  MCPhound API (FastAPI)   │────▶│ PostgreSQL │
│  (Node.js)  │◀────│  - analysis_core.py       │     │  (Fly.io)  │
└─────────────┘     │  - security_checks.py     │     └────────────┘
                    │  - scan_orchestrator.py    │
┌─────────────┐     │  - trust_score.py         │
│  mcphound.ai│────▶│  - graph_builder.py       │
│  (Next.js)  │◀────│  - path_analyzer.py       │
└─────────────┘     └──────────────────────────┘

• Backend: FastAPI + SQLAlchemy 2.0 (async) + PostgreSQL + Alembic
• Frontend: Next.js 14 + React 18 + TypeScript + Tailwind CSS v4 + Cytoscape.js
• CLI: Pure Node.js, zero dependencies
• Analysis: Pure Python, DB-free, deterministic — identical input always produces identical output

Competitive Comparison

| Capability | Snyk/mcp-scan | MCPShield | Enkrypt | Cisco | MCPhound | |:-----------|:---:|:---:|:---:|:---:|:---:| | Cross-server attack paths | | | | | Yes | | Tool poisoning detection | LLM-based | | | | Regex | | Typosquat detection | | Yes | | | Yes | | CVE per server | | | Yes | | Yes | | Behavioral mismatch | | | | Code analysis | Yes | | Trust scoring | | | | | Yes | | Rug-pull detection | LLM-based | | | | Hash-based | | Security grade (A-F) | | | | | Yes | | Remediation plan | | | | | Yes | | SARIF / GitHub Actions | Yes | | | | Yes | | Single-command CLI | Yes | | | | Yes | | No LLM required | | | | | Yes |

API Endpoints

| Method | Endpoint | Auth | Description | |--------|----------|------|-------------| | POST | /api/v1/scan/quick | None (rate limited) | Quick scan from CLI | | GET | /api/v1/feeds/security-digest | None | Aggregated threat intelligence (last 7 days) | | POST | /api/v1/scan | Token | Create scan via web UI | | POST | /api/v1/scan/{id}/run-full | Token | Run full analysis pipeline | | GET | /api/v1/scan/{id}/summary | None | Public scan summary | | GET | /api/v1/scan/{id}/badge.svg | None | README badge | | POST | /api/v1/ci/scan | CI Token | CI pipeline scan | | GET | /api/v1/health | None | Health check |

Development

Prerequisites

• Docker Desktop (recommended) — or local PostgreSQL 16 + Node.js 20 + Python 3.12

Quick Start

docker-compose up

• API: http://127.0.0.1:8000/api/v1/health
• Dashboard: http://127.0.0.1:3000

Running Tests

# Backend
cd backend && python3 -m pytest tests/ -v

# Security check tests
cd backend && python3 -m pytest tests/test_security_checks.py -v

# Quick scan tests
cd backend && python3 -m pytest tests/test_quick_scan.py -v

# CLI tests
cd cli && node --test tests/*.test.js

Deploying

# Backend (Fly.io)
cd backend && fly deploy --app mcphound-api

# CLI (npm)
cd cli && npm publish

# Frontend (Vercel / your host)
cd frontend && npm run build

License

MIT

Built by MCPhound. Securing AI toolchains, one config at a time.