Show HN: Mcpaudit – static security scanner for MCP servers
Mcpaudit is a static security scanner designed for MCP servers, which allows users to check AI agent plugins for potential security risks. It analyzes the source code and settings of plugins without executing them, identifying dangerous patterns and providing concrete fixes. This tool aims to enhance security by enabling users to perform quick, offline checks before integrating third-party plugins into their AI systems.
- ▪Mcpaudit scans MCP server code for security vulnerabilities before they are used by AI agents.
- ▪The tool operates offline and requires no installation, setup, or internet connection.
- ▪It flags risky patterns in the code and provides recommendations for remediation.
Opening excerpt (first ~120 words) tap to expand
mcpaudit A quick security X-ray for AI agent plugins, to run before you plug one in. An MCP server (MCP = Model Context Protocol, the standard way to give an AI assistant new tools) is code you download and let an AI agent run. mcpaudit reads that code before you trust it and points out the dangerous bits — the quick safety check that doesn't really exist for these plugins yet. npx allenwu-blip/mcpaudit ./path-to-an-mcp-server No install, no setup, no API key, no internet needed. It reads the plugin's source code and its settings file and flags risky patterns, ranked by how bad they are, each with a concrete fix. It never runs the code it is checking — it only reads it.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.