Recently I scanned my own MCP config and it scored 0 out of 100. I wrote a small CLI for that. The problem with a CLI is friction: most people will not install something just to check.
So I rebuilt the same checks to run entirely in the browser. Paste your config, get a score and a list of fixes, and nothing leaves your machine.
Try it (no install, no signup): https://alih552.github.io/mcp-forge/scan.html
What it flags
The scanner reads a Claude Desktop, Cursor, or plain .mcp.json config and checks for:
- remote servers with no authentication
- cleartext http endpoints
- secrets pasted in plaintext (it knows the common token shapes)
- unpinned npx and uvx runners that fetch the newest package every launch
- over-broad filesystem roots like / or your home folder
- TLS verification turned off (NODE_TLS_REJECT_UNAUTHORIZED=0 and friends)
- servers bound to 0.0.0.0
- and it estimates how many context tokens your servers cost on every request
Each finding comes with the exact fix, and you get a score out of 100 grouped by risk class.
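To make the checks concrete, here is a small JavaScript version of them as an added example (not the mcp-forge or mcp-audit code). It assumes the usual {"mcpServers": {...}} layout with command/args/env for local servers and url/headers for remote ones, uses its own severity weights for the score, and leaves out the token estimate.

```javascript
// Token shapes the secret check looks for (a few well-known prefixes; extend as needed).
const SECRET_SHAPES = [/\bghp_[A-Za-z0-9]{36}\b/, /\bAKIA[0-9A-Z]{16}\b/, /\bsk-[A-Za-z0-9_-]{20,}\b/];
// Deduction per finding; these weights are this example's own choice.
const WEIGHT = { high: 30, medium: 15, low: 5 };

function scanMcpConfig(config) {
  const findings = [];
  const add = (server, severity, check, fix) => findings.push({ server, severity, check, fix });
  for (const [name, s] of Object.entries(config.mcpServers || {})) {
    const args = s.args || [], env = s.env || {}, headers = s.headers || {};
    if (s.url) {
      let u; try { u = new URL(s.url); } catch { add(name, "low", "bad-url", "fix the url"); continue; }
      if (u.protocol === "http:") add(name, "high", "cleartext-http", "use https://");
      if (!Object.keys(headers).some(h => h.toLowerCase() === "authorization"))
        add(name, "high", "remote-no-auth", "send an Authorization header or use OAuth");
      if (u.hostname === "0.0.0.0") add(name, "medium", "bind-all-interfaces", "bind to 127.0.0.1");
    }
    if (s.command === "npx" || s.command === "uvx") {
      const pkg = args.find(a => !a.startsWith("-")) || "";
      // "@scope/pkg" is unpinned; "@scope/pkg@1.2.3", "pkg@1.2.3" and "pkg==1.2.3" are pinned.
      if (!(pkg.indexOf("@", 1) > 0 || pkg.includes("==")))
        add(name, "medium", "unpinned-runner", `pin the package: ${pkg}@<version>`);
    }
    for (const a of args) {
      if (a === "/" || a === "~" || /^\/(home|Users)\/[^/]+\/?$/.test(a))
        add(name, "high", "broad-fs-root", "scope the server to a project directory");
      if (a === "0.0.0.0") add(name, "medium", "bind-all-interfaces", "bind to 127.0.0.1");
    }
    if (env.NODE_TLS_REJECT_UNAUTHORIZED === "0" || env.GIT_SSL_NO_VERIFY === "true")
      add(name, "high", "tls-verify-off", "remove the override and fix the certificate instead");
    for (const v of [...Object.values(env), ...Object.values(headers)])
      if (SECRET_SHAPES.some(re => re.test(String(v))))
        add(name, "high", "plaintext-secret", "reference the secret from the environment or a secret store");
  }
  const score = Math.max(0, 100 - findings.reduce((t, f) => t + WEIGHT[f.severity], 0));
  return { score, findings };
}

// Constructed sample config: fake token, "example-mcp-server" is a hypothetical package.
const SAMPLE = {
  mcpServers: {
    files: { command: "npx", args: ["-y", "@modelcontextprotocol/server-filesystem", "/Users/alice"] },
    api: { url: "http://0.0.0.0:8000/mcp" },
    gh: { command: "npx", args: ["-y", "example-mcp-server@1.2.3"],
          env: { GITHUB_TOKEN: "ghp_" + "A".repeat(36), NODE_TLS_REJECT_UNAUTHORIZED: "0" } },
  },
};
console.log(JSON.stringify(scanMcpConfig(SAMPLE), null, 2));
```

The sample above collects seven findings and scores 0, the same outcome the post describes for a typical unreviewed config.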
Why it runs client-side
A config can contain real secrets, so uploading it to a scanner would be its own security problem. The whole thing runs in JavaScript in your tab. The same checks are in the open source CLI (pipx install git+https://github.com/alih552/mcp-audit) if you prefer to run it locally or in CI.
I would love to hear what score people get, and which checks you would add. What does your config say?
Top comments (1)
Your experience looks great. If you're a South African developer and open to remote international projects, I have an opportunity that might interest you. Feel free to message me if you'd like more details.
Thanks.