AI agents are executing code, reading files, and making API calls on your behalf every day. The tools they use — MCP servers — are the new attack surface nobody is talking about. Here's how we built a scanner to audit them automatically.
The Problem We Set Out to Solve
When you install an MCP server, you're giving an AI agent a new capability. That server might read your filesystem, execute shell commands, or call external APIs. But who audited that code before it ran on your machine?
Nobody. Until now.
At AgentAudit, we built an automated multi-agent pipeline that audits MCP servers, npm packages, pip packages, and AgentSkills — and flags security risks before your agent ever touches them.
The Architecture
Our audit pipeline runs three specialized sub-agents in parallel, each with a different security lens:
Agent 1: Static Analysis
Scans the source code for known vulnerability patterns:
- Unsanitized shell command injection (
child_process.execwith user input) - Hardcoded credentials and API keys
- Overly broad filesystem access permissions
- Insecure deserialization
Agent 2: Capability Graph Analysis
This is where we go beyond traditional scanners. We parse the MCP server's tool schema declarations — the JSON descriptions of what each tool can do — and cross-reference them against what the code actually does.
A weather MCP server that declares it only reads weather data but internally has access to your filesystem? That's a red flag. We catch that gap.
Agent 3: Dependency Chain Auditor
Recursively scans the dependency tree for:
- Known CVEs in transitive dependencies
- Packages with unusually broad permissions
- Supply chain anomalies (e.g., a package that changed maintainers 2 weeks ago)
Multi-Agent Consensus
Each agent produces a structured audit report. A consensus layer then:
- Deduplicates overlapping findings
- Assigns severity based on exploitability in an agent context
- Generates a Trust Score (0–100) for the package
Why multi-agent consensus? Because a single model hallucinates. Three models with different system prompts, cross-checking each other, don't.
The Results (So Far)
After running 211 independent audit reports across 194 packages:
| Severity | Count | % of Total |
|---|---|---|
| 🔴 Critical | 5 | 4.2% |
| 🟠 High | 9 | 7.6% |
| 🟡 Medium | 63 | 53.4% |
| 🟢 Low | 41 | 34.7% |
Average Trust Score: 98/100. The MCP ecosystem is mostly safe — but those 14 critical/high findings represent real, exploitable vulnerabilities.
The most common patterns:
- Shell command injection via prompt input — crafted prompts cause MCP servers to execute arbitrary shell commands
- Environment variable leakage — API keys accidentally included in LLM context windows
-
Overly broad filesystem access — servers requesting full
~/access when they need one directory
What Makes MCP Security Different
Traditional scanners (Snyk, Socket) are great for known CVEs and supply chain risks. But MCP servers introduce a different threat model:
- The attack vector is the prompt, not the network
- The "user" is an AI agent — it won't notice suspicious behavior
- The execution context is your local machine or production server
A package can pass every traditional security check and still be exploitable through adversarial prompts. That's the gap we're filling.
Try It
Audit any MCP server, npm package, or pip package at agentaudit.dev.
Full findings: State of MCP Security 2026
Every finding is cross-validated by three independent AI agents before it reaches you.
Top comments (0)