DEV Community

2x lazymac

Posted on • Originally published at github.com

I scanned every public MCP server for security bugs. Here's what I found.

TL;DR — I built MCPWatch, an open-source scanner that runs 10 OWASP-aligned security checks on every MCP server on GitHub and publishes a daily A–F letter-grade leaderboard. Early results: critical vulnerabilities in a large fraction of popular servers. github.com/lazymac2x/mcpwatch

The problem

In the last 60 days the MCP ecosystem has seen:

  • 30 CVEs across MCP implementations, 4 critical (CVSS 7.3–9.6)
  • A GitHub MCP (14k★) that leaked private repository data whenever an agent processed an issue containing a hidden prompt injection
  • Published research showing 43% of scanned MCP servers have command-injection risk and 82% have path-traversal risk
  • An OWASP MCP Top 10 project in draft

Despite all that, there is no continuously-updated public registry telling developers "this MCP is safe to install".

What I built

MCPWatch has four parts:

  1. mcpwatch-scanner — a standalone TypeScript package with 10 pattern-based checks derived from the OWASP MCP Top 10 draft. Runs in Node, in a Worker, or as an npx one-shot. Produces findings + a 0–100 score + an A–F letter grade.
  2. mcpwatch-crawler — a scheduled Cloudflare Worker that queries GitHub once a day for repositories tagged topic:mcp-server, downloads each repo, runs the scanner, and writes the results to KV.
  3. mcpwatch.dev — a static dashboard that reads the KV leaderboard. No login, no paywall, no tracking.
  4. Enterprise API (coming) — bulk audit, private MCP scanning, webhook alerts. That's how the project stays sustainable.

The 10 checks

| ID | Check | Severity | Detects |
|---|---|---|---|
| MCP-01 | Command Injection | Critical | Template-literal / string-concat into exec/execSync/spawn, shell:true, Python os.system |
| MCP-02 | Path Traversal | Critical | Request input flowing into fs.readFile/writeFile without path.resolve + startsWith(BASE) |
| MCP-03 | Unauth Mutation | Critical | server.tool("write_…") with no auth/token/bearer/api_key anywhere in the file |
| MCP-04 | Prompt Injection in Tool Desc | High | Tool descriptions containing override phrases, system markers, exfil instructions |
| MCP-05 | SSRF | High | User-input URL passed to fetch/axios/requests.get with no private-IP / metadata-endpoint guard |
| MCP-06 | Secret Leakage | High | Hardcoded sk-…, sk-ant-…, AKIA…, ghp_…, xox[bapr]-… |
| MCP-07 | Over-Permissive FS | Medium | rootDir: "/" or rootDir: os.homedir() |
| MCP-08 | Missing Rate Limits | Medium | Express/Fastify/Hono/FastAPI server with no visible rate limiter |
| MCP-09 | Outdated Deps | Medium | Known-vulnerable version ranges of lodash, axios, minimist, node-fetch, ws |
| MCP-10 | Missing Input Validation | Low | server.tool defined with no zod / JSONSchema |

These are all pattern-based: regexes over the raw source text, with no parsing and no data-flow tracking. I'm intentionally not using an AST yet because I wanted the scanner to run inside a CF Worker and finish an entire 100-repo crawl in under 30 seconds. AST-level taint analysis is on the roadmap (v0.3).
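To make "pattern-based" concrete, here is an added example of the approach, my own illustration rather than code from the MCPWatch repository: three of the checks (MCP-01, MCP-02, MCP-06) as per-line regexes, a file-level suppression in the spirit of the MCP-02 "path.resolve + startsWith(BASE)" rule, and a score-to-grade mapping. The exact regexes, the severity weights, the grade thresholds and the three fixture files are all assumptions; the project's real rules may differ.

```typescript
// Added example, not code from the MCPWatch repository: three of the checks
// (MCP-01, MCP-02, MCP-06) as line regexes, a file-level suppression in the
// spirit of the MCP-02 "resolve + startsWith(BASE)" rule, and an assumed
// score-to-grade mapping. Regexes, weights, thresholds and fixtures are all
// illustrative assumptions; nothing in the fixture strings is executed.

type Severity = "CRIT" | "HIGH" | "MED" | "LOW";

interface Check {
  id: string;
  severity: Severity;
  message: string;
  pattern: RegExp;       // run against every source line
  suppressIf?: RegExp[]; // file-level: skip the rule if ALL of these match somewhere in the file
}

interface Finding extends Omit<Check, "pattern" | "suppressIf"> {
  line: number; // 1-based
  snippet: string;
}

const CHECKS: Check[] = [
  { id: "MCP-01", severity: "CRIT", message: "Template literal or string concat passed into exec/execSync/spawn",
    pattern: /\b(?:exec|execSync|spawn)\s*\(\s*(?:`[^`]*\$\{|[^)]*\+)/ },
  { id: "MCP-01", severity: "CRIT", message: "shell: true hands the argument list to a shell for re-parsing",
    pattern: /\bshell\s*:\s*true\b/ },
  // Any path.resolve( plus any .startsWith( anywhere in the file counts as the
  // guard: coarse by design, and easy to satisfy by accident.
  { id: "MCP-02", severity: "CRIT", message: "Interpolated path passed to fs.readFile/writeFile",
    pattern: /\bfs\.(?:readFile|writeFile)(?:Sync)?\s*\(\s*(?:`[^`]*\$\{|[^,)]*\+)/,
    suppressIf: [/\bpath\.resolve\s*\(/, /\.startsWith\s*\(/] },
  // sk-ant- is listed before sk- so the longer prefix is tried first.
  { id: "MCP-06", severity: "HIGH", message: "Hardcoded credential-looking string",
    pattern: /\b(?:sk-ant-[A-Za-z0-9_-]{20,}|sk-[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|xox[bapr]-[A-Za-z0-9-]{10,})\b/ },
];

function scan(source: string): Finding[] {
  const lines = source.split(/\r?\n/);
  const findings: Finding[] = [];
  for (const check of CHECKS) {
    if (check.suppressIf?.every((re) => re.test(source))) continue;
    lines.forEach((text, i) => {
      if (!check.pattern.test(text)) return;
      findings.push({ id: check.id, severity: check.severity, message: check.message, line: i + 1, snippet: text.trim() });
    });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Assumed scoring: start at 100, subtract a weight per finding, floor at 0.
const WEIGHT: Record<Severity, number> = { CRIT: 30, HIGH: 15, MED: 8, LOW: 3 };

function grade(findings: Finding[]): { score: number; letter: string } {
  const score = Math.max(0, 100 - findings.reduce((sum, f) => sum + WEIGHT[f.severity], 0));
  const letter = score >= 90 ? "A" : score >= 80 ? "B" : score >= 70 ? "C" : score >= 60 ? "D" : "F";
  return { score, letter };
}

function report(name: string, source: string): string {
  const findings = scan(source);
  const { score, letter } = grade(findings);
  const rows = findings.map((f) => ` ${f.severity.padEnd(4)} [${f.id}] ${f.message}\n        line ${f.line}: ${f.snippet}`);
  return [`MCPWatch-style audit - ${name}`, ...rows, `Score: ${score}/100  Grade: ${letter}`].join("\n");
}

// Constructed fixtures. The AKIA value is the placeholder from the AWS docs, not a live key.
const VULNERABLE_FIXTURE = [
  'import { execSync } from "node:child_process";',
  'import fs from "node:fs";',
  'const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
  'server.tool("run", async ({ cmd }) => execSync(`bash -lc ${cmd}`).toString());',
  'server.tool("save", async ({ name, body }) => fs.writeFile(`/tmp/${name}`, body, () => {}));',
].join("\n");

const HARDENED_FIXTURE = [
  'import path from "node:path";',
  'const BASE = path.resolve("/srv/mcp-data");',
  'const AWS_KEY = process.env.AWS_ACCESS_KEY_ID;',
  'server.tool("run", async ({ args }) => execFileSync("ls", args).toString());',
  'server.tool("save", async ({ name, body }) => {',
  '  const target = path.resolve(BASE, name);',
  '  if (!target.startsWith(BASE + path.sep)) throw new Error("path escapes BASE");',
  '  fs.writeFile(target, body, () => {});',
  '});',
].join("\n");

// Interpolating a constant is harmless, but a line regex cannot tell.
const FALSE_POSITIVE_FIXTURE = ['const VERSION = "1.0";', 'execSync(`echo build-${VERSION}`);'].join("\n");

console.log(report("vulnerable-fixture", VULNERABLE_FIXTURE));
```

Two things worth noticing. The hardened fixture clears MCP-02 only because a path.resolve( and a .startsWith( appear somewhere in the same file; nothing checks that they guard the fs call, so one correct tool in a file silences the rule for every other tool in it. And the false-positive fixture fires MCP-01 on an interpolated constant, which is exactly the class of over-firing a line regex cannot avoid without taint tracking. Both are the trade-off the paragraph above describes.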

Try it

```
npx mcpwatch-scanner /path/to/your/mcp
```

Example output on a deliberately-vulnerable fixture:

```
MCPWatch audit — vulnerable-mcp-fixture
Scanned 1 files · 10 checks · 4 passed

 CRIT  [MCP-01] Template literal passed directly into execSync()
        server.ts: execSync(`bash -lc ${
 CRIT  [MCP-02] Raw template path in fs call
        server.ts: fs.writeFile(`/tmp/${
 CRIT  [MCP-03] 3 mutating tool(s) defined with no auth check in file
 HIGH  [MCP-05] URL fetched from user input with no SSRF guard
 MED   [MCP-09] lodash@^4.17.20 — known vulnerable range
 MED   [MCP-09] axios@^1.5.0 — known vulnerable range
 MED   [MCP-09] node-fetch@^2.6.1 — known vulnerable range
 LOW   [MCP-10] Tools registered without input schema validation

Score: 0/100  Grade: F
```
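The MCP-05 line in that output is the one a scanner can only detect by absence: it looks for a guard in front of the fetch and finds none. For reference, this is the kind of guard the check is looking for, written here as an added example (not code from MCPWatch or from any fixture it ships). It vets the scheme, any credentials in the URL, IP literals in every form the WHATWG URL parser normalises (decimal, hex, IPv4-mapped IPv6), a short list of metadata hostnames, and every address the name resolves to. The blocked ranges, the metadata hostname list, the `.internal` suffix rule, the `Resolver` type and the `checkUrl`/`vetUrl` names are my assumptions; the DNS resolver is injectable so the logic runs offline.

```typescript
// Added example, not MCPWatch's own code: an outbound-URL guard of the kind the
// MCP-05 check expects in front of fetch/axios. It vets the scheme, the literal
// host, known metadata hostnames and every resolved address. What it does NOT
// cover: redirect targets (re-run checkUrl on each Location header) and the
// socket itself, which should be opened to the vetted address, not the name,
// so DNS cannot change its answer between check and connect.
import { isIPv4, isIPv6 } from "node:net";
import { lookup } from "node:dns/promises";

type Resolver = (host: string) => Promise<string[]>;
type Verdict = { ok: true; url: string; address: string } | { ok: false; reason: string };

const defaultResolver: Resolver = async (host) =>
  (await lookup(host, { all: true })).map((r) => r.address);

// Assumed list of non-IP names that cloud metadata services answer on.
const METADATA_HOSTS = new Set(["metadata.google.internal", "metadata"]);

// Assumed block list: RFC 1918, loopback, link-local (which contains the
// 169.254.169.254 metadata endpoint), CGNAT, multicast and reserved space.
const BLOCKED_V4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
];

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((n, octet) => (n << 8) + Number(octet), 0) >>> 0;
}

function inCidr(ip: string, cidr: string): boolean {
  const [base, bits] = cidr.split("/");
  const mask = (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isPublicIPv4(ip: string): boolean {
  return !BLOCKED_V4.some((cidr) => inCidr(ip, cidr));
}

// The URL parser serialises IPv4-mapped addresses as hex groups (::ffff:7f00:1),
// so the embedded IPv4 has to be rebuilt before it can be judged.
function isPublicIPv6(ip: string): boolean {
  const h = ip.toLowerCase();
  if (h === "::" || h === "::1") return false;
  if (h.startsWith("::ffff:")) {
    const rest = h.slice(7);
    if (isIPv4(rest)) return isPublicIPv4(rest);
    const groups = rest.split(":").map((g) => parseInt(g, 16));
    if (groups.length !== 2 || groups.some(Number.isNaN)) return false;
    const [a, b] = groups;
    return isPublicIPv4(`${a >> 8}.${a & 255}.${b >> 8}.${b & 255}`);
  }
  if (/^f[cd]/.test(h)) return false;    // fc00::/7 unique-local
  if (/^fe[89ab]/.test(h)) return false; // fe80::/10 link-local
  return true;
}

// Synchronous part: scheme, embedded credentials, metadata names, IP literals.
// new URL() already normalises 2130706433 and 0x7f.1 to 127.0.0.1 for us.
function vetUrl(raw: string): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL not allowed" };
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (METADATA_HOSTS.has(host) || host.endsWith(".internal")) return { ok: false, reason: `metadata hostname ${host} blocked` };
  const literalPrivate = (isIPv4(host) && !isPublicIPv4(host)) || (isIPv6(host) && !isPublicIPv6(host));
  if (literalPrivate) return { ok: false, reason: `${host} is not a public address` };
  return { ok: true, url: url.href, address: host };
}

async function checkUrl(raw: string, resolve: Resolver = defaultResolver): Promise<Verdict> {
  const v = vetUrl(raw);
  if (!v.ok || isIPv4(v.address) || isIPv6(v.address)) return v; // rejected, or a literal already vetted
  let addrs: string[];
  try { addrs = await resolve(v.address); } catch { return { ok: false, reason: `DNS lookup failed for ${v.address}` }; }
  // Every answer must be public: a mixed public/private answer set is the
  // classic DNS-rebinding / split-horizon shape, so the whole name is rejected.
  const bad = addrs.find((a) => !(isIPv4(a) ? isPublicIPv4(a) : isIPv6(a) && isPublicIPv6(a)));
  if (addrs.length === 0 || bad !== undefined) return { ok: false, reason: `${v.address} resolves to ${bad ?? "nothing"}` };
  return { ok: true, url: v.url, address: addrs[0] }; // connect to this address, not the name
}
```

A pattern-based check like MCP-05 would still flag this file if it scanned for the guard under a different name, which is why the author asks for false-positive reports rather than silently widening the regex.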

What I need from you

  • PRs for new checks. Especially Python-specific rules and AST-level taint analysis.
  • False-positive reports. The heuristics will over-fire. Please open an issue with a link to the file and I'll tune the pattern.
  • Anthropic / LangChain / Smithery folks — if you'd like to surface MCPWatch grades as a native safety badge inside your registry, let's talk.

Roadmap

  • v0.1 (shipped): scanner, 10 checks, CLI, GitHub
  • v0.2 (next week): crawler deployed, leaderboard live at mcpwatch.dev
  • v0.3: AST-based taint analysis, SARIF output, GitHub Action
  • v0.4: MCPBench integration — does installing this MCP actually make your agent better?
  • v1.0: enterprise API + private scanning

MIT licensed. Fork it, extend it, break it.

github.com/lazymac2x/mcpwatch
