DEV Community

razashariff

Posted on

We Built the First OWASP Security Scanner for MCP Servers and AI Agents

TL;DR

npx mcps-audit ./your-mcp-server

One command. Zero dependencies to install. Scans your MCP server or AI agent code against OWASP MCP Top 10 + OWASP Agentic AI Top 10. Generates a professional PDF report with findings, risk scores, and remediation steps.

npm: mcps-audit | GitHub: razashariff/mcps-audit | Web: agentsign.dev/scan


The Problem

MCP (Model Context Protocol) is becoming the standard for connecting AI agents to tools and data sources. Anthropic, OpenAI, Google, Microsoft, and dozens of frameworks now support it.

But here's the thing: nobody is scanning MCP servers for security vulnerabilities.

Traditional security scanners don't understand MCP-specific risks:

  • Tool poisoning (MCP-03)
  • Rug pulls via tool redefinition (MCP-04)
  • Unsigned JSON-RPC messages (MCP-06)
  • Missing server authentication (MCP-07)
  • No audit logging (MCP-08)

These are real attack vectors. The OWASP MCP Top 10 was published specifically because the ecosystem needed a threat model.

What mcps-audit Does

OWASP MCP Top 10 Compliance Matrix

For each of the 10 MCP-specific risks, the scanner checks your code for vulnerable patterns AND whether mitigations are present:

| Risk | Description | What We Check |
|---|---|---|
| MCP-01 | Excessive Agency | Bearer tokens, API key headers without passport identity |
| MCP-03 | Tool Poisoning | Tool definitions without integrity signing |
| MCP-04 | Rug Pull | Dynamic imports without signed tool verification |
| MCP-06 | Indirect Prompt Injection | JSON-RPC calls without message signing |
| MCP-07 | Authentication Bypass | Server endpoints without passport verification |
| MCP-08 | Logging Failures | Request handling without audit trail |
| MCP-09 | MitM / Spoofing | Remote connections without origin validation |
| MCP-10 | Context Poisoning | Prompt concatenation without envelope isolation |

Each risk gets a PASS, FAIL, or WARN status.

OWASP Agentic AI Top 10 Rules

12 code-level security rules covering the broader agentic AI attack surface:

| Rule | OWASP | Severity | What It Catches |
|---|---|---|---|
| AS-001 | AA-03 | CRITICAL | exec(), eval(), subprocess -- command injection |
| AS-002 | AA-05 | HIGH | Hardcoded API keys, tokens, secrets |
| AS-003 | AA-04 | MEDIUM | Excessive permissions (admin, sudo, wildcards) |
| AS-004 | AA-02 | HIGH | Prompt injection patterns |
| AS-005 | AA-02 | CRITICAL | Known injection payloads (DROP TABLE, rm -rf) |
| AS-006 | AA-09 | HIGH | Missing sandboxing / containerization |
| AS-007 | AA-06 | LOW | Supply chain risk (no lockfile) |
| AS-008 | AA-01 | HIGH | Excessive agency (auto_approve, no human-in-loop) |
| AS-009 | AA-07 | MEDIUM | Unsafe output handling (innerHTML, dangerouslySetInnerHTML) |
| AS-010 | AA-08 | MEDIUM | Insufficient logging |
| AS-011 | AA-10 | HIGH | Data exfiltration patterns |
| AS-012 | MCP-07 | HIGH | No authentication on MCP endpoints |

The PDF Report

The generated PDF includes:

  • Cover page with scan metadata
  • Executive summary with verdict (PASS/WARN/FAIL) and risk score
  • "Without MCPS vs With MCPS" comparison showing risk reduction
  • OWASP MCP Top 10 compliance matrix
  • OWASP Agentic AI compliance matrix
  • Detailed findings with file paths, line numbers, code snippets
  • Remediation checklist prioritized by severity

Download a sample report to see what it looks like.

Tested Against Real Frameworks

We scanned every major AI agent framework and MCP server implementation:

| Framework | Findings | Verdict | Notable |
|---|---|---|---|
| CrewAI | 89 | FAIL | Prompt injection patterns, excessive agency |
| LangGraph | 47 | FAIL | Dynamic code execution, missing sandboxing |
| Pydantic AI | 113 | FAIL | eval() usage, hardcoded credentials in examples |
| MCP Filesystem Server | 6 | WARN | Path traversal surface, no auth |
| MCP Fetch Server | 4 | WARN | SSRF surface, no origin validation |
| MCP Memory Server | 3 | PASS | Minimal attack surface |
| MCPS SDK | 15 | FAIL | Test files contain deliberate attack patterns (proves scanner works!) |

The irony of MCPS (our own SDK) failing its own scanner? That's because our test fixtures deliberately include vulnerable patterns. It proves the tool isn't rigged.

Part of the MCPS Ecosystem

mcps-audit is the testing tool in a complete security ecosystem for MCP:

  1. Standard: MCPS IETF Internet-Draft -- the cryptographic security spec
  2. SDK: mcp-secure (npm) / langchain-mcps (PyPI) -- implementation
  3. Tester: mcps-audit (this tool) -- OWASP compliance scanning
  4. Platform: AgentSign -- zero trust engine for AI agents

The scanner shows a "Without MCPS vs With MCPS" comparison. For findings that MCPS can address (authentication, signing, audit logging), it calculates the risk reduction you'd get by adopting the SDK.

Usage

# Scan current directory
npx mcps-audit

# Scan a specific path with custom output
npx mcps-audit ./my-mcp-server -o security-report.pdf --name "My MCP Server"

# Only show HIGH and CRITICAL findings
npx mcps-audit ./src --severity HIGH

# JSON output for CI/CD integration
npx mcps-audit ./src --json

CI/CD Integration

# GitHub Actions
- name: MCP Security Scan
  run: npx mcps-audit ./src --severity HIGH --json

There's also a GitHub Action for automated scanning on every PR.

Technical Details

  • Runtime: Node.js >= 18
  • Dependencies: Just pdfkit (for PDF generation). Zero other deps.
  • Scan scope: .js, .ts, .py, .json, .mjs, .cjs files
  • Limits: 500 files max, 100KB per file (configurable)
  • Speed: Scans most projects in under 2 seconds
  • Output: Terminal summary + PDF report

The scanner uses pattern matching with context-aware heuristics. It understands MCP-specific patterns (tool definitions, JSON-RPC handlers, passport verification) and maps them to both OWASP frameworks.
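As an added example (not mcps-audit's own code), here is how a line-oriented rule engine of the kind described above can turn a few of the AS-00x rules into findings with file path, line number and snippet, apply a severity floor like `--severity HIGH`, and roll the findings up into a PASS/WARN/FAIL verdict. The rule ids, OWASP mappings and severities come from the table; the regexes, the verdict thresholds and the sample file are assumptions made for this illustration.

```javascript
// Added illustration, not the mcps-audit source: a minimal line-oriented rule
// engine in the style of the AS-00x rules above. Rule ids, OWASP mappings and
// severities come from the table; regexes, verdict roll-up and the sample
// file are assumptions made for this example.
const RULES = [
  { id: "AS-001", owasp: "AA-03", severity: "CRITICAL", pattern: /\b(eval|exec|execSync|spawn)\s*\(|\bsubprocess\./ },
  { id: "AS-002", owasp: "AA-05", severity: "HIGH",     pattern: /\b(api[_-]?key|secret|token)\b\s*[:=]\s*["'][^"']{8,}["']/i },
  { id: "AS-008", owasp: "AA-01", severity: "HIGH",     pattern: /\bauto_?approve\b\s*[:=]\s*true/i },
  { id: "AS-009", owasp: "AA-07", severity: "MEDIUM",   pattern: /\b(innerHTML|dangerouslySetInnerHTML)\b/ },
];
const SEVERITY_RANK = { LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };

// Scan one file; each finding carries file, line number and snippet, like the
// "Detailed findings" section of the report. minSeverity mirrors --severity.
function scanSource(file, text, minSeverity = "LOW") {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    if (/^\s*(\/\/|#)/.test(line)) return; // comment-only lines are not findings
    for (const rule of RULES) {
      if (SEVERITY_RANK[rule.severity] < SEVERITY_RANK[minSeverity]) continue;
      if (rule.pattern.test(line)) {
        findings.push({ rule: rule.id, owasp: rule.owasp, severity: rule.severity,
                        file, line: i + 1, snippet: line.trim() });
      }
    }
  });
  return findings;
}

// Assumed roll-up: any HIGH/CRITICAL finding -> FAIL, anything else -> WARN, none -> PASS.
function verdict(findings) {
  if (findings.some(f => SEVERITY_RANK[f.severity] >= SEVERITY_RANK.HIGH)) return "FAIL";
  return findings.length > 0 ? "WARN" : "PASS";
}

// Constructed sample of an MCP tool handler (not a real project file).
const SAMPLE = [
  "const API_KEY = 'sk-constructed-example-0123456789';",
  "const server = { auto_approve: true };",
  "// eval() mentioned only in this comment, so it must not be reported",
  "function runTool(args) { return exec(args.cmd); }",
  "out.innerHTML = toolResult;",
].join("\n");

const all = scanSource("tools.js", SAMPLE);
console.log(JSON.stringify(all, null, 2), "\nverdict:", verdict(all));
```

Run with `node`; on the constructed sample it reports four findings (AS-002, AS-008, AS-001, AS-009), three when the floor is HIGH, and a FAIL verdict.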

What's Next

  • More language support (Go, Rust, Java)
  • Custom rule definitions
  • SARIF output for IDE integration
  • Baseline/diff mode for tracking improvements over time

Try It

npx mcps-audit ./your-project

Takes 2 seconds. Might save you from a very bad day.


Links:

Top comments (1)

Zac (builtbyzac)

Good timing on this. One thing I noticed building MCP servers: the security issues compound when the server is used by an autonomous agent rather than a human-in-the-loop setup. A human can catch a suspicious tool call; an agent just executes it.

The prompt injection vector (OWASP MCP #1) is the one that keeps me up. I started requiring all tool descriptions and responses to be treated as untrusted input by default in my system prompt -- anything that tells the agent to ignore previous instructions or take actions outside its current task gets flagged.

Built a TypeScript MCP starter kit (builtbyzac.com/store.html) that includes the security scaffolding as a baseline -- structured error responses, input validation, rate limiting. A scanner like yours would be a good complement to verify the output is actually clean.