Inspect an MCP server for common security risks before you install it. Runs fully offline. No telemetry, no cloud upload, no account.
```
npx mcp-customs scan ./some-mcp-server

──────────────────────────────────────────────────────
MCP-CUSTOMS INSPECTION REPORT
──────────────────────────────────────────────────────
target         ./some-mcp-server
files scanned  14
score          62 / 100
stamp          [ REVIEW ]
──────────────────────────────────────────────────────
[HIGH] MCP002 - Unsanitized file path (possible path traversal)
  server.js:41   return fs.readFileSync(userPath, 'utf8');
  fix: Resolve the path against an allowed base directory ...
```
Developers install MCP servers the way they used to install npm packages: quickly, trusting the name, and moving on. An MCP server can read your files, call your APIs, and execute commands on your behalf. Almost nobody checks what it can actually do before connecting it to their agent.

`mcp-customs` is the "audit before install" step, run locally, in seconds.
| Rule | Severity | What it looks for |
|---|---|---|
| MCP001 | critical | Shell command execution with unsanitized interpolation |
| MCP002 | high | File reads/writes without a path-traversal guard |
| MCP003 | critical | eval() / dynamic code execution |
| MCP004 | high | Hardcoded API keys / credentials |
| MCP005 | critical | Tool descriptions containing hidden-instruction language (prompt injection via the tool's own metadata) |
| MCP006 | medium | Outbound network calls combined with environment-variable reads (possible exfiltration) |
| MCP007 | low | No permissions/scopes declared in the manifest |
These are heuristic, regex-based checks: fast and fully auditable in one sitting, not a dataflow analysis. They will produce false positives and will miss things a deeper analysis would catch. Treat a CLEARED stamp as "nothing obvious," not "verified safe."
```yaml
- run: npx mcp-customs scan . --sarif results.sarif --fail-on high
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```
```
npx mcp-customs scan . --badge --name your-server-name
```
- Publish scan results to a public registry (mcp-customs.dev) with searchable trust scores
- Dynamic/sandboxed analysis (catch what static checks miss)
- Python-specific AST checks (current Python rules are regex-only)
- Community flagging / verification on registry entries
Apache-2.0. No open-core trap: this CLI stays free either way. If a hosted registry/dashboard ships later, that's a separate paid product; this tool's local scanning will never require it.