{"slug": "mcp-customs-npm-audit-but-for-mcp-servers", "title": "MCP-customs: NPM audit, but for MCP servers", "summary": "A new open-source CLI tool, mcp-customs, scans MCP servers for security risks before installation, running fully offline with no telemetry. It checks for issues like shell injection, path traversal, and hardcoded credentials, outputting a report with scores and severity levels. The tool aims to fill a gap in MCP server security auditing, similar to npm audit, and is available under Apache-2.0.", "body_md": "Inspect an MCP server for common security risks **before** you install it.\nRuns fully offline. No telemetry, no cloud upload, no account.\n\n```\nnpx mcp-customs scan ./some-mcp-server\n──────────────────────────────────────────────────────\nMCP-CUSTOMS INSPECTION REPORT\n──────────────────────────────────────────────────────\ntarget        ./some-mcp-server\nfiles scanned 14\nscore         62 / 100\nstamp         [ REVIEW ]\n──────────────────────────────────────────────────────\n[HIGH] MCP002 — Unsanitized file path (possible path traversal)\n  server.js:41  return fs.readFileSync(userPath, 'utf8');\n  fix: Resolve the path against an allowed base directory ...\n```\n\nDevelopers install MCP servers the way they used to install npm packages — quickly, trusting the name, and moving on. An MCP server can read your files, call your APIs, and execute commands on your behalf. 
Almost nobody checks what it can actually do before connecting it to their agent.\n\n`mcp-customs` is the \"audit before install\" step, run locally, in seconds.\n\n| Rule | Severity | What it looks for |\n|---|---|---|\n| MCP001 | critical | Shell command execution with unsanitized interpolation |\n| MCP002 | high | File reads/writes without a path-traversal guard |\n| MCP003 | critical | `eval()` / dynamic code execution |\n| MCP004 | high | Hardcoded API keys / credentials |\n| MCP005 | critical | Tool descriptions containing hidden-instruction language (prompt injection via the tool's own metadata) |\n| MCP006 | medium | Outbound network calls combined with environment-variable reads (possible exfiltration) |\n| MCP007 | low | No permissions/scopes declared in the manifest |\n\nThese are heuristic, regex-based checks: fast, and small enough to audit in one sitting, but not a dataflow analysis. They will produce false positives (a guard on a different line than the call it protects) and will miss things a deeper analysis would catch (a path or command laundered through a helper). Treat a CLEARED stamp as \"nothing obvious,\" not \"verified safe.\"\n\nIn CI, fail the build on high-severity findings and upload the SARIF output so findings appear in GitHub code scanning:\n\n```\n# .github/workflows/mcp-customs.yml (step fragment)\n- run: npx mcp-customs scan . --sarif results.sarif --fail-on high\n- uses: github/codeql-action/upload-sarif@v3\n  with:\n    sarif_file: results.sarif\n```\n\nBadge for your own server:\n\n```\nnpx mcp-customs scan . --badge --name your-server-name\n```\n\nOn the roadmap:\n\n- Publish scan results to a public registry (mcp-customs.dev) with searchable trust scores\n- Dynamic/sandboxed analysis (catch what static checks miss)\n- Python-specific AST checks (current Python rules are regex-only)\n- Community flagging / verification on registry entries\n\nApache-2.0. No open-core trap — this CLI stays free either way. 
If a hosted registry/dashboard ships later, that's a separate paid product; this tool's local scanning will never require it.", "url": "https://wpnews.pro/news/mcp-customs-npm-audit-but-for-mcp-servers", "canonical_source": "https://github.com/mcpcustoms/mcp-customs", "published_at": "2026-06-18 13:10:23+00:00", "updated_at": "2026-06-18 13:23:56.585574+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "developer-tools"], "entities": ["mcp-customs", "MCP", "npm", "Apache-2.0", "GitHub", "CodeQL"], "alternates": {"html": "https://wpnews.pro/news/mcp-customs-npm-audit-but-for-mcp-servers", "markdown": "https://wpnews.pro/news/mcp-customs-npm-audit-but-for-mcp-servers.md", "text": "https://wpnews.pro/news/mcp-customs-npm-audit-but-for-mcp-servers.txt", "jsonld": "https://wpnews.pro/news/mcp-customs-npm-audit-but-for-mcp-servers.jsonld"}}