# MCP-customs: NPM audit, but for MCP servers

A new open-source CLI tool, mcp-customs, scans MCP servers for security risks before installation, running fully offline with no telemetry. It checks for issues such as shell injection, path traversal, and hardcoded credentials, and outputs a report with scores and severity levels. The tool aims to fill a gap in MCP server security auditing, similar to npm audit, and is available under Apache-2.0.

Inspect an MCP server for common security risks before you install it. Runs fully offline. No telemetry, no cloud upload, no account.

```text
npx mcp-customs scan ./some-mcp-server

──────────────────────────────────────────────────────
MCP-CUSTOMS INSPECTION REPORT
──────────────────────────────────────────────────────
target         ./some-mcp-server
files scanned  14
score          62 / 100
stamp          REVIEW
──────────────────────────────────────────────────────
HIGH  MCP002 — Unsanitized file path (possible path traversal)
      server.js:41   return fs.readFileSync(userPath, 'utf8');
      fix: Resolve the path against an allowed base directory
...
```

Developers install MCP servers the way they used to install npm packages — quickly, trusting the name, and moving on. An MCP server can read your files, call your APIs, and execute commands on your behalf. Almost nobody checks what it can actually do before connecting it to their agent. mcp-customs is the "audit before install" step, run locally, in seconds.
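As an added illustration (not mcp-customs' own code), here is the shape of a line-level, regex-based heuristic scan like the one behind the report above: three hypothetical patterns standing in for MCP001, MCP002 and MCP004, run over a constructed `server.js`, plus a threshold check in the spirit of `--fail-on high`. The patterns, the sample source and the function names are assumptions, and, like the real rules, these are heuristics that will both miss and over-flag things.

```javascript
// Added illustration, not mcp-customs' own code: line-level regex heuristics
// standing in for three of the rule IDs on this page. Patterns are assumptions.
const RULES = [
  { id: 'MCP001', severity: 'critical', title: 'shell exec with unsanitized interpolation',
    // exec/execSync called with a template literal that interpolates ${...}
    pattern: /\bexec(?:Sync)?\s*\(\s*`[^`]*\$\{/ },
  { id: 'MCP002', severity: 'high', title: 'file read/write without a path-traversal guard',
    // fs read/write whose first argument is a bare identifier rather than a string literal
    pattern: /\bfs\.(?:readFile|writeFile)(?:Sync)?\s*\(\s*[A-Za-z_$][\w$]*\s*[,)]/ },
  { id: 'MCP004', severity: 'high', title: 'hardcoded API key / credential',
    pattern: /\b(?:api[_-]?key|secret|token)\s*[:=]\s*['"][A-Za-z0-9_\-]{16,}['"]/i },
];
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Scan one file's source text line by line; one finding per (line, rule) hit.
function scanSource(fileName, source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ rule: rule.id, severity: rule.severity, title: rule.title,
                        file: fileName, line: idx + 1, text: text.trim() });
      }
    }
  });
  return findings;
}

// Threshold check in the spirit of `--fail-on <severity>`: true when any
// finding is at or above the given severity.
function shouldFail(findings, threshold) {
  const min = SEVERITY_RANK[threshold];
  return findings.some((f) => SEVERITY_RANK[f.severity] >= min);
}

// Constructed sample source (not a real MCP server). The last line passes a
// string literal, so the MCP002 heuristic should leave it alone.
const SAMPLE_SERVER_JS = [
  "const fs = require('fs');",
  "const { execSync } = require('child_process');",
  "const API_KEY = 'sk_live_0123456789abcdef0123';",
  "function readTool(userPath) {",
  "  return fs.readFileSync(userPath, 'utf8');",
  "}",
  "function runTool(cmd) {",
  "  return execSync(`ls ${cmd}`).toString();",
  "}",
  "const config = fs.readFileSync('./config.json', 'utf8');",
].join('\n');

const findings = scanSource('server.js', SAMPLE_SERVER_JS);
for (const f of findings) console.log(`${f.severity.toUpperCase().padEnd(8)} ${f.rule} ${f.file}:${f.line}  ${f.text}`);
console.log(shouldFail(findings, 'high') ? 'FAIL (finding at or above high)' : 'PASS');
```

Running it reports MCP004 on line 3, MCP002 on line 5 and MCP001 on line 8 of the sample, and the `--fail-on high` style check fails; the literal-path read on line 10 is not flagged.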
## Rules

| Rule | Severity | What it looks for |
|---|---|---|
| MCP001 | critical | Shell command execution with unsanitized interpolation |
| MCP002 | high | File reads/writes without a path-traversal guard |
| MCP003 | critical | eval / dynamic code execution |
| MCP004 | high | Hardcoded API keys / credentials |
| MCP005 | critical | Tool descriptions containing hidden-instruction language (prompt injection via the tool's own metadata) |
| MCP006 | medium | Outbound network calls combined with environment-variable reads (possible exfiltration) |
| MCP007 | low | No permissions/scopes declared in the manifest |

These are heuristic, regex-based checks — fast and fully auditable in one sitting, not a dataflow analysis. They will produce false positives and will miss things a deeper analysis would catch. Treat a CLEARED stamp as "nothing obvious," not "verified safe."

## CI integration

```yaml
# .github/workflows/mcp-customs.yml
- run: npx mcp-customs scan . --sarif results.sarif --fail-on high
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```

```text
npx mcp-customs scan . --badge --name your-server-name
```

## Roadmap

- Publish scan results to a public registry (mcp-customs.dev) with searchable trust scores
- Dynamic/sandboxed analysis to catch what static checks miss
- Python-specific AST checks (current Python rules are regex-only)
- Community flagging / verification on registry entries

## License

Apache-2.0. No open-core trap — this CLI stays free either way. If a hosted registry/dashboard ships later, that's a separate paid product; this tool's local scanning will never require it.