{"slug": "snyk-scans-your-mcp-servers-by-running-them-here-is-what-that-means", "title": "Snyk scans your MCP servers by running them. Here is what that means.", "summary": "Snyk's agent-scan tool analyzes MCP servers by actually executing them from the user's configuration files, retrieving tool descriptions via the MCP protocol, and sending that data to a third-party API for analysis. This approach has raised security concerns because it runs potentially untrusted code before analysis, leading Snyk to add a consent flow and a `--dangerously-run-mcp-servers` flag for CI/CD environments. In contrast, the alternative tool Bawbel performs static analysis by reading configuration files without executing any servers, offering a trade-off where it cannot detect runtime-only malicious behaviors.", "body_md": "Snyk's agent-scan tool works by starting every MCP server it finds in your config and querying its tool descriptions. That is not a bug. It is the architecture. To retrieve tool descriptions from a stdio MCP server, you have to execute it. The tool does exactly what it says on the box.\n\nThe problem is the use case.\n\n## What agent-scan actually does\n\nWhen you run `snyk-agent-scan`\n\n, it reads your local MCP configuration files:\n\n`~/.cursor/mcp.json`\n\n, Claude Desktop config, Windsurf config, and others. For each server it finds, it executes the command array from the config, spins up the server, connects via the MCP protocol, retrieves tool descriptions, and ships that data to Invariant Labs' API at `invariantlabs.ai`\n\nfor analysis.\n\nOne developer confirmed this directly when the API returned a `429 Too Many Requests`\n\nresponse, which proved the scanner had executed the servers, connected to them, and transmitted their data off-machine without a prompt.\n\nSnyk has since added a consent flow that shows you the server name, command, and environment variables before execution. In CI/CD you bypass it entirely with `--dangerously-run-mcp-servers`\n\n.\n\nThe consent prompt is the right fix. But the architectural question is worth sitting with.\n\n## The fundamental tension\n\nHere is the thing: Snyk's approach is not wrong for what it is trying to do. If you want to check a server you already trust and have installed, executing it to retrieve tool descriptions is reasonable. That is not different from running a container to inspect its behavior.\n\nThe problem shows up at the edges:\n\n**Scanning an untrusted config.** The entire point of a security scanner is to tell you whether something is safe before you commit to running it. If the scanner starts the server to analyze it, and the server is malicious, the scanner has just executed the malicious payload. The command array in `mcp.json`\n\nis attacker-controlled content.\n\n**CI/CD pipelines.** The `--dangerously-run-mcp-servers`\n\nflag exists precisely because interactive consent prompts break automation. Any CI job that needs to scan MCP configs must bypass the consent flow entirely.\n\n**Data exfiltration.** Tool names, descriptions, and partial config are sent to a third-party API for analysis. In regulated environments, that is a compliance conversation. In any environment, it is a data residency question.\n\n## What Bawbel does differently\n\nBawbel never starts a server. It reads the file and analyzes the text.\n\n```\npip install bawbel-scanner\nbawbel scan ./my-skill.md       # reads the file, never executes it\nbawbel ssc https://server.io    # fetches .well-known/mcp.json, never starts it\n```\n\nThe trade-off is real: static analysis cannot detect runtime-only behaviors. A server that looks clean but phones home during execution will pass Bawbel and fail Snyk. Both things can be true at the same time.\n\nWhat static analysis can do:\n\n- Scan skill files, server manifests, and system prompts before they hit production\n- Run in CI/CD without executing any agent code\n- Work in air-gapped environments with no external API calls\n- Detect the 48 AVE attack classes across 121 detection rules\n- Produce SARIF output for GitHub Security tab integration\n\n## When to use which\n\nUse Snyk agent-scan when you want runtime behavioral analysis of servers you are already running locally. It is the right tool for auditing your current setup.\n\nUse Bawbel when you want to gate skill files and server manifests before deployment, scan in CI/CD without executing code, or work in environments where running untrusted code for analysis is not acceptable.\n\nThey cover different threat surfaces. The distinction matters.\n\n## The broader point\n\nThe MCP ecosystem is moving toward skill registries - shared repositories of agent capabilities, similar to npm or PyPI. When that happens at scale, the question of whether your scanner executes registry packages to analyze them becomes the same question the npm ecosystem has been answering since 2018.\n\nnpm had supply chain attacks where `install`\n\nhooks ran malicious code. The lesson was: never execute untrusted code as part of the analysis step.\n\nStatic analysis first. Dynamic analysis in a sandboxed, isolated environment with no network access. And always, explicitly, with consent.\n\n**Links**\n\n- Bawbel Scanner:\n[github.com/bawbel/scanner](https://github.com/bawbel/scanner) - Snyk agent-scan:\n[github.com/snyk/agent-scan](https://github.com/snyk/agent-scan) - AVE Standard:\n[github.com/bawbel/ave](https://github.com/bawbel/ave) - Original disclosure on dev.to:\n[Execute First, Ask Never](https://dev.to/pachilo/execute-first-ask-never-a-vulnerability-in-snyk-agent-scan-4plc)", "url": "https://wpnews.pro/news/snyk-scans-your-mcp-servers-by-running-them-here-is-what-that-means", "canonical_source": "https://dev.to/saray_chak/snyk-scans-your-mcp-servers-by-running-them-here-is-what-that-means-a4b", "published_at": "2026-05-20 14:00:00+00:00", "updated_at": "2026-05-20 14:03:09.184343+00:00", "lang": "en", "topics": ["cybersecurity", "developer-tools", "artificial-intelligence", "open-source", "products"], "entities": ["Snyk", "Invariant Labs", "Claude Desktop", "Windsurf", "MCP"], "alternates": {"html": "https://wpnews.pro/news/snyk-scans-your-mcp-servers-by-running-them-here-is-what-that-means", "markdown": "https://wpnews.pro/news/snyk-scans-your-mcp-servers-by-running-them-here-is-what-that-means.md", "text": "https://wpnews.pro/news/snyk-scans-your-mcp-servers-by-running-them-here-is-what-that-means.txt", "jsonld": "https://wpnews.pro/news/snyk-scans-your-mcp-servers-by-running-them-here-is-what-that-means.jsonld"}}