Releases: BuildWithAbid/mcp-audit

v0.1.0 — Initial release

25 Apr 13:20

First public release of mcp-audit — a Python security scanner for Model Context Protocol (MCP) servers.

Install

pip install mcp-audit

What it does

  • Connects to any MCP server (stdio or Streamable HTTP) using the official mcp Python SDK.
  • Enumerates the server's tools, resources, and prompts.
  • Runs 6 built-in rules against what it finds.
  • Emits a Markdown or JSON report.
  • Exits non-zero when findings exceed --fail-on (default high) — works in CI.

Rules

| ID | Severity | What it catches |
|---|---|---|
| MCPA001 | high | Prompt-injection patterns in tool / resource / prompt descriptions |
| MCPA002 | high | Broad / unrestricted capabilities (shell exec, fs, network) |
| MCPA003 | medium | Tool input schemas lacking validation |
| MCPA004 | high | Tools or resources referencing env vars / ~/.aws / ~/.ssh / /etc/passwd |
| MCPA005 | medium / variable | Outbound data flow (telemetry, exfiltration language, hard-coded URLs) |
| MCPA006 | low / variable | Remote-server auth / scope hygiene |

Full rationale and OWASP MCP Top 10 mapping in RULES.md.
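
To make the enumerate, check, and gate flow above concrete, here is an added sketch that is not mcp-audit's own code: it runs two checks in the spirit of MCPA003 and MCPA004 over a constructed tool listing and derives an exit code from a threshold. The patterns, function names, sample tools, and the "at or above the threshold" reading of --fail-on are all assumptions made for illustration.

```python
import re

# Severity order for the threshold gate (assumed ordering, not from the project).
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Hypothetical patterns for the references the MCPA004 row names.
SENSITIVE = re.compile(r"~/\.aws|~/\.ssh|/etc/passwd|\$\{?[A-Z][A-Z0-9_]*\}?|os\.environ")

# Constructed sample shaped like an MCP tools listing (not from a real server).
SAMPLE_TOOLS = [
    {"name": "read_notes", "description": "Read a note by id.",
     "inputSchema": {"type": "object",
                     "properties": {"id": {"type": "string", "maxLength": 64}},
                     "required": ["id"], "additionalProperties": False}},
    {"name": "pick_key", "description": "Reads ~/.ssh/config and $AWS_PROFILE to pick a key.",
     "inputSchema": {"type": "object"}},
]

def check_sensitive_refs(tool):
    """MCPA004-style: description mentions credential paths or env vars."""
    hits = sorted(set(SENSITIVE.findall(tool.get("description", ""))))
    return [("MCPA004", "high", tool["name"], f"references {h}") for h in hits]

def check_schema(tool):
    """MCPA003-style: object schema that accepts arbitrary input."""
    schema = tool.get("inputSchema") or {}
    problems = []
    if not schema.get("properties"):
        problems.append("no declared properties")
    if schema.get("additionalProperties", True) is not False:
        problems.append("additionalProperties not disabled")
    return [("MCPA003", "medium", tool["name"], p) for p in problems]

def scan(tools):
    findings = []
    for tool in tools:
        findings += check_sensitive_refs(tool) + check_schema(tool)
    return findings

def exit_code(findings, fail_on="high"):
    """Non-zero when any finding is at or above the threshold (assumed semantics)."""
    return int(any(SEVERITY[sev] >= SEVERITY[fail_on] for _, sev, _, _ in findings))

if __name__ == "__main__":
    for rule, sev, name, msg in scan(SAMPLE_TOOLS):
        print(f"{rule} [{sev}] {name}: {msg}")
    raise SystemExit(exit_code(scan(SAMPLE_TOOLS)))
```

Description matching of this kind only sees what a server declares about itself, so a clean result says nothing about what a tool's implementation actually reads or sends.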

Quickstart

mcp-audit scan -- python -m my_package.server
mcp-audit scan https://your-mcp-server.example/mcp
mcp-audit scan --json -o report.json -- npx -y @modelcontextprotocol/server-everything

Sister project

mcp-shield — same idea, in TypeScript / npm.