alvabillwu

🛡️ mcp-guard

Community alvabillwu
Updated

🛡️ Security scanner for MCP server tool manifests — detect dangerous capabilities before you connect

🛡️ mcp-guard

npmnpm downloadsLicenseNodeCI

Security scanner for MCP server tool manifests. Audit any MCP server's tools/list response for dangerous capabilities before you connect it to your AI agent.

In 2026, 30+ MCP-related CVEs were filed including a 9.6 CVSS RCE. Only 12.9% of public MCP servers score "high trust." Tool poisoning — malicious tool descriptions injecting hidden directives — is now a recognized structural vulnerability. mcp-guard gives you an npm audit-like experience for the MCP ecosystem.

Complements ai-supply-guard (npm dependency audit) and agentguard (shell command safety gate).

Why mcp-guard?

  • MCP servers have privileges — they can read/write files, execute commands, access the network. Before you connect one to your AI agent, know what it can do.
  • One command, instant auditmcp-guard scan gives you a risk score, per-tool verdicts, and actionable details. No config needed.
  • CI-native — fail builds on dangerous tools. 10 configurable security rules with scoring and policy presets.
  • Zero dependencies — pure Node.js stdlib. Nothing to install, nothing to trust.

Features

  • 🔍 10 security rules covering shell exec, filesystem, network, secrets, database, auth, command injection, sensitive paths
  • 📊 Risk scoring — per-tool risk score (0–100) with safe/caution/dangerous verdicts
  • ⚙️ Configurable policies — presets (default/strict/permissive), rule disabling, tool allowlisting, custom thresholds
  • 🎨 CLI + programmatic API — human-readable table or JSON output
  • CI-ready — exits non-zero on dangerous tools
  • 🚫 Zero runtime dependencies — pure Node.js stdlib

Quick Start

npm install -g mcp-guard

Usage

CLI

# Scan a tools/list manifest
mcp-guard scan manifest.json

# Pipe from an MCP probe
mcp-probe tools my-server | jq '{tools: .}' | mcp-guard scan --stdin

# JSON output for CI
mcp-guard scan manifest.json --json

# Strict mode (lower thresholds)
mcp-guard scan manifest.json --preset strict

# Allowlist trusted tools
mcp-guard scan manifest.json --allowlist safe_tool --allowlist makeCoffee

# Disable a specific rule
mcp-guard scan manifest.json --disable sensitive-paths

# List rules and presets
mcp-guard rules
mcp-guard presets

Output:

mcp-guard — DANGEROUS  5 tools, 2 safe, 1 caution, 2 dangerous  risk: 52/100

  ✓ hello                       0
  ✓ get_time                    0
  ⚠ read_file                  10 ██
  ✗ write_file                 20 ████
  ✗ execute_command            35 ███████

Details:

  read_file (risk: 10)
    [MED ] fs_read            Tool reads arbitrary files — potential data exfiltration risk

  write_file (risk: 20)
    [HIGH] fs_write           Tool writes files to arbitrary locations

  execute_command (risk: 35)
    [CRIT] shell_exec         Tool executes arbitrary system commands

Programmatic API

import { scanTool, scanManifest, loadPreset } from "mcp-guard";

// Scan a single tool
const result = scanTool({
  name: "execute_command",
  description: "Execute arbitrary shell commands",
});
console.log(result.verdict); // "dangerous"
console.log(result.riskScore); // 35

// Scan a full manifest
const report = scanManifest(
  { tools: [...] },
  loadPreset("strict"),
);
console.log(report.overallVerdict);
console.log(report.summary);

Manifest Format

mcp-guard expects the standard MCP tools/list response:

{
  "tools": [
    {
      "name": "read_file",
      "description": "Read a file from the filesystem",
      "inputSchema": {
        "type": "object",
        "properties": {
          "path": {
            "type": "string",
            "description": "Path to the file"
          }
        }
      }
    }
  ]
}

Security Rules

Rule Category Severity Score
shell-exec Shell Execution critical 35
command-injection Command Injection high 25
fs-delete Filesystem Delete critical 30
fs-write Filesystem Write high 20
secrets-access Secrets Access high 20
sensitive-paths Sensitive Paths high 18
network-access Network Access high 15
database-write Database Write high 15
auth-token Authentication medium 10
fs-read Filesystem Read medium 10

Policy Presets

Preset Danger ≥ Caution ≥ Notes
default 50 20 Balanced for most MCP servers
strict 30 10 Conservative — flags more tools
permissive 70 40 Relaxed — disables fs-read, sensitive-paths

Development

git clone https://github.com/alvabillwu/mcp-guard.git
cd mcp-guard
npm install
npm test
npm run build

🔗 Ecosystem

Part of the alvabillwu AI/LLM DevTools suite:

License

MIT © alvabillwu

Like this? Star the repo to support MCP security tooling!

MCP Server · Populars

MCP Server · New

    cbtw-apac

    QDrant Loader

    Enterprise-ready vector database toolkit for building searchable knowledge bases from multiple data sources. Supports multi-project management, automatic ingestion from Confluence/JIRA/Git, intelligent file conversion (PDF/Office/images), and semantic search. Includes MCP server for seamless AI assistant integration.

    Community cbtw-apac
    aks129

    HealthClaw Guardrails

    Open-source guardrails between AI agents and FHIR clinical data — PHI redaction, immutable audit, step-up auth, tenant isolation. MCP server + OpenAI/Gemini adapters. A healthclaw.io project.

    Community aks129
    opentargets

    Open Targets Platform MCP

    Official MCP server implementation for accessing Open Targets Data

    Community opentargets
    longsizhuo

    openInvest

    基于multiple LLM的风险投资助手

    Community longsizhuo
    CCCpan

    Gebaini

    中国数据核验 MCP Server | 身份核验/企业查询/车辆信息/OCR识别/风险评估 | 10个Tool覆盖5大类 | 微信: chenganp | 邮箱: [email protected]

    Community CCCpan