MCPScan
harikrishn4101/MCPScanOffensive MCP server security auditor — enumerate tools, detect poisoning, credential leakage, RCE vectors, and supply chain vulnerabilities
Do not install this package
We found dangerous patterns that could harm your computer or steal your data. This package tries to access your SSH keys and credentials. Unless you are 100% sure you trust the author and have reviewed the code yourself, do not install this.
What We Found(12 issues)
Each card explains what was found and what it means in plain English. Click "Technical details" for the full breakdown.
Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.
Technical details
eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.
eval(Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.
Technical details
eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.
eval(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawn(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
execSync(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
exec(Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
execSync(DO NOT INSTALL. This package tries to read your SSH keys — the same keys that unlock your servers, your GitHub account, and your deployments. No Claude skill should ever need to touch these files. This looks like credential theft.
Technical details
Accessing SSH keys or known_hosts is a strong indicator of credential theft. No legitimate MCP server needs access to SSH configuration.
~/.sshDO NOT INSTALL. This package tries to read your SSH keys — the same keys that unlock your servers, your GitHub account, and your deployments. No Claude skill should ever need to touch these files. This looks like credential theft.
Technical details
Accessing SSH keys or known_hosts is a strong indicator of credential theft. No legitimate MCP server needs access to SSH configuration.
~/.sshSuspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.
Technical details
Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.
raw.githubusercontentFinding Summary
0
Critical
11
High
1
Medium
0
Low
0
Info