EN TR Recruiter View
← All writeups
2026-07 · 4 min read

I built a security scanner for MCP servers

MCPsecuritySARIF

The Model Context Protocol took off fast. Everyone's plugging MCP servers into their agents, and most people run them the way you'd run any npm package: npx, trust, move on.

Here's the part that bothers me. Your agent doesn't just call an MCP server's tools. It reads their descriptions, and those descriptions go straight into the model's context. A malicious server can hide instructions in a tool description that your agent will happily follow. There's also the "rug pull" move: a server behaves fine when you install it, then quietly changes its tool schema later. Traditional security tooling doesn't look at any of this. It scans code and dependencies, not the words an MCP server feeds your model.

A 2025 study of 1,899 MCP servers found roughly 7% had general vulnerabilities and over 5% showed MCP-specific tool poisoning (arXiv:2506.13538). Those aren't rounding errors when the thing you're scanning has a direct line to your agent.

What it checks

You point MCPRadar at a server and it enumerates the tools, prompts, and resources, then runs each one through detection rules: zero-width Unicode hidden in names, prompt-injection patterns, encoded blobs, hidden HTML, permission scope that doesn't match what the tool claims to do, dangerous tool names. It stores a snapshot in SQLite, so the next scan diffs against the last one and tells you when a server changed its schema behind your back.

One command, nothing to install:

uvx mcpradar scan "npx -y @modelcontextprotocol/server-filesystem /tmp" -t stdio

Output goes to SARIF too, which means it drops straight into your GitHub Security tab through a normal Action. If you're already running CI, this is a two-line addition.

What it is not

I want to be honest here. MCPRadar is a pattern detector, not an exploit engine. It doesn't run the server's code or prove a finding is exploitable. It'll flag pip install in a setup string and sometimes that's completely fine. Static analysis catches a class of problems; it won't catch everything, and I've documented where it gets things wrong rather than pretend it's perfect.

It's on PyPI, MIT licensed. There's a public leaderboard scoring popular MCP servers at yatuk.github.io/mcpradar, and the code is at github.com/yatuk/mcpradar. If you find a false positive, open an issue — that's how the rules get better.