MCP Server Auditor
Paste your MCP server's package.json or source code and get an instant security risk analysis. Detect dangerous patterns before they reach production.
Get the CLI Tool
Run the MCP auditor locally as an MCP server, or try it online below.
npx @clinetools/mcp-auditor
- Security vulnerability detection for MCP servers
- Risk scoring 0–100 with grades A+ through C
- File, network, exec, and env pattern detection
- Permission scope analysis
- Zero config — just run with npx
How to Use It
Three ways to audit MCP server security — pick the one that fits your workflow.
Try Online
Use the interactive demo below to paste code or config and get an instant security analysis — no install needed.
Use via CLI
Run as a local MCP server and connect any MCP-compatible client.
Add to Cline / Claude Code
Add the tool to your MCP settings for instant access from your AI assistant.
MCP Client Configuration
{
"mcpServers": {
"mcp-auditor": {
"command": "npx",
"args": ["@clinetools/mcp-auditor"]
}
}
}
Example: audit_mcp_server — safe server (all pass)
// Call the tool with server code:
audit_mcp_server({ code: "module.exports = { tools: [{ name: 'get_weather' ... }] }" })
// Output:
{
"risk_score": 0,
"grade": "A+",
"title": "Excellent",
"checks": [
{ "name": "File System Access", "status": "pass", "detail": "No file system operations detected." },
{ "name": "Network Calls", "status": "pass", "detail": "No outbound network calls detected." },
{ "name": "Code Execution", "status": "pass", "detail": "No eval(), exec(), or spawn() detected." },
{ "name": "Environment Access", "status": "pass", "detail": "No environment variable access detected." },
{ "name": "Dependency Count", "status": "pass", "detail": "No dependencies listed." },
{ "name": "Permission Scope", "status": "pass", "detail": "Touches 0/5 risk categories." }
]
}
Example: audit_mcp_server — risky server (fails & warnings)
// Call with risky server code:
audit_mcp_server({ code: "const { exec } = require('child_process'); ..." })
// Output:
{
"risk_score": 73,
"grade": "C",
"title": "High Risk",
"checks": [
{ "name": "File System Access", "status": "warn", "detail": "Detected 2 file system operations: fs., readFileSync." },
{ "name": "Network Calls", "status": "pass", "detail": "No outbound network calls detected." },
{ "name": "Code Execution", "status": "fail", "detail": "CRITICAL: Detected 2 patterns: exec(, eval(." },
{ "name": "Environment Access", "status": "pass", "detail": "No environment variable access detected." },
{ "name": "Dependency Count", "status": "pass", "detail": "No dependencies listed." },
{ "name": "Permission Scope", "status": "warn", "detail": "Touches 2/5 risk categories." }
]
}
Try It Online
Paste your MCP server code or package.json and get an instant security analysis.
Paste Code or Config
Supports package.json, JavaScript, or TypeScript source code
Paste code or a package.json and click Analyze Security to see results.
Excellent
No significant risks detected
What the Auditor Checks For
Our scanner looks for common risk patterns in MCP server implementations to help you understand your attack surface.
File System Access
Detects usage of fs module, readFile, writeFile, and path manipulation that could allow unauthorized file access or data exfiltration.
Network Calls
Identifies outbound HTTP requests via fetch, axios, http module, or request libraries that could leak data to external servers.
Code Execution
Flags dangerous patterns like eval(), exec(), spawn(), and Function() constructor that enable arbitrary code execution.
Environment Access
Detects process.env usage that could expose API keys, tokens, database credentials, and other sensitive configuration values.
Dependency Count
Analyzes package.json dependencies and counts third-party modules. More dependencies means a larger supply chain attack surface.
Permission Scope
Evaluates the overall permission footprint of the server to determine if it requests more access than necessary for its stated purpose.
Want a Full Security Review?
Submit your MCP server for a comprehensive 4-phase security audit by our team of experts.
Submit for Review