Scan your MCP server before someone else does.
Security researchers keep disclosing CVEs against Model Context Protocol implementations across the Python, TypeScript, Java, and Rust SDK ecosystems, and the published failure modes cluster into eight recurring shapes:
- Tool description injection (untrusted input interpolated into tool descriptions or schemas that the LLM reads as instructions).
- Tool poisoning (caller-controlled paths to file systems, URLs, or environment variables without an allowlist).
- Rug pull risk (tool descriptions that change per request based on mutable state).
- Sensitive sinks inside tool handler bodies (subprocess, eval, raw SQL, network calls).
- Manifest vs handler mismatch (
tools/listadvertises a tool whose handler signature does not match the schema). - Unbounded resource access (overbroad filesystem root, unrestricted URL fetch).
- Prompt data leakage (text returned to the LLM contains secrets, PII, or environment values).
- Auth bypass on sensitive tools (sensitive tool definition has no auth check at handler entry).
vulkro scan-mcp-server catches all eight, offline, before you
publish.
Where this sits in the lifecycle
If you are writing an MCP server, it is code like any other code, and it rides Vulkro's pre-deploy spine: scan it as you write it (the same session that generates it can call the scanner over MCP), gate it pre-commit, and gate it again in CI before you publish to a marketplace. The paid Vulkro engine owns the source-code and host-config scanning on this page; the free Vulkro Labs tools own the live-manifest side.
What the subcommand does
vulkro scan-mcp-server path/to/your/mcp-server
It walks the source tree, identifies Python (mcp.server /
FastMCP) and TypeScript (@modelcontextprotocol/sdk) MCP server
shapes, and runs eight detectors against each tool handler.
Output is the standard Vulkro table / JSON / SARIF / NDJSON
shapes so it slots into the same CI pipeline as everything else
you scan. Exit codes follow the standard contract: 0 if clean, 1
if findings, 2 if error.
The detector pack ships at stable rule IDs MCP-SERVER-001
through MCP-SERVER-008 so you can suppress or tune them in
.vulkroignore the same way you would any other Vulkro rule. The
full rule documentation covers
trigger conditions, evidence requirements, and the positive plus
negative fixture corpus that drives the regression tests: every
one of the eight rules is pinned by fixtures that must keep
triggering and fixtures that must stay silent.
Three things Vulkro is not
To make the scope clear:
vulkro mcp-auditscans MCP host configurations (Claude Desktop, Cursor, Windsurf, VS Code, Cline, Continue, Gemini). It checks unpinnednpx/uvx, mutable git refs, overbroad fs roots, env-var secrets, cleartext endpoints, and the compromised-release catalog. Different surface entirely.vulkro mcp servemakes Vulkro itself behave as an MCP server. Claude Code, Cursor, Windsurf, and any other MCP client can call Vulkro to scan files and projects directly from the editor.vulkro scan-mcp-serveris the piece this page is about: it scans MCP server source code (the code you are writing).
The three surfaces compose: Claude Code can call Vulkro via MCP to scan the MCP server source you are building, before you publish it to a marketplace.
Free Vulkro Labs tools for the live MCP and agent surface
The three surfaces above scan MCP server source code and host
configurations. The free, open-source Vulkro Labs tools
(vulkro-live) cover the running MCP and agent surface directly:
vulkro-live wardenscans an MCP server's tool manifest (atools/listresult) for prompt-injection and tool-poisoning shapes, so you can check a server you are about to connect to rather than only the source you wrote.vulkro-live inspectgives a GREEN / REVIEW / AVOID verdict on an MCP server before you add it to a client: a quick go / no-go read on the backing package.vulkro-live lock/driftfingerprint a tool manifest and diff it later, so a rug pull shows up as a field-level diff.- A built-in
vulkro-live mcpserver exposesverifyandwardenas MCP tools, so your assistant can run those checks itself.
Install:
curl -fsSL https://dist.vulkro.com/install-live.sh | bash
vulkro-live is the open-source Labs line. The vulkro engine
itself stays closed and licensed.
The architectural distinction
Most MCP security scanners are hosted SaaS or rely on cloud LLM evaluation. Vulkro runs entirely on your machine with no model call: deterministic detectors, the same verdict on every run. The detector implementation is closed-source so its rule signatures cannot be trivially reverse-engineered by an attacker writing a deliberately detector-evading MCP server; the benchmark harness is public so a buyer can audit the claim that the detection works.
If your MCP server holds proprietary tool implementations, credentials, or customer data shapes, you probably do not want to upload it to a SaaS analyzer or send it through a cloud model. Vulkro does neither.
Get started
The scanner is in the free tier. No license required, no account, nothing to sign up for.
# macOS / Linux
curl -fsSL https://dist.vulkro.com/install.sh | bash
# Then, on your MCP server source tree
vulkro scan-mcp-server .
Wire --fail-on critical,high into CI to make the eight classes
a publish gate rather than a report.
Use Vulkro as an MCP tool inside Claude Code or Cursor
Vulkro can also run as an MCP server itself, so Claude Code or Cursor can call it on every diff:
{
"mcpServers": {
"vulkro": {
"command": "vulkro",
"args": ["mcp", "serve"]
}
}
}
That gives your AI coding assistant the scan_project,
scan_file, explain, list_rules, and get_findings tools.
When you are writing an MCP server, the same Claude Code session
can scan the file it just generated for the same eight detector
classes before you commit. See
the mcp serve docs for the full setup.
There is also vulkro guard, which checks every
file the assistant writes whether it asks or not.
The market is moving fast
The MCP ecosystem is at the same stage npm was around 2018: the spec is established, the marketplaces are growing, and the adversaries are catching up faster than the tooling. Catching your MCP server's tool description injection or manifest drift before you publish it is the cheap version of fixing it; finding out from a CVE filing is the expensive version.
Read the scan-mcp-server docs for the full rule reference and the fixture corpus, or just run it now:
vulkro scan-mcp-server .