Skip to main content

Scan your MCP server before someone else does.

Security researchers keep disclosing CVEs against Model Context Protocol implementations across the Python, TypeScript, Java, and Rust SDK ecosystems, and the published failure modes cluster into eight recurring shapes:

  1. Tool description injection (untrusted input interpolated into tool descriptions or schemas that the LLM reads as instructions).
  2. Tool poisoning (caller-controlled paths to file systems, URLs, or environment variables without an allowlist).
  3. Rug pull risk (tool descriptions that change per request based on mutable state).
  4. Sensitive sinks inside tool handler bodies (subprocess, eval, raw SQL, network calls).
  5. Manifest vs handler mismatch (tools/list advertises a tool whose handler signature does not match the schema).
  6. Unbounded resource access (overbroad filesystem root, unrestricted URL fetch).
  7. Prompt data leakage (text returned to the LLM contains secrets, PII, or environment values).
  8. Auth bypass on sensitive tools (sensitive tool definition has no auth check at handler entry).

vulkro scan-mcp-server catches all eight, offline, before you publish.

Where this sits in the lifecycle

If you are writing an MCP server, it is code like any other code, and it rides Vulkro's pre-deploy spine: scan it as you write it (the same session that generates it can call the scanner over MCP), gate it pre-commit, and gate it again in CI before you publish to a marketplace. The paid Vulkro engine owns the source-code and host-config scanning on this page; the free Vulkro Labs tools own the live-manifest side.

What the subcommand does

vulkro scan-mcp-server path/to/your/mcp-server

It walks the source tree, identifies Python (mcp.server / FastMCP) and TypeScript (@modelcontextprotocol/sdk) MCP server shapes, and runs eight detectors against each tool handler. Output is the standard Vulkro table / JSON / SARIF / NDJSON shapes so it slots into the same CI pipeline as everything else you scan. Exit codes follow the standard contract: 0 if clean, 1 if findings, 2 if error.

The detector pack ships at stable rule IDs MCP-SERVER-001 through MCP-SERVER-008 so you can suppress or tune them in .vulkroignore the same way you would any other Vulkro rule. The full rule documentation covers trigger conditions, evidence requirements, and the positive plus negative fixture corpus that drives the regression tests: every one of the eight rules is pinned by fixtures that must keep triggering and fixtures that must stay silent.

Three things Vulkro is not

To make the scope clear:

  1. vulkro mcp-audit scans MCP host configurations (Claude Desktop, Cursor, Windsurf, VS Code, Cline, Continue, Gemini). It checks unpinned npx/uvx, mutable git refs, overbroad fs roots, env-var secrets, cleartext endpoints, and the compromised-release catalog. Different surface entirely.
  2. vulkro mcp serve makes Vulkro itself behave as an MCP server. Claude Code, Cursor, Windsurf, and any other MCP client can call Vulkro to scan files and projects directly from the editor.
  3. vulkro scan-mcp-server is the piece this page is about: it scans MCP server source code (the code you are writing).

The three surfaces compose: Claude Code can call Vulkro via MCP to scan the MCP server source you are building, before you publish it to a marketplace.

Free Vulkro Labs tools for the live MCP and agent surface

The three surfaces above scan MCP server source code and host configurations. The free, open-source Vulkro Labs tools (vulkro-live) cover the running MCP and agent surface directly:

  • vulkro-live warden scans an MCP server's tool manifest (a tools/list result) for prompt-injection and tool-poisoning shapes, so you can check a server you are about to connect to rather than only the source you wrote.
  • vulkro-live inspect gives a GREEN / REVIEW / AVOID verdict on an MCP server before you add it to a client: a quick go / no-go read on the backing package.
  • vulkro-live lock / drift fingerprint a tool manifest and diff it later, so a rug pull shows up as a field-level diff.
  • A built-in vulkro-live mcp server exposes verify and warden as MCP tools, so your assistant can run those checks itself.

Install:

curl -fsSL https://dist.vulkro.com/install-live.sh | bash

vulkro-live is the open-source Labs line. The vulkro engine itself stays closed and licensed.

The architectural distinction

Most MCP security scanners are hosted SaaS or rely on cloud LLM evaluation. Vulkro runs entirely on your machine with no model call: deterministic detectors, the same verdict on every run. The detector implementation is closed-source so its rule signatures cannot be trivially reverse-engineered by an attacker writing a deliberately detector-evading MCP server; the benchmark harness is public so a buyer can audit the claim that the detection works.

If your MCP server holds proprietary tool implementations, credentials, or customer data shapes, you probably do not want to upload it to a SaaS analyzer or send it through a cloud model. Vulkro does neither.

Get started

The scanner is in the free tier. No license required, no account, nothing to sign up for.

# macOS / Linux
curl -fsSL https://dist.vulkro.com/install.sh | bash

# Then, on your MCP server source tree
vulkro scan-mcp-server .

Wire --fail-on critical,high into CI to make the eight classes a publish gate rather than a report.

Use Vulkro as an MCP tool inside Claude Code or Cursor

Vulkro can also run as an MCP server itself, so Claude Code or Cursor can call it on every diff:

{
"mcpServers": {
"vulkro": {
"command": "vulkro",
"args": ["mcp", "serve"]
}
}
}

That gives your AI coding assistant the scan_project, scan_file, explain, list_rules, and get_findings tools. When you are writing an MCP server, the same Claude Code session can scan the file it just generated for the same eight detector classes before you commit. See the mcp serve docs for the full setup. There is also vulkro guard, which checks every file the assistant writes whether it asks or not.

The market is moving fast

The MCP ecosystem is at the same stage npm was around 2018: the spec is established, the marketplaces are growing, and the adversaries are catching up faster than the tooling. Catching your MCP server's tool description injection or manifest drift before you publish it is the cheap version of fixing it; finding out from a CVE filing is the expensive version.

Read the scan-mcp-server docs for the full rule reference and the fixture corpus, or just run it now:

vulkro scan-mcp-server .