Scans Model Context Protocol (MCP) server configurations for common security issues: overprivileged tools, missing auth, prompt injection surface, and unsafe defaults.
Audit MCP server configurations and endpoints for the most common AI security mistakes — overprivileged tools, missing authentication, prompt injection attack surface, and insecure transport defaults. Integrates into CI/CD as a gate or run on-demand via CLI.
Install globally, or run it directly with npx:

```bash
npm install -g @hailbytes/mcp-security-scanner

# or use directly via npx
npx @hailbytes/mcp-security-scanner ./mcp-config.json
```

CLI usage:

```bash
# Scan a local config file
npx @hailbytes/mcp-security-scanner ./mcp-config.json

# Scan a running MCP server endpoint
npx @hailbytes/mcp-security-scanner https://my-mcp-server.example.com

# Output SARIF for GitHub Code Scanning + fail on findings
npx @hailbytes/mcp-security-scanner ./config.json --output=sarif --exit-code
```

Programmatic usage:

```typescript
import { scan } from "@hailbytes/mcp-security-scanner";

const report = await scan({ configPath: "./mcp-config.json" });

console.log(report.findings); // Finding[] — individual security issues
console.log(report.score);    // 0–100 risk score (lower = riskier)
console.log(report.passed);   // boolean — use as CI gate
```

What it checks:

- Overprivileged tools — tools granted broader permissions than their declared function requires
- Missing or weak authentication — unauthenticated transports, missing token validation
- Prompt injection surface — tool descriptions or output paths susceptible to injection
- Unsafe defaults — insecure transport defaults, verbose error exposure, CORS wildcards
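A GitHub Actions job that wires the CLI in as a merge gate and forwards the SARIF output to Code Scanning, as an added example rather than the project's own workflow; the workflow name, Node version, config path, and the assumption that `--output=sarif` writes the report to stdout are not from the page.

```yaml
name: mcp-security-scan
on: [push, pull_request]

permissions:
  contents: read
  security-events: write   # needed by upload-sarif

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumption: any current Node release works

      # --exit-code makes this step fail when findings exist. continue-on-error
      # keeps the job running so the SARIF is still uploaded; the final step
      # then turns the scanner's outcome into the job's pass/fail result.
      - name: Scan MCP configuration
        id: scan
        continue-on-error: true
        run: >
          npx @hailbytes/mcp-security-scanner ./mcp-config.json
          --output=sarif --exit-code > mcp-scan.sarif

      - name: Upload findings to GitHub Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: mcp-scan.sarif

      - name: Fail the job if the scanner reported findings
        if: steps.scan.outcome == 'failure'
        run: exit 1
```

If the scanner writes SARIF to a file instead of stdout, drop the redirection and point `sarif_file` at that path.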
Related:

- @hailbytes/mcp-server-template — production-ready MCP server scaffold with auth built-in
- HailBytes MCP documentation
Part of the HailBytes open-source security toolkit.