Featured
Launch your own AI agent in one click
Sponsored placement
SetupClaw: done-for-you OpenClaw for founders & exec teams
Sponsored
One API to scrape, enrich, and extract the internet.
Sponsored placement
CLN.Work — Stop prompting, start hiring AI employees
Limited-time offer
Keep your OpenClaw agent online 24/7
Featured
Launch your AI product and start charging today
Free tool
MCP Server Security Scanner
Paste an .mcp.json config or a SKILL.md and get an instant risk report. It flags curl-to-bash installs, hardcoded secrets, over-broad permissions, and more, entirely in your browser.
Scanned entirely in your browser. Nothing is uploaded.
Why scan an MCP server config before you install it
Model Context Protocol servers run on your machine with your permissions. A single line in an .mcp.json can download and execute a remote script, grant a server read access to your home directory, or ship a live API key inside a file you are about to commit to git. The same risks apply to skills: a SKILL.md tells an agent what to do, and a malicious or careless one can instruct that agent to run destructive commands. This scanner reads the file locally and flags the patterns that most often turn into incidents, so you can review before you trust.
What the scanner checks
- Remote code execution from
curl ... | bashor piping any download into a shell. - Hardcoded secrets such as API keys, tokens, and cloud credentials embedded in
envor arguments. - Broad filesystem access to root, home, or system paths instead of a scoped project directory.
- Unpinned installs like
npx -yof a package with no version pin or unknown publisher. - Raw shell entrypoints, non-obvious network egress, and skills that request execute access they do not obviously need.
- Missing provenance like an absent license or source link on a shared skill.
Frequently asked questions
Does my config get uploaded anywhere?
No. All parsing and pattern matching happens in your browser with JavaScript. Nothing is sent to a server, logged, or stored. You can even disconnect from the network and the scan still works.
Does a passing grade mean the server is safe?
No. This is a heuristic scanner. It catches common dangerous patterns, but it cannot prove a server is safe, and it does not read the actual source of the package a config points to. Treat a clean result as a green light to keep reviewing, not a guarantee.
What files can I paste?
Either a JSON MCP config (the block you would put in an .mcp.json or a client config) or a SKILL.md file. The scanner detects which one you pasted and applies the relevant checks automatically.
How is the risk grade calculated?
Every file starts at 100. Critical findings subtract the most, warnings less, and informational notes a little. The remaining score maps to a letter grade from A to F so you get a quick read before diving into the detail.
Where can I learn to harden my setup?
Browse vetted servers in the MCP directory and follow the step-by-step guide in Securing Your MCP Server Connections.



