Your AI tools connect to MCP servers — but who checks if those servers are secure? Project Shield is a CLI that grades your MCP setup in one command: `npx project-shield scan` It catches prompt injection in tool descriptions, missing auth in MCP configs, leaked API keys (regex + entropy + context), and PII exposure. You get an A–F security grade, fix-it guides for every finding, and a deploy lock on F grade. No signup. No dashboard. Just run it. Free (5 scans/month) · Pro for teams.

Hey PH! I'm Jin — solo dev behind Clouvel and now Project Shield. I built Clouvel to help devs design before coding (PRD-first workflow for AI coders). But I kept seeing the same thing: even well-designed projects ship with hardcoded API keys, open MCP configs, and prompt injection sitting in tool descriptions. The AI writes fast, but nobody grades the output. So I built Shield. One command, 2 minutes, A–F grade. There are other MCP security tools out there — web dashboards, enterprise platforms, runtime proxies. Shield is different: it's a CLI you run before you push. No account, no setup. Just npx project-shield scan . What I'd love feedback on: - What should Shield scan next? - Would you use this in CI/CD? Try it: npx project-shield scan .

Project Shield

One command to security-grade your MCP server

One command to security-grade your MCP server