MCP servers hand tools and prompts directly to LLM agents — most have never been audited. scan-my-mcp connects to any MCP server, enumerates everything it exposes, and runs 6 security checks: secret exposure, auth enforcement, dangerous permissions, input validation, prompt injection, and context-window cost. Every finding includes the exact location and a fix. Try it instantly at mcpscanner.yxsh.in or install CLI tool for local MCPs.

AppSignal — Track your app’s health, errors and performance with ease

Track your app’s health, errors and performance with ease

Hey PH! 👋 I built scan-my-mcp after realizing how little visibility anyone has into what MCP servers actually expose to their agents. Most servers get connected without a second thought — but they're handing tools, file access, and prompt templates directly to an LLM. One misconfigured server can leak credentials, accept prompt injection, or silently burn half your context window. scan-my-mcp does a real protocol handshake, enumerates everything the server exposes, and runs 6 static security checks — entirely read-only, no tool is ever called, no data leaves your machine. Try it at mcpscanner.yxsh.in or npx scan-my-mcp --url in the terminal. CLI tool supports local MCPs too. Would love to hear what MCP servers you're running and what checks you'd want added next!