MCP Watch 🔍

Created By

kapilduraphe6 months ago

A comprehensive security scanner for Model Context Protocol (MCP) servers that detects vulnerabilities and security issues in your MCP implementations.

# mcp

# security

Overview Content Tools Comments

Content

MCP Watch 🔍

A comprehensive security scanner for Model Context Protocol (MCP) servers that detects vulnerabilities and security issues in your MCP implementations.

Features

🔑 Credential Detection - Finds hardcoded API keys, tokens, and insecure credential storage
🧪 Tool Poisoning - Detects hidden malicious instructions in tool descriptions
🎯 Parameter Injection - Identifies magic parameters that extract sensitive AI context
💉 Prompt Injection - Scans for prompt manipulation and injection attacks
🔄 Tool Mutation - Detects dynamic tool changes and rug-pull risks
💬 Conversation Exfiltration - Finds triggers that steal conversation history
🎨 ANSI Injection - Detects steganographic attacks using escape sequences
📋 Protocol Violations - Identifies MCP protocol security violations
🛡️ Input Validation - Finds command injection, SSRF, and path traversal issues
🎭 Server Spoofing - Detects servers impersonating popular services
🌊 Toxic Flows - Identifies dangerous data flow patterns
🔐 Permission Issues - Finds excessive permissions and access control problems

Installation

Global Installation

npm install -g mcp-watch

Local Installation

npm install mcp-watch

From Source

git clone https://github.com/yourusername/mcp-watch.git
cd mcp-watch
npm install
npm run build

Usage

Command Line

# Scan a GitHub repository
mcp-watch scan https://github.com/user/mcp-server

# Scan with JSON output
mcp-watch scan https://github.com/user/mcp-server --format json

# Filter by severity
mcp-watch scan https://github.com/user/mcp-server --severity high

# Filter by category
mcp-watch scan https://github.com/user/mcp-server --category credential-leak

Note: If you don't want to download npm then just substitute mcp-watch with node dist/main.js.

Example: node dist/main.js scan https://github.com/user/repo

Options

--format <type> - Output format: console (default) or json
--severity <level> - Minimum severity: low, medium, high, critical
--category <cat> - Filter by vulnerability category

Example Output

🔍 Scanning repository: https://github.com/user/mcp-server
📊 Based on vulnerablemcp.info, HiddenLayer, Invariant Labs, and Trail of Bits research

🔑 Scanning for credential vulnerabilities...
🧪 Scanning for tool poisoning vulnerabilities...
🎯 Scanning for parameter injection vulnerabilities...
💉 Scanning for prompt injection vulnerabilities...

📊 MCP SECURITY SCAN RESULTS
===============================

📈 Summary by Severity:
  🚨 CRITICAL: 2
  ⚠️ HIGH: 1
  ⚡ MEDIUM: 3

🔍 Detailed Results:
--------------------

1. 🚨 Hardcoded credentials detected
   📋 ID: HARDCODED_CREDENTIALS
   🎯 Severity: CRITICAL
   📂 Category: credential-leak
   📍 Location: src/config.ts:15
   🔍 Evidence: const apiKey = "sk-***REDACTED***"

Development

Project Structure

mcp-watch/
├── main.ts                          # CLI entry point
├── types/
│   └── Vulnerability.ts             # Type definitions
├── scanner/
│   ├── MCPScanner.ts               # Main scanner orchestrator
│   ├── BaseScanner.ts              # Base scanner utilities
│   └── scanners/                   # Individual vulnerability scanners
│       ├── CredentialScanner.ts
│       ├── ParameterInjectionScanner.ts
│       └── ...
└── utils/
    └── reportFormatter.ts          # Report formatting

Development Scripts

# Build the project
npm run build

# Run in development mode
npm run dev scan https://github.com/user/repo

# Quick scan during development
npm run scan https://github.com/user/repo

# Clean build artifacts
npm run clean

Adding New Scanners

Create a new scanner in scanner/scanners/
Extend AbstractScanner
Implement the scan() method
Add to MCPScanner.ts

Example:

import { AbstractScanner } from "../BaseScanner";
import { Vulnerability } from "../../types/Vulnerability";

export class MyScanner extends AbstractScanner {
  async scan(projectPath: string): Promise<Vulnerability[]> {
    console.log("🔍 Scanning for my vulnerability type...");
    
    const vulnerabilities: Vulnerability[] = [];
    // Your scanning logic here
    
    return vulnerabilities;
  }
}

Security Research

This tool is based on security research from leading organizations in AI and cybersecurity, identifying novel attack vectors specific to MCP environments including:

Parameter injection attacks that extract sensitive AI context
Tool poisoning with hidden malicious instructions
Conversation exfiltration using trigger phrases
Steganographic attacks via ANSI escape sequences
Toxic agent flows across repository boundaries

Research Sources

VulnerableMCP Database (vulnerablemcp.info)
- Comprehensive database of MCP vulnerabilities
- Real-world attack patterns and examples
- Regular updates on new attack vectors
HiddenLayer Research (Exploiting MCP Tool Parameters)
- Parameter injection attacks that extract sensitive data
- Tool call history and conversation exfiltration
- System prompt extraction vulnerabilities
- Chain of thought manipulation
- Model name disclosure risks
Invariant Labs Research (GitHub MCP Vulnerability)
- Tool poisoning detection
- Toxic agent flows
- Cross-repository security issues
- Rug-pull updates in tool functionality
- Server spoofing prevention
Trail of Bits Research (MCP Security Research)
- Conversation exfiltration methods
- ANSI injection attacks
- Protocol-level vulnerabilities
- Insecure credential storage patterns
- Cross-server shadowing attacks
PromptHub Analysis (5 MCP Security Vulnerabilities)
- Command injection patterns (43% of public MCP servers affected)
- SSRF vulnerability statistics (30% allow arbitrary URL fetching)
- Path traversal attack vectors (22% leak files outside intended directories)
- Retrieval-Agent Deception (RADE) attacks
- Tool poisoning prevention strategies

Exit Codes

0 - No critical or high severity vulnerabilities found
1 - Critical or high severity vulnerabilities detected
1 - Scan error occurred

Contributing

Fork the repository
Create a feature branch
Run type checking with npm run type-check
Test your changes manually
Submit a pull request

License

MIT License - see LICENSE file for details.

Support

Create an issue for bug reports or feature requests
Check existing issues before creating new ones
Include scan output and repository details when reporting issues

⚠️ Security Notice: This tool identifies potential security issues but should not be the only security measure. Always perform manual security reviews and follow security best practices.

Recommend Servers

TraeBuild with Free GPT-4.1 & Claude 3.7. Fully MCP-Ready.

CursorThe AI Code Editor

DeepChatYour AI Partner on Desktop

Jina AI MCP ToolsA Model Context Protocol (MCP) server that integrates with Jina AI Search Foundation APIs.

Zhipu Web SearchZhipu Web Search MCP Server is a search engine specifically designed for large models. It integrates four search engines, allowing users to flexibly compare and switch between them. Building upon the web crawling and ranking capabilities of traditional search engines, it enhances intent recognition capabilities, returning results more suitable for large model processing (such as webpage titles, URLs, summaries, site names, site icons, etc.). This helps AI applications achieve "dynamic knowledge acquisition" and "precise scenario adaptation" capabilities.

AiimagemultistyleA Model Context Protocol (MCP) server for image generation and manipulation using fal.ai's Stable Diffusion model.

Amap Maps高德地图官方 MCP Server

Context7Context7 MCP Server -- Up-to-date code documentation for LLMs and AI code editors

Howtocook Mcp基于Anduin2017 / HowToCook （程序员在家做饭指南）的mcp server，帮你推荐菜谱、规划膳食，解决“今天吃什么“的世纪难题； Based on Anduin2017/HowToCook (Programmer's Guide to Cooking at Home), MCP Server helps you recommend recipes, plan meals, and solve the century old problem of "what to eat today"

Serper MCP ServerA Serper MCP Server

MCP AdvisorMCP Advisor & Installation - Use the right MCP server for your needs