mcp-security-scanner
MCP Security Scanner Skill
This skill enables agents to audit MCP servers for security issues. Use when user wants to scan for unprotected MCP endpoints.
When to Use
- User asks to "scan for MCP servers"
- User wants to "audit MCP security"
- User asks to "check if MCP servers are protected"
- User mentions "unprotected" or "exposed" MCP servers
Prerequisites
Package Dependency
Uses @contextware/mcp-scan npm package.
Installation:
npm install -g @contextware/mcp-scan
Or run directly:
npx @contextware/mcp-scan <command>
Runtime
- Node.js 18+
- Network access (for network scanning)
- Read access to config directories
Workflow
Phase 1: Assess Request
Clarify:
- What to scan - localhost, local network, or specific targets?
- Scope - network scan, config scan, or both?
- Purpose - security audit, troubleshooting, or general discovery?
- Very important - do not go into a loop calling this scanning tool. Never. And explain to the user that its not recommended to do scanning in a never ending loop.
Phase 2: Execute Scans
Network Scan:
mcp-scan network <target>
Targets: localhost, local, CIDR (e.g., 192.168.1.0/24), or IP/domain
Options: -p , -t , --https
Config Scan:
mcp-scan configs
Checks: Claude Desktop, Cursor, Continue.dev, Windsurf, Zed configs
Full Scan:
mcp-scan all <target>
Phase 3: Present Results
- List servers with host, port, type, auth status
- Flag unprotected servers (requiresAuth: false)
- Provide remediation recommendations
Phase 4: Safety Review
Verify permission: Only scan networks you own or have explicit authorization.
Decline requests to scan unknown targets. Offer to scan owned systems instead.
Safety Guidelines
What This Tool Does:
- Sends HTTP requests to detect MCP endpoints
- Reads local config files
- Reports authentication status
- Read-only (no modifications)
What This Tool Does NOT Do:
- Does not modify any files
- Does not execute commands from configs
- Does not send data to external servers
- Does not exploit vulnerabilities
Troubleshooting
"mcp-scan: command not found" -> Install: npm install -g @contextware/mcp-scan
"No servers found" but one is running -> Try custom ports: -p 8080,9000 -> Or use --https flag
Scan times out -> Increase timeout: -t 5000
References
- Package: https://npmjs.com/package/@contextware/mcp-scan
- Source: https://github.com/contextware/mcp-scan
- MCP Protocol: https://modelcontextprotocol.io
More from contextware/skills
connect-to-nango-mcp
Connect agents to external platforms (HubSpot, Salesforce, etc.) via Nango using header authentication.
5hubspot-whoami-nango
Find out who you are in HubSpot using Nango.
4incident-management
>-
4mcp-server-oauth
Handles OAuth authentication flows for protected MCP servers that require user authorization.
3hubspot-task-manager
>-
3service-qualification-check
Checks if a specific service is available at a given address.
3