🔍

mcpwn

Security scanner for MCP servers.
Find vulnerabilities before attackers do.

pip install mcpwn

AGPL-3.0 10 Security Checks Python 3.11+ JSON Reports

What It Does

mcpwn scans MCP servers for security vulnerabilities before they go into production. Think of it as nuclei for MCP. Connect to any MCP server via stdio or SSE, run 10 automated security checks, and get a detailed report.

Security Checks

MCP-001Tool Poisoning Detection

MCP-002Prompt Injection in Tool Descriptions

MCP-003Excessive Permission Scope

MCP-004Data Exfiltration Vectors

MCP-005SSRF via URL Parameters

MCP-006Path Traversal

MCP-007Command Injection

MCP-008Sensitive Data Exposure

MCP-009Schema Validation Bypass

MCP-010Resource Exhaustion

Quick Start

# Install
pip install mcpwn

# Scan an MCP server via stdio
mcpwn scan --stdio "npx @modelcontextprotocol/server-filesystem /tmp"

# Scan via SSE
mcpwn scan --sse "http://localhost:8080/sse"

# JSON output for CI/CD
mcpwn scan --stdio "python my_server.py" --format json --output report.json

# Fail build on critical findings
mcpwn check --input report.json --fail-on critical

🛡️ Companion: mcp-firewall

Runtime security firewall for AI agents. 12-stage pipeline, policy engine, compliance reports.
Scan with mcpwn, protect with mcp-firewall.

Learn more pip install mcp-firewall

⭐ GitHub 📦 PyPI