MCP Ecosystem Scanner
16 detection rules for MCP (Model Context Protocol) servers, mapped to the OWASP MCP Top 10 and Adversa AI MCP Security Top 25.
New: waingro mcp commands
# Scan a single MCP server
waingro mcp scan ./mcp-server-github/
# Discover servers from npm, GitHub, and awesome lists
waingro mcp discover --awesome awesome-mcp-servers/README.md -o manifest.json
# Batch scan from discovery manifest
waingro mcp batch manifest.json --results results.json --cleanup
16 MCP Detection Rules
| Rule | What it catches |
|---|---|
| MCP-001 | Tool description prompt injection |
| MCP-002 | Parameter schema injection |
| MCP-003 | Obfuscated tool handler code |
| MCP-004 | Remote code fetch in handlers |
| MCP-005 | Credential file/env access |
| MCP-006 | Sensitive file access |
| MCP-007 | MCP client config manipulation |
| MCP-008 | Transport exfiltration (tunnels, reverse shells) |
| MCP-009 | Rug pull indicators (lifecycle hooks) |
| MCP-010 | Scope escalation |
| MCP-011 | Missing authentication |
| MCP-012 | Path traversal patterns |
| MCP-013 | Tool name spoofing / homoglyphs |
| MCP-014 | Unsafe network binding (NeighborJack) |
| MCP-015 | Resource content poisoning surface |
| MCP-016 | Package name typosquatting |
Validated at Scale
Scanned 1,139 MCP servers from npm, GitHub, and awesome-mcp-servers. Results forthcoming in research paper.
Existing OpenClaw rules unchanged
All 30 OpenClaw skill detection rules carry forward. 247 tests passing.