aicoolies logo
MCP-Scan logo

MCP-Scan

Security scanner for MCP servers against tool poisoning attacks

Share
open-sourceOpen Source
Visit Website →

MCP-Scan is a security tool that scans MCP servers for vulnerabilities including tool poisoning, prompt injection, cross-origin escalation, and rug pull attacks. Acquired by Snyk in 2026, it is the first dedicated security scanner for the MCP ecosystem. It analyzes tool descriptions, permissions, and behavior patterns to detect malicious or compromised MCP servers before they can exploit AI agents.

As the MCP ecosystem scales to thousands of community-built servers, the attack surface for AI agents has expanded dramatically. MCP-Scan addresses this emerging threat by providing automated security analysis specifically designed for Model Context Protocol servers. The tool inspects server manifests, tool descriptions, and runtime behavior to detect several classes of attacks: tool poisoning where malicious instructions are embedded in tool descriptions to manipulate LLM behavior, prompt injection through tool outputs, cross-origin escalation where one server's tools gain unauthorized access to another server's resources, and rug pull attacks where initially benign servers are later modified to include malicious functionality.

The scanning process examines both static properties and dynamic behavior of MCP servers. Static analysis checks tool descriptions for hidden instructions, excessive permission requests, and suspicious patterns that might indicate an attempt to influence agent behavior beyond the tool's stated purpose. Dynamic analysis monitors actual tool execution to detect discrepancies between declared and actual behavior, data exfiltration attempts, and unauthorized network access. The tool produces structured security reports with severity ratings and remediation recommendations that help development teams make informed decisions about which MCP servers to trust in their agent deployments.

Invariant Labs, the company behind MCP-Scan, was acquired by Snyk in April 2026, signaling that MCP security has become a mainstream concern for the developer security industry. The acquisition brings MCP vulnerability scanning into Snyk's broader application security platform, enabling organizations to include MCP server analysis in their existing security review workflows. As an Apache-2.0 licensed CLI tool, MCP-Scan can be integrated into CI/CD pipelines to automatically scan MCP server configurations before deployment, providing a security gate for the AI agent supply chain.

Pricing

Free CLI (Apache-2.0); Invariant Guardrails API paid

Platforms

CLI tool — any platform with Python

Categories

Tags

Use Cases

Alternatives

garak logo

garak

NVIDIA's LLM vulnerability scanner and red-teaming tool

garak is NVIDIA's open-source LLM vulnerability scanner for red-teaming AI models and applications. Probes for prompt injection, data leakage, hallucination, toxicity, encoding-based attacks, and dozens of other vulnerability categories. Runs automated attack sequences against any LLM endpoint and generates detailed vulnerability reports. Features a modular probe/detector architecture that is extensible with custom attack patterns. Named after the Star Trek character known for deception.

open-sourceOpen Source

NeMo Guardrails

Programmable safety rails for LLM applications

NeMo Guardrails is NVIDIA's open-source toolkit for adding programmable safety rails to LLM applications. It supports five guardrail types — input, dialog, retrieval, execution, and output rails — covering content safety, jailbreak detection, topic control, PII masking, hallucination detection, and fact-checking. The toolkit uses Colang, a domain-specific language for defining conversational constraints, and integrates with OpenAI, Azure, Anthropic, HuggingFace, and LangChain/LangGraph.

free
LLM Guard logo

LLM Guard

Input and output security scanners for LLM applications

LLM Guard is an open-source security toolkit by Protect AI that provides 15 input scanners and 20 output scanners to protect LLM applications from prompt injection, PII leakage, toxic content, secrets exposure, and data exfiltration. Each scanner is modular and independent — pick the ones you need, configure thresholds, and chain them into a pipeline. The library works with any LLM and has been downloaded over 2.5 million times. MIT licensed, Python 3.9+.

open-sourceOpen Source
Guardrails AI logo

Guardrails AI

Validate and structure LLM outputs with composable Guards

Guardrails AI is an open-source Python and JavaScript framework for validating and structuring LLM outputs using composable Guards built from a Hub of pre-built validators. It handles structured data extraction with Pydantic models, content safety checks including toxicity, PII detection, competitor mentions, and bias filtering, plus automatic re-prompting when validation fails. The Guardrails Hub offers dozens of validators from regex matching to hallucination detection via LLM judges.

free

Related Tools

Hermes Agent logo

Hermes Agent

Top Pick

Open-source AI agent framework with persistent memory, reusable skills, tools, and messaging gateways

Hermes Agent is an open-source AI agent framework with persistent memory, reusable skills, 40+ tools, cron jobs, and messaging gateways.

open-sourceOpen Source

Safari MCP Server

Apple's Safari-native MCP server for web debugging agents

Safari MCP Server is Apple's safaridriver-based MCP server in Safari Technology Preview, giving compatible coding agents local access to Safari page content, console logs, network requests, screenshots, JavaScript evaluation, interactions, viewport controls, and accessibility/performance checks.

freeTelemetry

Headroom

Context compression for LLM apps and coding agents

Headroom is an Apache-2.0 context compression layer for LLM apps and coding agents. It compresses tool output, logs, files, RAG chunks, and agent history through a local library, proxy, wrapper, or MCP server, with retrieval hooks for bringing originals back when needed. Treat its savings numbers as Headroom-reported benchmarks, not independent aicoolies measurements.

open-sourceOpen SourceTelemetry

Codebase Memory MCP

Codebase knowledge graph MCP server for AI coding agents

Codebase Memory MCP is an MIT-licensed MCP server that turns a repository into a persistent code knowledge graph for AI coding agents. It gives Claude Code, Cursor, Codex-style agents, and other MCP clients structural queries for functions, classes, call chains, routes, and architecture, helping them explore large projects without repeatedly rereading files or relying only on broad search.

open-sourceOpen SourceTelemetry
BeeAI Framework logo

BeeAI Framework

Python and TypeScript framework for production multi-agent systems

BeeAI Framework is an Apache-2.0 toolkit for building production-ready AI agents and multi-agent systems in Python and TypeScript. Its docs cover agents, tools, RAG, memory, workflows, backend providers, serving, and A2A/MCP integration surfaces, making it a vendor-neutral option for teams comparing LangGraph, CrewAI, Mastra, and related agent runtimes.

open-sourceOpen SourceTelemetry

Supabase MCP

MCP server for connecting AI assistants to Supabase projects

Supabase MCP is Supabase's Apache-2.0 server for connecting AI assistants to Supabase projects. It can expose database, configuration, and project-management workflows to MCP clients such as Cursor, Claude, and Windsurf, while the official docs emphasize permission and security review before production use, SQL changes, or high-privilege database access.

open-sourceOpen SourceTelemetry

Comparisons