1 in 4 MCP servers has security issues. Find out in seconds.
Scan NowPaste an npm package name or GitHub URL. We'll download it, scan it, and show you the results.
32 rules across 8 categories, tuned for the MCP ecosystem.
eval(), new Function(), and dynamic code execution that can run arbitrary payloads.
Bulk reads of process.env and transmission of environment variables over the network.
Reads of SSH keys, cloud credentials, browser profiles, crypto wallets, and .env files.
Connections to Telegram bots, Discord webhooks, paste sites, and hardcoded IPs.
Shell commands built with string interpolation — classic command injection.
Hidden instructions in descriptions that override your AI agent's behavior.
Base64/hex decoding at runtime, hidden Unicode, and obfuscated JavaScript.
API keys, private keys, tokens, and crypto wallet addresses embedded in code.
We scanned 3,093 MCP servers from npm and the official registry. 28% had security findings. 176 scored zero. Read the full analysis.
I Scanned 3,093 MCP Servers. Here's What I Found.