Is io.github.bawbel/bawbel-scanner safe to use?

io.github.bawbel/bawbel-scanner has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install io.github.bawbel/bawbel-scanner?

io.github.bawbel/bawbel-scanner can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with io.github.bawbel/bawbel-scanner?

io.github.bawbel/bawbel-scanner is compatible with claude-desktop, cursor, claude-code. It uses stdio transport.

Is io.github.bawbel/bawbel-scanner actively maintained?

io.github.bawbel/bawbel-scanner is actively maintained — last commit was 1 day ago. It has 5 GitHub stars.

io.github.bawbel/bawbel-scanner

Security scanner for MCP servers and skill files. Detects AVE vulnerabilities before production.

5 0 tools GitHub

No known CVEs

No license

Actively maintained

Last commit 1d ago

Works with most clients

Transport: stdio

0 tools

Grade F

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "io-github-bawbel-bawbel-scanner": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-bawbel-bawbel-scanner)](https://mcppedia.org/s/io-github-bawbel-bawbel-scanner)

Read me

What io.github.bawbel/bawbel-scanner does

Security scanner for MCP servers and skill files. Detects AVE vulnerabilities before production.

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

34/100across 5 weighted dimensions

How we score →

0255075100

−66

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is io.github.bawbel/bawbel-scanner safe to use?: io.github.bawbel/bawbel-scanner has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install io.github.bawbel/bawbel-scanner?: io.github.bawbel/bawbel-scanner can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with io.github.bawbel/bawbel-scanner?: io.github.bawbel/bawbel-scanner is compatible with claude-desktop, cursor, claude-code. It uses stdio transport.
Is io.github.bawbel/bawbel-scanner actively maintained?: io.github.bawbel/bawbel-scanner is actively maintained — last commit was 1 day ago. It has 5 GitHub stars.

Similar servers

Others in security

View all →

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

8.7k 3

Evil Mcp Server91

An evil MCP server used for redteam testing

30 1

Atomic Red Team Mcp90

MCP server for Atomic Red Team

123 5

io.github.peacprotocol/peac90

Signed receipts for agent, API, and MCP interactions. Portable and offline-verifiable.

11 5

MCP Security Weekly

Get CVE alerts and security updates for io.github.bawbel/bawbel-scanner and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "io-github-bawbel-bawbel-scanner": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-bawbel-bawbel-scanner)](https://mcppedia.org/s/io-github-bawbel-bawbel-scanner)

Read me

What io.github.bawbel/bawbel-scanner does

Security scanner for MCP servers and skill files. Detects AVE vulnerabilities before production.

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

README

Bawbel Scanner

The only open-source scanner that produces OWASP AIVSS scores for MCP servers and skill files. Never executes code.

Bawbel never executes your MCP servers. Snyk's agent-scan does.

pip install "bawbel-scanner[all]"
bawbel scan ./skills/        # scan skill files
bawbel ssc https://server    # scan MCP server without starting it

Why Bawbel

	Bawbel	Snyk agent-scan	ClawGuard	Cisco DefenseClaw
Executes MCP servers during scan	Never	Yes	No	Sandboxed
Open vulnerability database	Yes (48 records, public API)	No	No	No
OWASP AIVSS v0.8 scores	Yes	No	No	No
Toxic flow detection	Yes (12 chains)	No	No	No
Conformance grading (A+ to F)	Yes	No	No	No
Git-committed rug pull detection	Yes	Local only	No	No
Justified suppression with expiry	Yes	No	No	No
License	Apache 2.0	Apache 2.0	MIT	Proprietary

How it works

System overview

How a scan flows from your file to an AIVSS-scored finding:

  your file
      |
      v
  [ Pre-processing ]
    code fence stripping
    negation context detection
      |
      v
  [ Detection engines ]  (run in parallel)
    1a  Pattern    40 regex rules, stdlib only, always on
    1b  YARA       39 binary/behavioral rules
    1c  Semgrep    41 structural rules
    2   LLM        semantic analysis via LiteLLM
    3   Sandbox    Docker behavioral sandbox
      |
      v
  [ Deduplication ]
    merge by (ave_id, line)
    pattern > yara > semgrep > llm > sandbox priority
      |
      v
  [ Toxic flow analysis ]
    map findings to capability tags
    check all pairs against 12 chain definitions
      |
      v
  [ ScanResult ]
    findings[]          active findings, sorted by severity
    suppressed_findings[]
    accepted_findings[] new in v1.2.0
    toxic_flows[]
    risk_score          max(findings, toxic_flows)
    aivss_score         OWASP AIVSS v0.8

Detection stages

Six engines run in parallel. Results merge before toxic flow analysis:

  Stage 1a   Pattern engine
             40 regex rules, no deps, < 5ms
             always active

  Stage 1b   YARA engine
             39 rules, multi-condition matching
             pip install "bawbel-scanner[yara]"

  Stage 1c   Semgrep engine
             41 structural rules, multi-line context
             pip install "bawbel-scanner[semgrep]"

  Stage 2    LLM engine
             semantic analysis, catches synonym attacks
             pip install "bawbel-scanner[llm]" + API key

  Stage 3    Sandbox engine
             dynamic behavioral analysis in Docker
             BAWBEL_SANDBOX_ENABLED=true

             +-----------+
  All  ----> | dedup     |

... [View full README on GitHub](https://github.com/bawbel/bawbel-scanner#readme)

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

34/100across 5 weighted dimensions

How we score →

0255075100

−66

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is io.github.bawbel/bawbel-scanner safe to use?: io.github.bawbel/bawbel-scanner has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install io.github.bawbel/bawbel-scanner?: io.github.bawbel/bawbel-scanner can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with io.github.bawbel/bawbel-scanner?: io.github.bawbel/bawbel-scanner is compatible with claude-desktop, cursor, claude-code. It uses stdio transport.
Is io.github.bawbel/bawbel-scanner actively maintained?: io.github.bawbel/bawbel-scanner is actively maintained — last commit was 1 day ago. It has 5 GitHub stars.