MCP Watch 🔍

A comprehensive security scanner for Model Context Protocol (MCP) servers that detects vulnerabilities and security issues in your MCP implementations.

Features

• 🔑 Credential Detection - Finds hardcoded API keys, tokens, and insecure credential storage
• 🧪 Tool Poisoning - Detects hidden malicious instructions in tool descriptions
• 🎯 Parameter Injection - Identifies magic parameters that extract sensitive AI context
• 💉 Prompt Injection - Scans for prompt manipulation and injection attacks
• 🔄 Tool Mutation - Detects dynamic tool changes and rug-pull risks
• 💬 Conversation Exfiltration - Finds triggers that steal conversation history
• 🎨 ANSI Injection - Detects steganographic attacks using escape sequences
• 📋 Protocol Violations - Identifies MCP protocol security violations
• 🛡️ Input Validation - Finds command injection, SSRF, and path traversal issues
• 🎭 Server Spoofing - Detects servers impersonating popular services
• 🌊 Toxic Flows - Identifies dangerous data flow patterns
• 🔐 Permission Issues - Finds excessive permissions and access control problems

Quick Start 🚀

Option 1: NPM Package (Recommended)

# Install globally
npm install -g mcp-watch

# Scan any GitHub MCP repository
mcp-watch scan https://github.com/user/mcp-server

# Scan your local MCP project
mcp-watch scan-local /path/to/your/mcp-project

Option 2: From GitHub Source

# Clone and use immediately
git clone https://github.com/kapilduraphe/mcp-watch.git
cd mcp-watch
npm install
npm run build

# Scan GitHub repos
npm run scan:github https://github.com/user/mcp-server

# Scan local projects  
npm run scan:local /path/to/your/mcp-project

Option 3: Docker (No Installation)

# Scan without installing anything
docker run --rm mcp-watch scan https://github.com/user/mcp-server
docker run --rm -v $(pwd):/workspace mcp-watch scan-local /workspace

Installation

Global Installation

npm install -g mcp-watch

Local Installation

npm install mcp-watch

From Source

git clone https://github.com/kapilduraphe/mcp-watch.git
cd mcp-watch
npm install
npm run build

Docker Installation 🐳

Quick Start with Docker

# Build and run locally
docker build -t mcp-watch .
docker run --rm mcp-watch scan https://github.com/user/mcp-server

# Build from source
git clone https://github.com/kapilduraphe/mcp-watch.git
cd mcp-watch
docker build -t mcp-watch .

Docker Compose (Recommended for Production)

# Build and run with Docker Compose
docker compose build
docker compose up mcp-watch

# Or run a one-off scan
docker compose run --rm mcp-watch scan https://github.com/user/repo

Docker Features

• 🔒 Security: Non-root user, minimal attack surface
• 📦 Optimized: Multi-stage builds, Alpine Linux base
• 🚀 Production: Ready for deployment and CI/CD
• 🧹 Simplified: Single optimized Dockerfile for all use cases

Usage

Command Line

Scan GitHub Repositories

# Scan a GitHub repository
mcp-watch scan https://github.com/user/mcp-server

# Scan with JSON output
mcp-watch scan https://github.com/user/mcp-server --format json

# Filter by severity
mcp-watch scan https://github.com/user/mcp-server --severity high

# Filter by category
mcp-watch scan https://github.com/user/mcp-server --category credential-leak

Scan Local Projects

# Scan current directory
mcp-watch scan-local .

# Scan specific directory (absolute path)
mcp-watch scan-local /path/to/your/mcp-project

# Scan specific directory (relative path)
mcp-watch scan-local ../my-mcp-server

# Local scan with JSON output
mcp-watch scan-local . --format json

# Local scan with severity filter
mcp-watch scan-local . --severity high

Installation Method Usage

From NPM Package

# Global installation (recommended)
npm install -g mcp-watch
mcp-watch sc

... [View full README on GitHub](https://github.com/kapilduraphe/mcp-watch#readme)