MCTS (Model Context Threat Scanner) is a local-first security scanner for MCP servers -- static and live tool discovery, multiple analyzers, auditable risk scores, and JSON, SARIF, and HTML output. For authors and platform teams; CI-ready, no cloud API.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"mcts": {
"args": [
"mcp-mcts"
],
"command": "uvx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Security scanner for Model Context Protocol (MCP) servers — the programs that give AI assistants access to tools, files, databases, and APIs.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
uvx 'mcp-mcts' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked mcp-mcts against OSV.dev.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in data / security
Query and manage PostgreSQL databases directly from AI assistants
Zero-dependency, token-efficient database MCP server for Postgres, MySQL, SQL Server, MariaDB, SQLite.
Manage Supabase projects — databases, auth, storage, and edge functions
🔥 Official Firecrawl MCP Server - Adds powerful web scraping and search to Cursor, Claude and any other LLM clients.
MCP Security Weekly
Get CVE alerts and security updates for MCTS and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
Model Context Threat Scanner
Security scanner for Model Context Protocol (MCP) servers — the programs that give AI assistants access to tools, files, databases, and APIs.
Run one command to find permission issues, injection risks, attack chains, and more. Works locally, in CI, with no cloud account required.
New to MCP or MCTS? See the documentation index and glossary.
mcts scan ./server.py # single entrypoint
mcts scan ./ # entire repository
Scan the included vulnerable MCP server:
uv run mcts scan examples/vulnerable-mcp-server/server.py

$ mcts scan examples/vulnerable-mcp-server/server.py
==================== MCTS Security Report ====================
Overall Score: 1/100 (CRITICAL) ← legacy (--min-score)
Risk Index: 100/100
Scoring basis: 5 Critical, 11 High, 1 Medium (17 scorable findings)
Absolute Risk: 2260 (critical) ← v2 (--max-absolute-risk)
Security Score: 9/100 ← v2 benchmark
Severity Summary Top Findings
● Critical 5 [1] CRITICAL Destructive tool: delete_all_users
● High 11 [2] CRITICAL Read → exfiltration attack chain possible
● Medium 1 ...
Two scores on one scan is normal — see the scoring developer guide.
AI assistants connect to the outside world through MCP servers — small programs that expose callable tools (e.g. "delete user", "read file", "query database"). A misconfigured or malicious server can:
Most teams ship MCP servers without dedicated security review. MCTS makes scanning as routine as running a linter.
MCTS is alpha software with a local-first MCP security pipeline — no cloud account required for standard scans. Full reference: Security checks · CLI.
| Capability | How |
|---|---|
| Repository & entrypoint scan | mcts scan ./repo/ or mcts scan ./server.py — Python + TypeScript static discovery |
| Auto target resolution | mcts scan . --auto — pick entrypoint or lone MCP config server |
| Multi-surface analysis | --surfaces tool,prompt,resource,instruction |
| Repo instruction discovery | Default on static scans — SKILL.md, *prompt*.md, system_prompt.md → prompt/instruction analyzers |
| Live stdio probing | --live --i-understand-live-risk — merge runtime schemas with static context |
| Remote HTTP/SSE | --url + Bearer/OAuth — streamable HTTP and SSE transports |
| Air-gapped snapshot | --snapshot tools.json or mcts snapshot → offline scan |
| Machine-wide scan | mcts scan --machine-wide — all MCP servers in local client configs |
| Remote manifest probe | mcts scan-mcp <url> — pre-connect tools/list check |
| Per-technique mode | --technique MCTS-T-* — run one technique pack at a time |
| Capability | How |
|---|---|
| Core metadata checks | Permissions, poisoning, FSP, shadowing, line-jumping, jailbreak resistance |
| Source-aware SAST | Secrets, command execution, path validation in handler code |
| Behavioral static SAST | Description vs implementation mismatch + taint (Python, TS, Go, Rust) |
| Semgrep SAST (opt-in) | --semgrep — bundled rule |