How We Built an Automated MCP Security Scanner (And What We Found)
Source: Dev.to
The Problem We Set Out to Solve
When you install an MCP server, you’re giving an AI agent a new capability. That server might read your filesystem, execute shell commands, or call external APIs. But who audited that code before it ran on your machine?
Nobody. Until now.
At AgentAudit, we built an automated multi‑agent pipeline that audits MCP servers, npm packages, pip packages, and AgentSkills — and flags security risks before your agent ever touches them.
The Architecture
Our audit pipeline runs three specialized sub‑agents in parallel, each with a different security lens:
Agent 1: Static Analysis
Scans the source code for known vulnerability patterns:
- Unsanitized shell command injection (
child_process.execwith user input) - Hardcoded credentials and API keys
- Overly broad filesystem access permissions
- Insecure deserialization
Agent 2: Capability Graph Analysis
We parse the MCP server’s tool schema declarations — the JSON descriptions of what each tool can do — and cross‑reference them against what the code actually does.
A weather MCP server that declares it only reads weather data but internally has access to your filesystem? That’s a red flag. We catch that gap.
Agent 3: Dependency Chain Auditor
Recursively scans the dependency tree for:
- Known CVEs in transitive dependencies
- Packages with unusually broad permissions
- Supply‑chain anomalies (e.g., a package that changed maintainers 2 weeks ago)
Multi‑Agent Consensus
Each agent produces a structured audit report. A consensus layer then:
- Deduplicates overlapping findings
- Assigns severity based on exploitability in an agent context
- Generates a Trust Score (0–100) for the package
Why multi‑agent consensus? Because a single model hallucinates. Three models with different system prompts, cross‑checking each other, don’t.
The Results (So Far)
After running 211 independent audit reports across 194 packages:
| Severity | Count | % of Total |
|---|---|---|
| 🔴 Critical | 5 | 4.2% |
| 🟠 High | 9 | 7.6% |
| 🟡 Medium | 63 | 53.4% |
| 🟢 Low | 41 | 34.7% |
Average Trust Score: 98/100. The MCP ecosystem is mostly safe — but those 14 critical/high findings represent real, exploitable vulnerabilities.
Most common patterns
- Shell command injection via prompt input — crafted prompts cause MCP servers to execute arbitrary shell commands
- Environment variable leakage — API keys accidentally included in LLM context windows
- Overly broad filesystem access — servers requesting full
~/access when they need one directory
What Makes MCP Security Different
Traditional scanners (Snyk, Socket) are great for known CVEs and supply‑chain risks. But MCP servers introduce a different threat model:
- The attack vector is the prompt, not the network
- The “user” is an AI agent — it won’t notice suspicious behavior
- The execution context is your local machine or production server
A package can pass every traditional security check and still be exploitable through adversarial prompts. That’s the gap we’re filling.
Try It
Audit any MCP server, npm package, or pip package at agentaudit.dev.
Full findings: State of MCP Security 2026
Every finding is cross‑validated by three independent AI agents before it reaches you.