Free security research tool

Most MCP servers ship wide open.
Is yours one of them?

Paste your MCP server configuration below. We check it against the same failure patterns we're seeing across the ecosystem right now — no signup, nothing stored.

40+
MCP-related CVEs disclosed across the ecosystem, Jan–Apr 2026
1 in 3
Scanned public MCP servers showed an SSRF-class exposure
7
Common misconfiguration patterns this tool checks for
The checker

Paste your config

Drop in your MCP server's JSON configuration or manifest. This is a static analysis — we read the structure you paste, we don't reach out to your server or your network.

This tool analyzes the configuration you paste for known misconfiguration patterns. It does not perform live network scanning, penetration testing, or exploit verification — treat findings as a starting point for review, not a certification.
A
Overall grade
No significant issues found
Methodology

What this checks — and what it doesn't

01 — Authentication

Flags configs with no discernible auth mechanism (API key, bearer token, OAuth) on any exposed tool or endpoint.

02 — Scope & permissions

Flags wildcard or overly broad tool permissions (e.g. a "*" scope on a shell or file-write capable tool).

03 — Transport security

Flags plaintext HTTP endpoints and servers bound to all interfaces (0.0.0.0) without an access restriction.

04 — Secret exposure

Flags API keys, tokens, or credential-shaped strings committed directly into the configuration file.