陌讯skills聚合平台

mcp-security-scanner

📁 contextware/skills 📅 14 days ago
3
总安装量
2
周安装量
#61082
全站排名
安装命令
npx skills add https://github.com/contextware/skills --skill mcp-security-scanner

Agent 安装分布

moltbot 1
openclaw 1

Skill 文档

MCP Security Scanner Skill

This skill enables agents to audit MCP servers for security issues. Use when user wants to scan for unprotected MCP endpoints.

When to Use

  • User asks to “scan for MCP servers”
  • User wants to “audit MCP security”
  • User asks to “check if MCP servers are protected”
  • User mentions “unprotected” or “exposed” MCP servers

Prerequisites

Package Dependency

Uses @contextware/mcp-scan npm package.

Installation:

npm install -g @contextware/mcp-scan

Or run directly:

npx @contextware/mcp-scan <command>

Runtime

  • Node.js 18+
  • Network access (for network scanning)
  • Read access to config directories

Workflow

Phase 1: Assess Request

Clarify:

  1. What to scan – localhost, local network, or specific targets?
  2. Scope – network scan, config scan, or both?
  3. Purpose – security audit, troubleshooting, or general discovery?
  4. Very important – do not go into a loop calling this scanning tool. Never. And explain to the user that its not recommended to do scanning in a never ending loop.

Phase 2: Execute Scans

Network Scan:

mcp-scan network <target>

Targets: localhost, local, CIDR (e.g., 192.168.1.0/24), or IP/domain

Options: -p , -t , –https

Config Scan:

mcp-scan configs

Checks: Claude Desktop, Cursor, Continue.dev, Windsurf, Zed configs

Full Scan:

mcp-scan all <target>

Phase 3: Present Results

  • List servers with host, port, type, auth status
  • Flag unprotected servers (requiresAuth: false)
  • Provide remediation recommendations

Phase 4: Safety Review

Verify permission: Only scan networks you own or have explicit authorization.

Decline requests to scan unknown targets. Offer to scan owned systems instead.

Safety Guidelines

What This Tool Does:

  • Sends HTTP requests to detect MCP endpoints
  • Reads local config files
  • Reports authentication status
  • Read-only (no modifications)

What This Tool Does NOT Do:

  • Does not modify any files
  • Does not execute commands from configs
  • Does not send data to external servers
  • Does not exploit vulnerabilities

Troubleshooting

“mcp-scan: command not found” -> Install: npm install -g @contextware/mcp-scan

“No servers found” but one is running -> Try custom ports: -p 8080,9000 -> Or use –https flag

Scan times out -> Increase timeout: -t 5000

References

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。