MCP Scan FAQs

Question 1

What is MCP Scan?

Accepted Answer

MCP Scan is a security tool that scans Model Context Protocol (MCP) servers for common vulnerabilities like prompt injections, tool poisoning, and cross-origin escalation attacks (tool shadowing).

Question 2

Can I run MCP Scan locally?

Accepted Answer

Yes, you can run MCP Scan locally using the `--local-only` flag. This will only run local checks and won't invoke the Invariant Guardrailing API, offering a privacy-focused scan but with potentially less accurate results. An OpenAI API key is required for local-only scanning.

Question 3

What type of attacks does MCP Scan detect?

Accepted Answer

MCP Scan detects prompt injection attacks, tool poisoning attacks, and cross-origin escalation attacks (tool shadowing) in your MCP server configurations. It also offers tool pinning to detect MCP rug pull attacks.

Question 4

How does MCP Scan work?

Accepted Answer

MCP Scan searches your configuration files for MCP server configurations, connects to the servers, and retrieves tool descriptions. It then scans those descriptions for vulnerabilities using local checks and Invariant Guardrails.

Question 5

Does MCP Scan store my data?

Accepted Answer

MCP Scan does not store or log any usage data, meaning the contents and results of your MCP tool calls are not saved. However, when not running locally, tool names and descriptions are shared with invariantlabs.ai for scanning purposes.

MCP Scan

MCP Scan

Key Features

Use Cases

Key Features

Use Cases