Do I need to be a developer to understand the report?

No, the skill defaults to plain-language assessments and uses everyday analogies to explain security concepts to non-technical users.

What security risks does it look for?

It checks for critical vulnerabilities including hardcoded secrets, command injection, data exfiltration, and other OWASP MCP Top 10 categories.

Can it scan private repositories?

Currently, the skill requires public access to the source code to perform its security, functional, and legal analysis.

What repositories can MCP Scanner analyze?

It can scan GitHub repositories, npm packages, PyPI packages, and direct source file links to provide a comprehensive evaluation.

MCP Scanner

Name: MCP Scanner
Author: jbdamask

byjbdamask

•

Security & Testing

Evaluates third-party Model Context Protocol (MCP) servers for security vulnerabilities, functionality, and legal compliance before installation.

MCP Scanner provides a comprehensive safety net for developers and users exploring the Model Context Protocol ecosystem. By fetching and analyzing source code from repositories like GitHub, npm, and PyPI, the skill identifies potential security risks such as hardcoded secrets or command injection, verifies legal compliance via license checks, and assesses whether the tool's features align with user requirements. It bridges the gap between technical complexity and user safety by delivering clear, jargon-free assessments while offering deep-dive technical reports based on the OWASP MCP Top 10 upon request.

Key Features

01Automated security auditing against OWASP MCP Top 10 standards

02Source code analysis to detect malicious patterns and hardcoded secrets

03Plain-language safety reports using intuitive real-world analogies

04Functionality assessment to confirm the tool meets specific user needs

05Legal and licensing compliance verification for commercial or personal use

061 GitHub stars

Use Cases

01Verifying if an npm-based MCP package has a permissive license for enterprise or commercial use

02Performing a technical security audit on an unmaintained MCP server to identify potential risks

03Checking the safety of a new GitHub-hosted MCP tool before adding it to your Claude environment

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add jbdamask/john-claude-skills mcp-scanner

For use in Claude.ai and ChatGPT

Download Skill