简介
mcp-audit 是面向安全的命令行工具:先盘点 MCP 配置,再按需扫描 MCP 服务器源码,帮助团队在上线前搞清楚 Agent 到底能访问什么。
最适合: Agent 工具链安全评审、CI 合规门禁、MCP 治理
适配: 本地仓库/目录;支持 JSON/CSV/SARIF/CycloneDX 输出;命令行工作流
配置时间: 5–10 分钟
关键事实(已验证)
- README 提供
scan(配置盘点)与source-scan(源码扫描)两类命令。 - README 列出 JSON/CSV/Markdown/SARIF/CycloneDX 1.6 AI-BOM 多种输出格式。
- GitHub:149 stars · 37 forks;最近更新 2026-05-12(GitHub API 验证)。
正文
把 mcp-audit 当作“持续护栏”而不是一次性报告:
- CI 里跑
mcp-audit scan,及时发现 MCP 配置里的意外密钥暴露。 - 给自研 MCP server 放权前先跑
source-scan做基线体检。 - 如果你已在用 GitHub Code Scanning,优先输出 SARIF 让问题直接落在研发工作流里。
README 原文节选(verbatim)
MCP Audit
See what your AI agents can access - before they go live.
Web App

CLI

What It Does
MCP Audit scans your AI development tools (Claude Desktop, Cursor, VS Code) and reveals:
- Secrets - Exposed API keys, tokens, database passwords
- APIs - Every endpoint your AI agents connect to
- AI Models - Which LLMs are configured (GPT-4, Claude, Llama)
- Risk Flags - Shell access, filesystem access, unverified sources
⚠️ 2 SECRET(S) DETECTED - IMMEDIATE ACTION REQUIRED
[CRITICAL] GitHub Personal Access Token
Location: github-tools → env.GITHUB_TOKEN
Remediation: https://github.com/settings/tokens → Delete → Recreate
[HIGH] Database Connection String
Location: postgres-mcp → env.DATABASE_URL
Remediation: Rotate credentials, use secrets managerSource-level Scanning (new in v1.1)
mcp-audit scan inventories MCP server configurations. The new mcp-audit source-scan command goes one level deeper — it reads the MCP server's own source code and flags code-level vulnerabilities the server author may have introduced.
Today it catches the "Prompt In, Shell Out" attack chain: an MCP server that pipes an LLM-controlled tool argument into a shell-spawning API (child_process.exec, util.promisify(exec), subprocess.run(shell=True), os.system, os.popen) without sanitization. An attacker controlling the LLM input can inject shell metacharacters and execute arbitrary code on the host running the MCP server.
$ mcp-audit source-scan ./packages/my-mcp-server
MCP source-scan: packages/my-mcp-server
1 critical · 0 high · 1 finding(s) total
Severity Conf File:Line API Snippet
CRITICAL high server.js:19 util.promisify(child_process.exec) ... const { stdout } = await execAsync(Outputs:
--format table(default, human-readable)
FAQ
scan 会检查什么?
答:README 表示它盘点 MCP 配置并汇总访问范围。
什么时候用 source-scan?
答:自研或不确定可信度的 MCP server 建议先做源码级扫描。
CI 里用什么输出? 答:JSON 便于解析;SARIF/CycloneDX 便于接入安全平台。