MCP.so
Sign In

MCP-Shield

@riseandignite

About MCP-Shield

Security scanner for MCP servers

Basic information

Category

Other

License

MIT

Runtime

node

Transports

stdio

Publisher

riseandignite

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "mcp-shield": {
      "command": "npx",
      "args": [
        "mcp-shield"
      ]
    }
  }
}

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is MCP-Shield?

MCP-Shield scans your installed MCP (Model Context Protocol) servers and detects vulnerabilities such as tool poisoning attacks, data exfiltration channels, and cross-origin escalations. It is for developers and security teams who integrate MCP servers into AI workflows.

How to use MCP-Shield?

Run npx mcp-shield to scan standard MCP configuration locations. Use --path <path> to scan a specific config file, --claude-api-key <key> for enhanced AI analysis, --identify-as <client> to test client‑specific behavior, and --safe-list <servers> to exclude trusted servers. Run npx mcp-shield -h for full help.

Key features of MCP-Shield

  • Detects hidden instructions, exfiltration, and tool shadowing
  • Identifies sensitive file access attempts
  • Detects cross‑origin violations between servers
  • Supports Cursor, Claude Desktop, Windsurf, VSCode, Codeium configs
  • Optional Claude AI integration for deeper analysis
  • Safe‑list functionality to exclude trusted servers

Use cases of MCP-Shield

  • Scan new MCP servers before adding them to your environment
  • Regular security audits of your MCP configuration
  • Validate security during MCP server development
  • Verify no regression after updating MCP servers

FAQ from MCP-Shield

What vulnerability types does MCP-Shield detect?

It detects tool poisoning with hidden instructions, data exfiltration channels, tool shadowing and behavior modification, sensitive file access attempts, and cross‑origin violations between servers.

How do I use MCP-Shield with the Claude API?

Pass the --claude-api-key YOUR_API_KEY flag when running the scan. This enables AI‑powered analysis that provides detailed risk assessments and explanations for each detected vulnerability.

Can I scan a specific configuration file?

Yes, use the --path <path> option to point to a specific MCP config file (.mcp/*.json or claude_desktop_config.json). If omitted, MCP-Shield scans standard locations on your system.

Does MCP-Shield support a safe list?

Yes, use --safe-list "server1,server2" to exclude those servers from scanning and from cross‑origin violation detection.

What MCP client configurations does it support?

It supports Cursor, Claude Desktop, Windsurf, VSCode, and Codeium configuration files.

Comments

More Other MCP servers