Security scanner, traffic monitor, and dashboard for MCP servers — in one command.
Why?
If you use MCP servers with Claude Desktop, Cursor, or VS Code, your agent can read files, run shell commands, call APIs, and query databases.
Most people never audit what's actually exposed. This tool does that for you.
- Scans your configured MCP servers for security risks
- Grades each server A through F based on what tools it exposes
- Gives you a web dashboard to see everything at a glance
Quick Start
```bash
npx mcp-guardian scan
npx mcp-guardian dashboard
npx mcp-guardian monitor
```
No config needed. Auto-discovers servers from Claude Desktop, Cursor, VS Code, Windsurf, and Cline.
Features
Security Scanner
- Auto-discovery — finds configs across Claude Desktop, Cursor, VS Code, Windsurf, Cline, and local project files
- 10 rule categories — code execution, file system, network, database, credentials, process management, source control, browser automation, etc.
- A-F grading — per server and overall
- Static + live analysis — pattern matching for known servers, JSON-RPC for unknown ones
- JSON output — for CI/CD pipelines
```
$ npx mcp-guardian scan
🛡️ MCP Guardian — Overall Security Report
╔═══════════════════════════════════════════╗
║ ║
║ ██████╗ Overall Grade: D ║
║ ██╔══██╗ ████████████░░░░░░░░ 40/100 ║
║ ██║ ██║ ║
║ ██║ ██║ Servers scanned: 5 ║
║ ██████╔╝ Total tools: 24 ║
║ ╚═════╝ ║
║ ║
║ 🔴 Critical: 7 ║
║ 🟡 Warnings: 6 ║
║ 🔵 Info: 3 ║
║ ║
╚═══════════════════════════════════════════╝
```
Web Dashboard
```bash
npx mcp-guardian dashboard
# http://localhost:4173
```
Dark UI with server grade cards, findings table, tool inventory with risk tags, and real-time updates via WebSocket.
Traffic Monitor
```bash
npx mcp-guardian monitor --server filesystem
```
Watches MCP traffic in your terminal with color-coded methods and timestamps.
Security Rules
| ID | Category | Severity | Detects |
|---|---|---|---|
| EXEC_001 | Code Execution | 🔴 Critical | Shell commands, eval, subprocess |
| FS_001 | File System Write | 🔴 Critical | File creation, modification, deletion |
| NET_001 | Network Access | 🔴 Critical | HTTP requests, API calls |
| DB_001 | Database | 🔴 Critical | SQL queries, table modifications |
| FS_002 | File System Read | 🟡 Warning | Broad file/directory reading |
| ENV_001 | Credentials | 🟡 Warning | Env variables, secrets, tokens |
| PROC_001 | Process Mgmt | 🟡 Warning | Process spawning, signals |
| GIT_001 | Source Control | 🟡 Warning | Git push, force push |
| WEB_001 | Browser | 🔵 Info | Browser automation |
| MEM_001 | Memory | 🔵 Info | Persistent data storage |
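
The static pattern-matching idea behind these rules, shown as an added example (not mcp-guardian's own code): it classifies the tools in a constructed MCP `tools/list` JSON-RPC result. Rule IDs and severities come from the table above; the regex patterns, the `classifyTools` function and the sample tools are assumptions.

```javascript
// Added illustration, not mcp-guardian's source code.
// Rule IDs and severities are from the Security Rules table; the regex
// patterns are assumptions derived from its "Detects" column.
const RULES = [
  { id: 'EXEC_001', severity: 'critical', re: /\b(shell|eval|subprocess|exec(ute)?)\b/ },
  { id: 'FS_001', severity: 'critical', re: /\b(write|overwrite|create|delete|edit)\b.*\bfiles?\b/ },
  { id: 'NET_001', severity: 'critical', re: /\b(https?|fetch|url|api)\b/ },
  { id: 'DB_001', severity: 'critical', re: /\b(sql|query|database|table)\b/ },
  { id: 'FS_002', severity: 'warning', re: /\b(read|list)\b.*\b(files?|director(y|ies))\b/ },
  { id: 'ENV_001', severity: 'warning', re: /\b(env|secret|token|credential)s?\b/ },
  { id: 'PROC_001', severity: 'warning', re: /\b(spawn|process|kill|signal)\b/ },
  { id: 'GIT_001', severity: 'warning', re: /\b(git|push)\b/ },
  { id: 'WEB_001', severity: 'info', re: /\b(browser|screenshot|navigate)\b/ },
  { id: 'MEM_001', severity: 'info', re: /\b(memory|persist|remember)\b/ },
];
const RANK = { none: 0, info: 1, warning: 2, critical: 3 };

// Match every tool in a JSON-RPC `tools/list` response against RULES.
function classifyTools(response) {
  const tools = response && response.result && response.result.tools;
  if (!Array.isArray(tools)) {
    // An error reply or a truncated result must not be read as "no risky tools".
    throw new Error('not a valid tools/list result');
  }
  return tools.map((tool) => {
    // "_" is a word character for \b, so split snake_case names into words first.
    const text = `${tool.name} ${tool.description || ''}`.toLowerCase().replace(/_/g, ' ');
    const hits = RULES.filter((rule) => rule.re.test(text));
    const severity = hits.reduce((worst, r) => (RANK[r.severity] > RANK[worst] ? r.severity : worst), 'none');
    return { tool: tool.name, rules: hits.map((r) => r.id), severity };
  });
}

// Constructed sample response; the tool names and descriptions are invented.
const SAMPLE_RESPONSE = {
  jsonrpc: '2.0',
  id: 1,
  result: {
    tools: [
      { name: 'write_file', description: 'Create or overwrite a file on disk' },
      { name: 'read_file', description: 'Read the contents of a file' },
      { name: 'run_command', description: 'Execute a shell command' },
      { name: 'store_note', description: 'Persist a note in memory' },
    ],
  },
};

console.table(classifyTools(SAMPLE_RESPONSE));
```

Keyword matching of this kind only sees what a server declares about itself, so a tool with a vague or misleading description falls through as `none`.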
Recognized Servers
| Server | Tools | Risk |
|---|---|---|
| server-filesystem | 8 | 🔴 High |
| server-puppeteer | 5 | 🔴 High |
| server-postgres | 3 | 🔴 High |
| server-fetch | 1 | 🔴 High |
| server-github | 4 | 🟡 Medium |
| server-slack | 2 | 🟡 Medium |
| server-memory | 2 | 🔵 Low |
Install
```bash
# npx (no install)
npx mcp-guardian scan
# global
npm install -g mcp-guardian
# dev dependency
npm install --save-dev mcp-guardian
```
Requires Node.js 18+.
Config Discovery
| App | Path |
|---|---|
| Claude Desktop | ~/.config/claude/claude_desktop_config.json |
| Cursor | ~/.cursor/mcp.json |
| VS Code | ~/.vscode/mcp.json |
| Windsurf | ~/.codeium/windsurf/mcp_config.json |
| Cline | ~/.cline/mcp_settings.json |
| Local | ./mcp.json or ./.mcp.json |
Or pass a custom path:
```bash
npx mcp-guardian scan --config /path/to/config.json
```
CI/CD
```bash
npx mcp-guardian scan --format json > report.json
```
Roadmap
- [x] Security scanner with A-F grading
- [x] Auto-discovery for 5+ clients
- [x] Web dashboard
- [x] Traffic monitoring
- [x] JSON output
- [ ] GitHub Action
- [ ] MCP proxy mode for full traffic interception
- [ ] Custom rule definitions
- [ ] Vulnerability database for known packages
- [ ] Slack/Discord alerts
Contributing
```bash
git clone https://github.com/panavinsingh/mcp-guardian.git
cd mcp-guardian
npm install
npm run dev scan
npm run build
```
See CONTRIBUTING.md.
License
MIT