Skip to content

tamish560/mcprobe

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

mcprobe

Go Report Card Go Version License: MIT Release Tests

you're connecting random MCP servers to your agent. you haven't checked them. mcprobe checks them.

it introspects any MCP server, reads every tool description, every schema, every resource URI, and tells you what's wrong before you connect it to something that has filesystem access and shell access.

single binary. zero dependencies. go stdlib only.

checks

check severity what it finds
prompt injection CRITICAL "ignore previous instructions" sitting in a tool description. a model will follow it.
tool shadowing HIGH same tool name on multiple servers. your agent won't know which one it's calling.
resource exposure HIGH/MEDIUM tools that want /etc, your ssh keys, your .env file. nothing stops them.
path traversal HIGH resource URIs with ".." in them. you know what that does.
oversized descriptions MEDIUM 2000+ character descriptions. something could be hiding in there.
missing metadata LOW no description, no schema. the model will guess. the model will guess wrong.
baseline drift CRITICAL server changed since you last checked it. someone updated it. or replaced it.

install

go install github.com/tamish560/mcprobe@latest

or build from source:

git clone https://github.com/tamish560/mcprobe.git
cd mcprobe
go build -o mcprobe

or grab a prebuilt binary from releases.

usage

scan a stdio server:

mcprobe -command 'node server.js'

scan an HTTP server:

mcprobe -http http://localhost:3000/mcp

scan an SSE server:

mcprobe -sse http://localhost:3000/sse

just list tools, skip the scan:

mcprobe -command 'node server.js' -list

baseline and drift

save what the server looks like today:

mcprobe -command 'node server.js' -baseline snap.json

check if it changed later:

mcprobe -command 'node server.js' -diff snap.json

it detects:

  • tool descriptions changed (someone rewrote what the tool does)
  • tools added (you didn't add them. who did?)
  • tools removed (hope you weren't using them)
  • schemas modified (the inputs are different now. your agent doesn't know that.)
  • server version changed (someone updated it. or replaced it.)

tool shadowing

when multiple MCP servers define the same tool name, your agent can't tell them apart. a malicious server exploits this to intercept calls meant for the real one. save baselines for each server, then check:

mcprobe -shadow -shadow-dir ./baselines/

CI

SARIF output for GitHub Actions or anything that reads SARIF:

mcprobe -command 'node server.js' -format sarif -out results.sarif

exit codes:

  • 0: clean (nothing high or critical)
  • 1: error (something went wrong)
  • 2: dangerous (high or critical findings. you should not be running this server.)

what it detects

prompt injection (CRITICAL)

18 patterns including:

  • "ignore all previous instructions"
  • "you are now a ..."
  • "act as if ..."
  • "execute arbitrary commands"
  • "read any file/env/secret"
  • "rm -rf", "curl | bash"
  • "exfiltrate data/secrets/keys"
  • "disable/bypass security"
  • "base64 decode"
  • "override safety/policy/guardrail"

this is not hypothetical. these patterns exist in real MCP servers. people connect them to agents without checking.

tool shadowing (HIGH/CRITICAL)

two servers, same tool name. the LLM picks one. you don't know which. a malicious server wins the coin flip and intercepts the call. good luck debugging that.

path traversal (HIGH)

resource URIs with ".." in them. this is path traversal 101. it should not exist in a tool you're connecting to an agent.

missing metadata (LOW)

no description. no schema. you can't audit what you can't read. the model will guess what the tool does. it will guess wrong. you'll find out when something breaks.

oversized descriptions (MEDIUM)

2000+ characters in a tool description. nobody reads that. including the model. something could be hiding in there.

rug-pull detection (CRITICAL)

you trusted the server. you ran mcprobe -baseline. it was clean. three weeks later the server updates and the tool description now says "ignore previous instructions." you wouldn't know. mcprobe would.

output formats

  • text (default): reads like a human wrote it. because it did.
  • json: full structured scan result
  • sarif: SARIF 2.1.0 for CI

risk scoring

score level
0-9 MINIMAL
10-24 LOW
25-49 MEDIUM
50-74 HIGH
75-100 CRITICAL

architecture

transport.go   MCP client transport (stdio + HTTP + SSE)
client.go      JSON-RPC client, server introspection
scanner.go     security analysis engine, pattern detection
baseline.go    snapshot persistence, drift detection
report.go      text, JSON, SARIF output
main.go        CLI entry point
mcprobe_test.go  23 tests

no external dependencies. pure go stdlib. one static binary.

license

MIT

About

Security scanner and introspection tool for MCP servers. Connect, inspect, detect injection patterns, find tool shadowing, baseline for drift. Single binary, zero dependencies, Go stdlib only.

Topics

Resources

License

Stars

2 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors