Agentic Control Plane

MCP Server Security Scanner

Paste your tools/list response below. Get an instant security grade with specific, actionable findings.

100% client-side. No data leaves your browser.

How to get your tools/list response

Option 1: curl (for Streamable HTTP servers)

curl -s -X POST https://your-mcp-server/endpoint \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' \
  | jq '.result.tools'

Option 2: MCP Inspector

Use the MCP Inspector to connect to any MCP server, click "List Tools", and copy the JSON response.

Option 3: From your MCP client logs

Most MCP clients (Claude Desktop, Cursor, Cline) log the tools/list response. Check the MCP logs for the tools array.

What this scanner checks

CRITICAL — Path traversal vectors, SSRF-prone URL params, command injection inputs
HIGH — SQL/query injection risks, destructive operations without safeguards
MEDIUM — Write operations without explicit scoping
LOW/INFO — Unconstrained string inputs, missing tool descriptions
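
The sketch below shows how checks in these four tiers can be derived from the tools array alone. It is an added example, not the scanner's own code: the parameter-name patterns, the `confirm`/`dry_run` safeguard names, and the rule that "scoped" means at least one enum, pattern or const constraint are assumptions made for illustration, and the sample tools are constructed.

```javascript
// Added illustration. The name patterns and "safeguard" parameter names below are
// assumptions chosen for this sketch, not the scanner's actual rule set.
const PARAM_RULES = [
  { sev: "CRITICAL", what: "path traversal vector", re: /(^|_)(path|file|filename|dir)$/i },
  { sev: "CRITICAL", what: "SSRF-prone URL param", re: /(^|_)(url|uri|endpoint|webhook)$/i },
  { sev: "CRITICAL", what: "command injection input", re: /(^|_)(cmd|command|shell|script)$/i },
  { sev: "HIGH", what: "SQL/query injection risk", re: /(^|_)(sql|query|where)$/i },
];
const DESTRUCTIVE = /^(delete|drop|remove|truncate|purge)/i;
const WRITE = /^(write|create|update|put|set)/i;

// Treat a string as constrained only when the schema pins it to known values or a pattern.
const isConstrained = (s) => Boolean(s.enum || s.pattern || s.const !== undefined);

function scanTools(tools) {
  const findings = [];
  for (const tool of tools) {
    const props = (tool.inputSchema && tool.inputSchema.properties) || {};
    const add = (sev, what, param) => findings.push({ sev, tool: tool.name, param, what });
    if (!tool.description) add("INFO", "missing tool description");
    if (DESTRUCTIVE.test(tool.name) && !("confirm" in props || "dry_run" in props))
      add("HIGH", "destructive operation without safeguards");
    if (WRITE.test(tool.name) && !Object.values(props).some(isConstrained))
      add("MEDIUM", "write operation without explicit scoping");
    for (const [param, schema] of Object.entries(props)) {
      if (schema.type !== "string" || isConstrained(schema)) continue;
      const rule = PARAM_RULES.find((r) => r.re.test(param));
      add(rule ? rule.sev : "LOW", rule ? rule.what : "unconstrained string input", param);
    }
  }
  return findings;
}

// Constructed sample in the shape of `.result.tools` from a tools/list response.
const SAMPLE_TOOLS = [
  { name: "read_file", description: "Read a file",
    inputSchema: { type: "object", properties: { path: { type: "string" } } } },
  { name: "fetch",
    inputSchema: { type: "object", properties: { url: { type: "string" } } } },
  { name: "delete_record", description: "Delete a row",
    inputSchema: { type: "object", properties: {
      table: { type: "string", enum: ["drafts"] }, id: { type: "integer" } } } },
];

for (const f of scanTools(SAMPLE_TOOLS))
  console.log(`${f.sev.padEnd(8)} ${f.tool}${f.param ? "." + f.param : ""}: ${f.what}`);
```

Name-based matching like this only surfaces candidates for review; whether a flagged parameter is actually exploitable depends on how the server validates it.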