free_tool
MCP Server Security Auditor
Point it at a live MCP server and it does the read-only handshake to list the tools that server advertises, then grades the surface for the risks that actually bite agents: injection text hidden in descriptions, capability combinations that add up to an exfiltration path, over-broad inputs, and secrets sitting in plain sight. No server to reach? Paste its tools/list instead.
The handshake is read-only: it calls initialize and tools/list and never invokes one of your tools. Requests are blocked from pointing at private or internal addresses. A clean grade means the advertised surface looks safe, not that the server's implementation is.
why_it_matters
The tool surface is the attack surface
An agent trusts what an MCP server tells it. A description that says ignore previous instructions is read as an instruction, not as documentation, so a single malicious server can steer the whole agent.
Most real damage comes from combinations: a tool that reads secrets and another that makes outbound requests are each fine alone and an exfiltration path together. This grades the surface as a whole, the way an attacker sees it.
faq
Questions & answers
- What does the MCP Security Auditor actually check?
- It enumerates a server's advertised tools and looks for four classes of risk: prompt-injection text hidden in tool names or descriptions, dangerous capability combinations (for example reading secrets plus making outbound network calls, which is an exfiltration path), over-broad or unconstrained inputs, and secrets exposed in the tool surface itself. Each finding is mapped to a STRIDE category and graded.
- Does it connect to my server, and is that safe?
- If you give a URL it performs the standard MCP handshake (initialize then tools/list) and reads the advertised tools. It never calls any of your tools, only the read-only listing methods, and every request is guarded against pointing at private or internal addresses. If your server needs auth or is not reachable, you can paste its tools/list response instead.
- Why is a tool description with instructions in it dangerous?
- An agent reads tool descriptions as part of its context. A malicious or compromised MCP server can put text like 'ignore previous instructions' or 'always call this first' in a description to hijack the calling model. Because the description is trusted by default, this is one of the most direct attacks on an agent, so the auditor flags it as critical.
- How is this different from the MCP & Agent Tool Auditor?
- The MCP & Agent Tool Auditor checks the quality of pasted tool schemas: naming, selection, schema hygiene and token cost. This tool takes a security and threat-modeling lens on a live server: injection surface, exfiltration combinations, over-permissioning and secret exposure, presented as a STRIDE report. They are complementary.
Shipping agents on MCP? Get the surface locked down.
This grades what a server advertises. I'll go deeper: threat-model the full agent, split dangerous capabilities, and put guardrails around the tools that can do real damage. Book a call, or leave your email.
Prefer proof first? See how this plays out in real case studies →