A security scanner purpose-built for MCP servers and skill files that detects AVE vulnerabilities and produces OWASP AIVSS scores without executing any code. It runs six detection engines in parallel (regex patterns, YARA, Semgrep, LLM semantic analysis, and optional Docker sandbox), then deduplicates findings and runs toxic flow analysis to catch multi-step attack chains like credential exfiltration. The false positive reduction stack includes code fence stripping, negation context detection, and justified suppression with audit trails. You can scan local skill directories, check remote MCP servers via manifest without starting them, or pin files and detect rug pulls in git commits. Ships with 48 public vulnerability records and handles inline suppressions with required reviewer and optional expiry dates.
claude mcp add --transport stdio bawbel-scanner uvx scanner