If you're letting AI agents loose with MCP servers, this catches the security holes before they bite you. It scans .mcp.json files for hardcoded API keys and tokens, flags shell injection patterns in server args, and warns when you're using @latest instead of pinned versions. The pattern matching is solid: catches GitHub tokens, OpenAI keys, AWS credentials, plus dangerous stuff like bash -c and command substitution. Honestly most valuable during code review or as a pre-commit hook. The checks are straightforward Python you can extend with your own patterns or approved server lists. Not a replacement for a real secrets scanner, but a good first line of defense for MCP-specific risks.
npx skills add https://github.com/github/awesome-copilot --skill mcp-security-audit
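A minimal sketch of the three check families described above (hardcoded secrets, shell patterns in server args, `@latest` versions), added here as an example and not the skill's own code. The `mcpServers` layout, the regexes, the rule names, and the server and package names in the constructed sample are assumptions.

```python
import json
import re

# Assumed patterns for illustration; not the skill's own list.
SECRET_PATTERNS = {
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "openai-key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}
SHELLS = {"sh", "bash", "zsh"}
SUBSTITUTION = re.compile(r"\$\(|`")   # $(...) or backticks
UNPINNED = re.compile(r"@latest$")

# Constructed sample config; the token is a fake built from repeated characters.
SAMPLE = json.dumps({"mcpServers": {
    "github": {"command": "npx",
               "args": ["-y", "example-mcp-github@latest"],
               "env": {"GITHUB_TOKEN": "ghp_" + "A" * 36}},
    "helper": {"command": "bash",
               "args": ["-c", "run-server --root $(pwd)"]},
    "files": {"command": "npx",
              "args": ["-y", "example-mcp-files@1.4.2", "/srv/data"]},
}})


def audit_mcp_config(text):
    """Return sorted (server, rule) findings for an .mcp.json document."""
    findings = set()
    servers = json.loads(text).get("mcpServers", {})
    for name, spec in servers.items():
        command = str(spec.get("command", ""))
        args = [str(a) for a in spec.get("args", [])]
        values = args + [str(v) for v in spec.get("env", {}).values()]
        # Hardcoded credentials in args or env values.
        for value in values:
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(value):
                    findings.add((name, rule))
        # A shell invoked with -c runs whatever string follows it.
        if command.rsplit("/", 1)[-1] in SHELLS and "-c" in args:
            findings.add((name, "shell-dash-c"))
        if any(SUBSTITUTION.search(a) for a in args):
            findings.add((name, "command-substitution"))
        # @latest resolves to whatever is published at install time.
        if any(UNPINNED.search(a) for a in args):
            findings.add((name, "unpinned-latest"))
    return sorted(findings)


if __name__ == "__main__":
    for server, rule in audit_mcp_config(SAMPLE):
        print(f"{server}: {rule}")
```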