Scan source code repositories for MCP configurations, dependencies, and server definitions.
Scan your local machine for MCP configurations in Claude Desktop, Cursor, VS Code, and other applications.
Download CLI Tool
The CLI tool scans your local computer for MCP configurations in:
- Claude Desktop - Anthropic's desktop application
- Cursor - AI-powered code editor
- VS Code - With Continue extension
- Windsurf - Codeium's editor
- Zed - Modern code editor
- Project folders - .mcp/ directories, mcp.json files
Verify integrity:
shasum -a 256 mcp-audit-cli.zip
Expected: 4917a451742038355265b0d9a74c0bb2b3a5ada28798ce3dd43238a8defcaa73
Installation Instructions
- Download the ZIP file above and extract it to a folder
- Open Terminal (Mac) or Command Prompt (Windows)
- Run the following commands:
cd mcp-audit-cli
pip install -e .
mcp-audit scan
Requirements: Python 3.9 or higher
Don't have Python? Download Python
CLI Commands
mcp-audit scan
Scans your local machine for all MCP server configurations.
Detects exposed secrets, catalogs API endpoints, and identifies risk flags.
Provides remediation guidance with provider-specific rotation links.
mcp-audit scan --secrets-only
Shows only detected secrets (API keys, tokens, passwords) in your MCP configs.
Includes severity levels: Critical, High, Medium.
Each finding includes step-by-step remediation with rotation URLs.
mcp-audit scan --apis-only
Shows the API inventory - all endpoints your MCPs connect to.
Categorizes by type: Database, REST API, SSE, SaaS, Cloud.
Credentials in URLs are automatically masked for safe display.
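As an added illustration of what the secrets and API-inventory output above involves (example code, not the tool's own), the snippet below parses a constructed mcp.json in the common mcpServers layout, flags env values whose key names suggest a credential, categorizes each endpoint, and masks user:password in URLs before display. The mcpServers layout, the key-name heuristic and the severity assignment are assumptions of this example.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the mcp.json / claude_desktop_config.json shape
# (assumed layout: {"mcpServers": {name: {command, args, env, url}}}).
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "postgres": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-postgres",
                 "postgresql://app:hunter2@db.internal:5432/prod"]},
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_EXAMPLE0000000000000000"}},
    "remote": {"url": "https://mcp.example.com/sse", "env": {"LOG_LEVEL": "debug"}},
}})

# Heuristics assumed for this example: secret-like env key names and DB URL schemes.
SECRET_KEY = re.compile(r"(token|secret|password|passwd|api[_-]?key|credential)", re.I)
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://\S+", re.I)
DB_SCHEMES = {"postgres", "postgresql", "mysql", "mongodb", "redis", "mssql"}

def mask_url(url):
    """Replace user:password in a URL with ***:*** so it can be displayed safely."""
    parts = urlsplit(url)
    if not parts.username:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit(parts._replace(netloc=f"***:***@{host}"))

def classify(url):
    """Bucket an endpoint into Database, SSE or REST API by scheme and path."""
    if urlsplit(url).scheme.lower() in DB_SCHEMES:
        return "Database"
    return "SSE" if url.rstrip("/").endswith("/sse") else "REST API"

def scan_config(text):
    """Return (secrets, apis) for one config; severities are this example's choice."""
    secrets, apis = [], []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        for key, value in server.get("env", {}).items():
            if SECRET_KEY.search(key) and value:
                secrets.append((name, key, "High"))
        for field in [server.get("url", "")] + list(server.get("args", [])):
            for url in URL_RE.findall(str(field)):
                if urlsplit(url).password:
                    secrets.append((name, "url-credential", "Critical"))
                apis.append((name, classify(url), mask_url(url)))
    return secrets, apis
```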
mcp-audit scan --models-only
Shows only detected AI models configured in your MCPs.
Identifies models from OpenAI, Anthropic, Google, Meta, Mistral, and local Ollama.
Shows hosting type (Cloud vs Local) for each model.
mcp-audit scan --verbose
Runs the same scan but with detailed output for each step.
Shows exactly which configuration files are being checked.
Useful for troubleshooting or understanding what the tool is doing.
mcp-audit registry
Displays the complete list of known MCP servers in our database.
Shows provider, risk level, and description for each registered MCP.
Helps you identify whether an MCP is from a trusted source.
mcp-audit registry --risk critical
Filters the registry to show only MCPs with critical risk level.
Critical MCPs have access to databases, cloud infrastructure, or shell commands.
Use this to quickly identify the most sensitive MCP servers in your environment.
mcp-audit scan --format json -o results.json
Exports your scan results to a JSON file for further analysis.
Perfect for integrating with other security tools or CI/CD pipelines.
Also supports CSV and Markdown formats for reports and documentation.
mcp-audit scan --format cyclonedx -o ai-bom.json
Exports AI Bill of Materials (AI-BOM) in CycloneDX 1.6 format.
Industry-standard format for AI supply chain security and compliance.
Use --format cyclonedx-xml for XML output.
mcp-audit scan --email user@example.com
Sends a professional PDF security report to the specified email.
Includes executive summary, findings, and remediation guidance.
Great for sharing results with security teams or compliance audits.