← Back to Skills Marketplace
Mcp Server Scanner
by
engsathiago
· GitHub ↗
· v1.0.0
· MIT-0
108
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install mcp-server-scanner
Description
Scans and assesses MCP servers for vulnerabilities, insecure configs, data exposure, and compliance with SOC 2, GDPR, and ISO 27001 standards.
Usage Guidance
This skill's goals (discovering MCP servers, finding hardcoded secrets, scanning configs and network) imply access to sensitive system files and network traffic, but the package declares no required credentials, binaries, or file paths and gives only vague instructions. Before installing or invoking it: 1) Ask the author for source code or a trustworthy homepage and for an explicit list of files/paths, network ranges, and credentials the skill will access. 2) Require the skill to declare required env vars and exact commands it will run, or reject it. 3) Run any scan in an isolated/test environment and with written authorization for the scope. 4) Avoid granting the agent network access or secrets without tight controls; prefer skills with verifiable provenance. If the author cannot provide clear, scoped details, treat this skill as high-risk and do not run it against production systems.
Capability Analysis
Type: OpenClaw Skill
Name: mcp-server-scanner
Version: 1.0.0
The skill bundle contains no executable code and relies entirely on instructions in SKILL.md to direct the AI agent to perform high-risk reconnaissance. It tasks the agent with searching for hardcoded secrets, PII, and configuration files across the environment under the guise of a 'security scan.' This pattern is characteristic of a prompt-injection attack designed to trick an agent into exposing sensitive environment data through its output without providing any actual scanning logic.
Capability Assessment
Purpose & Capability
The SKILL.md describes discovery (finding MCP servers and agent configs), secret detection, network/TLS checks, and compliance mapping — tasks that normally require access to network scanning tools, host/config paths, or API credentials. Yet the skill declares no required binaries, no config paths, and no environment variables. That mismatch (claiming intrusive capabilities but requesting no explicit access) is unexplained and disproportionate.
Instruction Scope
The runtime instructions are high-level and open-ended: they tell the agent to 'run discovery and security scan' but provide no concrete, scoped commands or limits. Because the doc grants broad authority implicitly, it could lead the agent to read arbitrary config files, network endpoints, or secrets unless constrained. There are no explicit allowed paths, endpoints, or safeguards.
Install Mechanism
No install spec and no code files beyond a minimal package.json — this is instruction-only, so nothing will be downloaded or written to disk by the skill itself. That lowers direct supply-chain risk.
Credentials
The skill requests no environment variables or credentials, yet its stated behavior (detecting hardcoded secrets, mapping agent configs, assessing retention and PII exposure) would normally require access to sensitive data and possibly service credentials. The lack of declared required credentials or explicit data sources is disproportionate and unclear.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system changes. It can be invoked by the agent (normal default). While autonomous invocation is allowed by default, this alone is not flagged; however, autonomous runs combined with the above ambiguities increase the risk surface.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install mcp-server-scanner - After installation, invoke the skill by name or use
/mcp-server-scanner - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
MCP Server Scanner 1.0.0 – Initial Release
- Scans MCP servers for vulnerabilities, configuration issues, and data leakage risks.
- Discovers all MCP servers in your environment and maps agent configurations.
- Assesses security controls such as authentication, encryption, and privilege scopes.
- Audits for hardcoded secrets, TLS certificate validity, and insecure defaults.
- Analyzes data flows to identify exposure of PII/SPII and compliance risks.
- Generates detailed reports: server inventory, risk assessment, remediation steps, and compliance status.
Metadata
Frequently Asked Questions
What is Mcp Server Scanner?
Scans and assesses MCP servers for vulnerabilities, insecure configs, data exposure, and compliance with SOC 2, GDPR, and ISO 27001 standards. It is an AI Agent Skill for Claude Code / OpenClaw, with 108 downloads so far.
How do I install Mcp Server Scanner?
Run "/install mcp-server-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Mcp Server Scanner free?
Yes, Mcp Server Scanner is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Mcp Server Scanner support?
Mcp Server Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Mcp Server Scanner?
It is built and maintained by engsathiago (@engsathiago); the current version is v1.0.0.
More Skills