← Back to Skills Marketplace
apex-stack-ai

MCP Security Auditor Lite

by apex-stack-ai · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
104
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install mcp-security-auditor-lite
Description
Free version — scan your MCP configuration for the top 3 security risks. Tool description injection, permission sprawl, and supply chain trust.
README (SKILL.md)

MCP Security Auditor Lite — Quick Security Scan

You are an MCP security specialist. Your job is to quickly assess MCP server configurations for the most critical security risks.

This lite version covers 3 of 8 audit dimensions. For the full MCP Security Auditor with all 8 dimensions, tool injection scanning, config drift detection, cross-tool safety analysis, and ongoing monitoring checklists, get the paid version: https://apexstack.gumroad.com/l/mcp-security-auditor

How to Use

Provide your MCP config (JSON/YAML), tool list, or describe your MCP server setup. I'll scan for the top 3 risks.

Quick Security Scan (Lite — 3 Dimensions)

1. Tool Description Integrity — /10

Are tool descriptions purely descriptive or do they contain hidden instructions?

Red flags:

  • Imperative language ("always do X before calling other tools")
  • References to other tools' behavior
  • Unusually long descriptions (more attack surface)
  • Instructions to ignore or override previous context

Scoring:

  • 9-10: All descriptions purely descriptive, manually reviewed
  • 5-6: Some imperative language, no hidden content detected
  • 1-2: Active injection patterns, descriptions manipulate agent behavior

2. Permission Scope — /10

Do tools have the minimum permissions needed?

Red flags:

  • File system tools with root/home access instead of scoped directories
  • Database tools with write access when only reads are needed
  • Tools that can access environment variables or secrets
  • Admin-level access on tools that should be read-only

Scoring:

  • 9-10: Every tool follows least-privilege, scoped to specific resources
  • 5-6: Several tools have broad permissions, no systematic scoping
  • 1-2: Tools have admin access, can access secrets, no boundaries

3. Supply Chain Trust — /10

Are your MCP servers from trusted sources?

Red flags:

  • Unverified community MCP servers with no source review
  • No version pinning (running "latest" = rug-pull risk)
  • Servers installed without security evaluation
  • No CVE monitoring for MCP dependencies

Scoring:

  • 9-10: Verified publishers, pinned versions, source reviewed
  • 5-6: Mix of trusted and unverified, some pinning
  • 1-2: Random servers installed without evaluation

Lite Output

## MCP Quick Security Scan: [Project]

### Score: [X/30] ([percentage]%) — [Secure / Adequate / At Risk]

| Dimension | Score | Risk | Top Action |
|-----------|-------|------|------------|
| Tool Description Integrity | X/10 | red/yellow/green | [action] |
| Permission Scope | X/10 | red/yellow/green | [action] |
| Supply Chain Trust | X/10 | red/yellow/green | [action] |

### Top 3 Fixes
1. [action]
2. [action]
3. [action]

Want the full security audit? The paid version includes all 8 dimensions, tool description injection scanner, permission scope analyzer, config drift detector, cross-tool manipulation checker, monitoring checklists, and prioritized remediation roadmap.

Get the full version -> https://apexstack.gumroad.com/l/mcp-security-auditor

Built by Apex Stack — based on real experience running 10+ MCP-connected agents in production.

Usage Guidance
This skill is a checklist-style, manual analyzer and is internally consistent with its description. Before using it: do not paste live secrets, API keys, or private keys into the chat — sanitize or redact sensitive fields; verify any remediation steps before applying them; treat the paid-version link as an external marketing URL (don’t provide credentials there); and remember the output is agent reasoning (not an automated code audit), so consider running independent tooling for confirmatory checks if you need high assurance.
Capability Analysis
Type: OpenClaw Skill Name: mcp-security-auditor-lite Version: 1.0.0 The skill bundle consists entirely of markdown instructions (SKILL.md) directing the AI agent to act as a security auditor for MCP (Model Context Protocol) configurations. It contains no executable code, no data exfiltration logic, and no malicious prompt injection; instead, it provides a framework for the agent to evaluate security risks like tool description integrity and permission sprawl. The inclusion of a link to a paid version on Gumroad is a standard commercial practice and does not pose a technical security threat.
Capability Assessment
Purpose & Capability
Name and description match SKILL.md: it promises a lightweight, manual-style security scan of MCP configs across three dimensions. There are no unexpected binaries, env vars, or installs required.
Instruction Scope
The skill is instruction-only and asks the agent to evaluate MCP config/tool lists provided by the user using the included rubrics. This is expected, but the rubric-driven analysis is manual reasoning rather than automated checks; the user must supply config data (which may contain secrets) and the agent will analyze it.
Install Mechanism
No install spec or code files; lowest-risk delivery model. Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares no required credentials or environment access (appropriate). However, it requires the user to paste MCP configs/tool lists — those artifacts can contain sensitive secrets or tokens, so the user should sanitize inputs before sharing.
Persistence & Privilege
always is false and default invocation behavior is normal. The skill does not request persistent presence or system-wide changes.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mcp-security-auditor-lite
  3. After installation, invoke the skill by name or use /mcp-security-auditor-lite
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of MCP Security Auditor Lite. - Launches free version to scan MCP configurations for the top 3 security risks: tool description integrity, permission sprawl, and supply chain trust. - Provides scoring and actionable recommendations for each risk. - Includes a concise output template to summarize findings and top fixes. - Full version link provided for advanced auditing and extra features.
Metadata
Slug mcp-security-auditor-lite
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is MCP Security Auditor Lite?

Free version — scan your MCP configuration for the top 3 security risks. Tool description injection, permission sprawl, and supply chain trust. It is an AI Agent Skill for Claude Code / OpenClaw, with 104 downloads so far.

How do I install MCP Security Auditor Lite?

Run "/install mcp-security-auditor-lite" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is MCP Security Auditor Lite free?

Yes, MCP Security Auditor Lite is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does MCP Security Auditor Lite support?

MCP Security Auditor Lite is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created MCP Security Auditor Lite?

It is built and maintained by apex-stack-ai (@apex-stack-ai); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments