## **PoC** [mcp-scan](https://github.com/invariantlabs-ai/mcp-scan) is a security tool to scan installed MCP servers for common security vulnerabilities like prompt injections, tool poisoning and cross-origin escalations. Also provides Tool Pinning to prevent MCP rug pull attacks- detecting changes to MCP tools via hashing. ``` usage: uvx mcp-scan@latest [--storage-file STORAGE_FILE] [--base-url BASE_URL] ``` ## **Details** Developed in response to research such as [tool poisoning attack](https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks) Strongly encourage folks to run MCPs as WASM VM's and not rely on scanning alone. Also continue to treat MCP's as external dependencies and carry out normal supply-chain checks and care. The latest version of MCP protocol contains some tool annotations to [help define capabilities](https://modelcontextprotocol.io/docs/concepts/tools#available-tool-annotations): | Annotation | Type | Default | Description | | ----------------- | ------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------ | | `title` | string | - | A human-readable title for the tool, useful for UI display | | `readOnlyHint` | boolean | false | If true, indicates the tool does not modify its environment | | `destructiveHint` | boolean | true | If true, the tool may perform destructive updates (only meaningful when `readOnlyHint` is false) | | `idempotentHint` | boolean | false | If true, calling the tool repeatedly with the same arguments has no additional effect (only meaningful when `readOnlyHint` is false) | | `openWorldHint` | boolean | true | If true, the tool may interact with an “open world” of external entities |