MCP-Scan — systematic security scanning for MCP configurations

One command that inspects every tool description in your MCP configuration for poisoning, rug pulls, cross-origin escalations, and prompt injections. The static analysis layer that should run before any MCP server connects to a production agent.

April 11, 2025 · 7 min read · Platform engineers, security teams, MCP implementors

MCPSecurityOpen SourceStatic AnalysisTool Poisoning

Invariant released MCP-Scan on April 11, 2025. It's the security scanner I wanted to exist before I started wiring MCP integrations into Genie. One command, no configuration required, inspects every tool description across your MCP configuration and reports threats.

The gap it fills

Before MCP-Scan, a developer evaluating an MCP server for integration had to make a trust decision based on: the server's description, GitHub star count, and author reputation. There was no standardised way to inspect the actual tool descriptions the server would send to the model, no baseline to compare against on future runs, and no systematic check for known attack patterns.

MCP-Scan fills this gap the same way npm audit fills the supply-chain gap for Node.js dependencies — automated inspection before deployment rather than manual review after an incident.

What it scans for

Four threat categories:

Tool Poisoning Attacks: tool descriptions containing hidden instructions that manipulate model behaviour. Often obfuscated to be invisible in UI summary views while fully legible in the model's context.
MCP Rug Pulls: tool descriptions that have changed since the user's last approval. Detected by hashing descriptions at first scan and comparing on subsequent runs.
Cross-Origin Escalations: descriptions from one server containing references to another server's tool namespace, enabling cross-server instruction injection.
Prompt Injection Payloads: known injection syntax embedded in tool descriptions.

Usage

# Scan all configured MCP servers
uvx mcp-scan@latest

# Inspect full tool descriptions for manual review
uvx mcp-scan@latest inspect

The inspect command is particularly useful: it outputs the exact text each tool description sends to the model, making it straightforward to review manually or pipe into additional analysis.

Tool pinning — the rug-pull defence

On first scan, MCP-Scan hashes every tool description and stores the hash. On subsequent scans, it recomputes and alerts if anything has changed. This is the structural defence against post-approval description modifications: you approve once, MCP-Scan detects any subsequent drift.

Static vs runtime

MCP-Scan operates at install and validation time — equivalent to running a static analyser before deployment. For runtime interception (catching injection patterns during live agent sessions), the complement is MCP-Scan in proxy mode or Invariant Gateway with Guardrails.

Mode	When	What it catches
Scan (static)	At setup / scheduled	Poisoned descriptions, rug pulls at rest
Proxy (runtime)	During live sessions	Dynamic injection, toxic agent flows

I run MCP-Scan against Genie's MCP configuration as part of the pre-deployment checklist. It takes about three seconds and gives me a baseline hash for every tool description. Any description drift shows up on the next scan before it can affect a production session.

Source: Invariant Labs — Introducing MCP-Scan · GitHub