One command finds cross-server attack paths, tool poisoning, typosquats, CVEs, trust issues, and supply chain risks. More signal than running Snyk + MCPShield + Enkrypt combined.
Scan your config in 10 seconds:

`npx mcphound`

Zero install. Auto-detects Claude Desktop, Cursor, and VS Code configs.
Instant security grade
Every scan produces a single letter grade from attack paths, warnings, and CVEs.
| Grade | Score | Meaning |
|---|---|---|
| A | 90-100 | Clean — minimal risk |
| B | 75-89 | Good — minor issues |
| C | 55-74 | Fair — notable risks |
| D | 35-54 | Poor — significant exposure |
| F | 0-34 | Failing — critical issues |
What we detect
10 compiled regex patterns scan every tool description for prompt injection attacks: hidden instructions, safety overrides, data exfiltration commands, unicode tricks, and cross-tool manipulation.
Catches malicious packages with names suspiciously similar to legitimate ones. Uses Levenshtein distance and dehyphenation matching against 60+ known MCP packages.
Compares what a server says it does versus what it can actually do. Flags opaque tools with no descriptions, suspiciously long descriptions (injection surface), and capability/description mismatches.
Each server gets a 0-100 trust score based on package age, weekly downloads, maintainer count, and Smithery verification. Known CVEs are pulled from Google's OSV.dev database in real time.
MCPhound hashes every server's tool definitions on each scan. If a package's tools change between scans, you get a Critical alert — the package may have been compromised in a supply chain attack.
Cross-server attack paths we find
filesystem MCP (reads files from your Mac) + fetch / web MCP (makes HTTP requests) → Your SSH keys, .env files, source code — POSTed to an attacker

A hidden instruction in any webpage Claude visits tells it to read ~/.ssh/id_rsa and send it to attacker.com. Both servers are doing exactly what they're supposed to. The combination is the attack.

filesystem MCP (writes files anywhere) + git MCP (runs git operations) → Arbitrary shell commands executed on your machine

Claude writes a .gitattributes file with a filter that executes shell commands on checkout, then uses the git MCP to trigger a git operation. Git's own filter mechanism runs the payload. Neither mcp-scan nor any individual server scanner catches this — it requires the combination.

filesystem / fetch MCP (reads external content) + memory MCP (writes to AI persistent memory) → Permanent backdoor in your AI's long-term memory

A malicious document or webpage injects a hidden instruction. Claude stores it in your AI memory server as a 'helpful reminder'. Every future Claude session starts poisoned — even months later, even in different contexts.
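The cross-server analysis described above, as an added example that is not MCPhound's own code: a small attack-path finder in Node.js that classifies each server in a claude_desktop_config.json-style file by the capabilities it exposes, then reports every pair of distinct servers matching one of three patterns modelled on the cases above. The capability labels, the package-name-to-capability map and the sample config are constructed for illustration.

```javascript
// Added example (not MCPhound's code): a minimal cross-server attack-path finder.
// Capability labels, the package-to-capability map and the sample config are constructed.
const CAPABILITIES = {
  "example-mcp-filesystem": ["read_local", "write_local"],
  "example-mcp-fetch": ["read_external", "http_out"],
  "example-mcp-git": ["git_ops"],
  "example-mcp-memory": ["write_memory"],
};

// A pattern fires when one server offers the source capability and a different
// server offers the sink: the combination, not either server alone, is the risk.
const ATTACK_PATTERNS = [
  { id: "local-file-exfil", severity: "critical", source: "read_local", sink: "http_out", impact: "local files (SSH keys, .env) POSTed to an attacker" },
  { id: "git-filter-exec", severity: "critical", source: "write_local", sink: "git_ops", impact: "written repo config lets a git operation run commands" },
  { id: "memory-backdoor", severity: "high", source: "read_external", sink: "write_memory", impact: "injected instruction persisted into AI memory" },
];

// Classify a server entry by the (constructed) package name on its command line.
function capabilitiesOf(entry) {
  const cmdline = [entry.command, ...(entry.args || [])].join(" ");
  for (const [pkg, caps] of Object.entries(CAPABILITIES)) {
    if (cmdline.includes(pkg)) return caps;
  }
  return []; // unknown server: no capabilities inferred, so it joins no path
}

// Return every (pattern, source server, sink server) triple present in the config.
function findAttackPaths(config) {
  const nodes = Object.entries(config.mcpServers || {})
    .map(([name, entry]) => ({ name, caps: capabilitiesOf(entry) }));
  const paths = [];
  for (const p of ATTACK_PATTERNS) {
    for (const src of nodes) {
      if (!src.caps.includes(p.source)) continue;
      for (const dst of nodes) {
        if (dst === src || !dst.caps.includes(p.sink)) continue;
        paths.push({ pattern: p.id, severity: p.severity, from: src.name, to: dst.name, impact: p.impact });
      }
    }
  }
  return paths;
}

// Constructed claude_desktop_config.json-style input with the four servers discussed above.
const sampleConfig = { mcpServers: {
  filesystem: { command: "npx", args: ["-y", "example-mcp-filesystem", "/Users/me"] },
  fetch: { command: "npx", args: ["-y", "example-mcp-fetch"] },
  git: { command: "npx", args: ["-y", "example-mcp-git"] },
  memory: { command: "npx", args: ["-y", "example-mcp-memory"] },
} };
console.log(findAttackPaths(sampleConfig)); // three paths: exfil, git-filter-exec, memory-backdoor
```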
How MCPhound compares
| Capability | Snyk | MCPShield | Enkrypt | Cisco | MCPhound |
|---|---|---|---|---|---|
| Cross-server attack paths | - | - | - | - | Yes |
| Tool poisoning detection | LLM | - | - | - | Regex |
| Typosquat detection | - | Yes | - | - | Yes |
| CVE per server | - | - | Yes | - | Yes |
| Behavioral mismatch | - | - | - | Code | Yes |
| Trust scoring | - | - | - | - | Yes |
| Rug-pull detection | LLM | - | - | - | Hash |
| Security grade (A-F) | - | - | - | - | Yes |
| Remediation plan | - | - | - | - | Yes |
| GitHub Actions / SARIF | Yes | - | - | - | Yes |
| No LLM required | - | Yes | Yes | - | Yes |
How it works
1. Run `npx mcphound`: auto-detects your MCP config file.
2. Scan & enrich: checks for poisoning, typosquats, CVEs, and trust scores.
3. Map attack paths: graph analysis finds cross-server attack chains.
4. Get your grade: A-F score with prioritized fixes.
CI / CD Integration
Block PRs that introduce risky MCP configs. Fails on critical/high attack paths or warnings.
```yaml
- uses: tayler-id/mcphound-action@v0
  with:
    api_token: ${{ secrets.MCPHOUND_API_TOKEN }}
```

Get your token at mcphound.ai/ci/setup.
Prefer a web UI? Paste your claude_desktop_config.json below. For faster results, use npx mcphound in your terminal.
Every server is checked for poisoning, typosquats, and behavioral mismatches. Every combination is tested against 16 cross-server attack patterns. Secrets are stripped before analysis.
API keys and env vars are stripped before storage. No LLM required — all checks are deterministic.