SecureMCP

v1.0.0 · Security · stable

SecureMCP is a security auditing tool designed to detect vulnerabilities and misconfigurations in applications using the [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction). It proactively identifies threats like OAuth token

Tags: ai-security, cli-tool, cli-tools, golang, llm-security

140 Stars · 0 Downloads · 0 Weekly · 0/5

What is SecureMCP?


This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Use Cases

Detect vulnerabilities and misconfigurations in MCP-based applications.
Identify OAuth token and prompt injection security threats proactively.

Maintainer: makalin
License: MIT
Language: Go
Version: v1.0.0
Updated: May 18, 2026
Status: healthy
Maintenance: active

Works with

Claude, OpenAI, Windows, macOS, Linux

Installation

Manual Installation

npx securemcp

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time: < 200ms
Throughput: Medium

Resource Usage

Memory Usage: Low
CPU Usage: Low

How to Set Up and Use SecureMCP

SecureMCP is a Go-based security auditing CLI tool purpose-built to detect vulnerabilities and misconfigurations in applications that use the Model Context Protocol. It scans MCP server endpoints for OAuth token weaknesses (format validation, expiration, JWT analysis), prompt injection vulnerabilities (system prompt override and role confusion detection), and authentication/server integrity issues (SSL/TLS validation, security headers). Security teams and MCP server developers can use it to proactively identify threats before deployment, with findings exported as structured HTML or JSON reports.

Prerequisites

  • Go 1.21 or higher (for building from source) or Docker for the container image
  • Network access to the MCP server endpoint you want to audit
  • The target MCP server must be running and reachable at a URL
  • No API keys required for SecureMCP itself

1. Clone the repository and build SecureMCP

Clone the SecureMCP repository and compile the Go binary using make. This produces a `securemcp` executable in the current directory.

git clone https://github.com/makalin/SecureMCP.git
cd SecureMCP
make build

2. Alternatively, pull and run the Docker image

If you prefer not to install Go, use the Docker image to run SecureMCP without any local build steps.

# Docker Hub repository names must be lowercase, so the image name is written as makalin/securemcp
docker pull makalin/securemcp
docker run --rm makalin/securemcp scan --target https://your-mcp-server.com --scan-oauth --scan-prompt-injection

3. Run a full security scan against your MCP server

Execute a comprehensive scan with all detection modules enabled against your target MCP server URL. This covers OAuth tokens, prompt injection, and authentication checks.

./securemcp scan --target https://your-mcp-server.com \
    --scan-oauth \
    --scan-prompt-injection \
    --scan-authentication \
    --report html

4. Run a targeted prompt injection scan

If you only need to check for prompt injection vulnerabilities such as system prompt overrides and role confusion attacks, run a targeted scan with only the relevant flag.

./securemcp scan --target https://your-mcp-server.com \
    --scan-prompt-injection \
    --timeout 30s \
    --report json

5. Review the generated security report

Open the HTML report in a browser or parse the JSON report in your CI pipeline. Findings are classified by severity so you can prioritize remediation.

# HTML report opens in browser:
open securemcp-report.html

# JSON report for CI integration:
jq '.findings[] | select(.severity == "HIGH")' securemcp-report.json
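The CI integration mentioned in step 5 needs more than a jq one-liner: a pipeline step has to fail the build when findings at or above a chosen severity are present, and it should fail loudly (rather than pass) when the report is malformed or has no findings array, which is the symptom the troubleshooting section attributes to running without any `--scan-*` flag. The following gate script is an added example, not part of SecureMCP or of this directory page. The only schema facts it takes from the page are the top-level `findings` array and a `severity` field whose values include `HIGH`; the other severity labels, the `module` and `title` keys, and the sample report itself are constructed assumptions and may not match real SecureMCP output.

```python
"""CI gate for a SecureMCP JSON report (added example, not SecureMCP's own code).

Schema facts taken from the page: a top-level "findings" array, each entry
carrying a "severity" whose values include "HIGH". Everything else below
(other severity names, the "module" and "title" keys, the sample report) is
assumed for illustration.
"""
import json
import sys
from collections import Counter

# Assumed severity ordering, lowest to highest. "HIGH" is the only label the
# page documents; the rest are placeholders a real report may name differently.
SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def severity_rank(label):
    """Rank a severity label. Unknown labels rank above every known one so a
    label this script does not recognise is never silently waved through."""
    try:
        return SEVERITY_ORDER.index(str(label).upper())
    except ValueError:
        return len(SEVERITY_ORDER)


def load_findings(report_text):
    """Parse the report and return its findings list.

    A report without a 'findings' array is treated as an error rather than
    as a clean scan, so a misconfigured run (no --scan-* flags, wrong file)
    cannot pass the gate by accident."""
    report = json.loads(report_text)
    findings = report.get("findings")
    if not isinstance(findings, list):
        raise ValueError("report has no 'findings' array; was a --scan-* flag passed?")
    return findings


def blocking_findings(findings, threshold="HIGH"):
    """Return the findings whose severity is at or above the threshold."""
    limit = severity_rank(threshold)
    return [f for f in findings if severity_rank(f.get("severity", "")) >= limit]


def summarize(findings):
    """Count findings per (upper-cased) severity label."""
    return Counter(str(f.get("severity", "UNKNOWN")).upper() for f in findings)


def gate(report_text, threshold="HIGH"):
    """Return (exit_code, summary, blocking); exit_code 1 means block the deploy."""
    findings = load_findings(report_text)
    blocking = blocking_findings(findings, threshold)
    return (1 if blocking else 0), summarize(findings), blocking


# Constructed sample report shaped after the jq filter above; not real scanner output.
SAMPLE_REPORT = json.dumps({
    "target": "https://your-mcp-server.com",
    "findings": [
        {"module": "oauth", "severity": "HIGH",
         "title": "Access token carries no expiration claim"},
        {"module": "authentication", "severity": "MEDIUM",
         "title": "Missing security headers in server response"},
        {"module": "prompt-injection", "severity": "LOW",
         "title": "Role markers accepted in tool description text"},
    ],
})

if __name__ == "__main__":
    # Usage: python gate.py securemcp-report.json [THRESHOLD]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    code, summary, blocking = gate(text, threshold)
    print("findings by severity:", dict(summary))
    for f in blocking:
        print(f"BLOCKING [{f.get('severity')}] {f.get('module')}: {f.get('title')}")
    sys.exit(code)
```

Run it as the last step of the scan job with the JSON report path; a non-zero exit fails the job. The threshold argument lets a team start by blocking only on HIGH and tighten to MEDIUM later without changing the script, and the unknown-label rule means a new severity name introduced by a future report format blocks rather than slips through.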

SecureMCP Examples

Full scan command with all modules

Complete SecureMCP scan command targeting an MCP server with all security checks enabled and HTML report output.

./securemcp scan \
  --target https://your-mcp-server.com \
  --scan-oauth \
  --scan-prompt-injection \
  --scan-authentication \
  --timeout 60s \
  --report html

Prompts to try

Example natural language questions you might ask an AI assistant about SecureMCP findings in a workflow where scan results are fed into the context.

- "I ran SecureMCP against my MCP server and got a HIGH severity OAuth token expiration finding — what does that mean and how do I fix it?"
- "Explain what a role confusion attack is in the context of MCP prompt injection and how SecureMCP detects it."
- "My SecureMCP JSON report shows missing security headers — which headers should I add and with what values?"
- "How do I integrate SecureMCP into my GitHub Actions CI pipeline to block deployments with HIGH severity findings?"

Troubleshooting SecureMCP

Scan fails with connection refused or timeout

Ensure your target MCP server is running and the URL is reachable from the machine running SecureMCP. Try `curl https://your-mcp-server.com` to verify connectivity. Increase the timeout with `--timeout 120s` for slow servers.

make build fails with Go version errors

SecureMCP requires Go 1.21 or higher. Check your version with `go version` and upgrade via https://go.dev/dl/ if needed. Alternatively, use the Docker image to avoid local Go installation entirely.

HTML report is empty or shows no findings

Confirm that you are passing at least one `--scan-*` flag (e.g., `--scan-oauth`). Running the scan command without any scan flags performs no checks. Also verify the target URL responds to HTTP requests before scanning.

Frequently Asked Questions about SecureMCP

What is SecureMCP?

SecureMCP is a security auditing tool designed to detect vulnerabilities and misconfigurations in applications using the [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction), the standardized interface that connects AI assistants to external tools and data sources. It proactively identifies threats such as OAuth token weaknesses and prompt injection.

How do I install SecureMCP?

Follow the installation instructions on the SecureMCP GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with SecureMCP?

SecureMCP works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is SecureMCP free to use?

Yes, SecureMCP is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

SecureMCP Alternatives — Similar Security Servers

Looking for alternatives to SecureMCP? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor (13.6k)

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP (9.0k)

A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI (8.9k)

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP (8.7k)

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills (6.6k)

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker (5.1k)

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{
  "mcpServers": {
    "securemcp": {
      "command": "npx",
      "args": ["-y", "securemcp"]
    }
  }
}

Add this to your claude_desktop_config.json or .cursor/mcp.json


Ready to use SecureMCP?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.
