SecureMCP
SecureMCP is a security auditing tool designed to detect vulnerabilities and misconfigurations in applications using the [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction). It proactively identifies threats like OAuth token
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
How to Set Up and Use SecureMCP
SecureMCP is a Go-based security auditing CLI tool purpose-built to detect vulnerabilities and misconfigurations in applications that use the Model Context Protocol. It scans MCP server endpoints for OAuth token weaknesses (format validation, expiration, JWT analysis), prompt injection vulnerabilities (system prompt override and role confusion detection), and authentication/server integrity issues (SSL/TLS validation, security headers). Security teams and MCP server developers can use it to proactively identify threats before deployment, with findings exported as structured HTML or JSON reports.
Prerequisites
- Go 1.21 or higher (for building from source) or Docker for the container image
- Network access to the MCP server endpoint you want to audit
- The target MCP server must be running and reachable at a URL
- No API keys required for SecureMCP itself
Clone the repository and build SecureMCP
Clone the SecureMCP repository and compile the Go binary using make. This produces a `securemcp` executable in the current directory.
git clone https://github.com/makalin/SecureMCP.git
cd SecureMCP
make build
Alternatively, pull and run the Docker image
If you prefer not to install Go, use the Docker image to run SecureMCP without any local build steps.
docker pull makalin/SecureMCP
docker run --rm makalin/SecureMCP scan --target https://your-mcp-server.com --scan-oauth --scan-prompt-injection
Run a full security scan against your MCP server
Execute a comprehensive scan with all detection modules enabled against your target MCP server URL. This covers OAuth tokens, prompt injection, and authentication checks.
./securemcp scan --target https://your-mcp-server.com \
  --scan-oauth \
  --scan-prompt-injection \
  --scan-authentication \
  --report html
Run a targeted prompt injection scan
If you only need to check for prompt injection vulnerabilities such as system prompt overrides and role confusion attacks, run a targeted scan with only the relevant flag.
./securemcp scan --target https://your-mcp-server.com \
  --scan-prompt-injection \
  --timeout 30s \
  --report json
Review the generated security report
Open the HTML report in a browser or parse the JSON report in your CI pipeline. Findings are classified by severity so you can prioritize remediation.
# HTML report opens in browser:
open securemcp-report.html
# JSON report for CI integration:
jq '.findings[] | select(.severity == "HIGH")' securemcp-report.json
SecureMCP Examples
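The jq one-liner above only lists HIGH findings; a CI job also has to fail the build when any are present. The script below is an added example (not part of SecureMCP or this page) of such a gate. It relies only on the report shape the jq filter uses, a top-level "findings" array whose items carry a "severity" string; the severity ranking, the "category" and "title" fields, and the sample report itself are constructed assumptions.

```python
#!/usr/bin/env python3
"""CI gate for a SecureMCP JSON report (added example, not SecureMCP's own code).

Only the report shape used by the page's jq filter is relied on: a top-level
"findings" array whose items carry a "severity" string. The extra fields in the
constructed sample below ("category", "title") are assumptions for readability.
"""
import json
import sys
from collections import Counter

# Ranking is an assumption; the page only names HIGH. Unknown labels rank lowest.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample mimicking securemcp-report.json; not real scanner output.
SAMPLE_REPORT = json.dumps({
    "target": "https://your-mcp-server.com",
    "findings": [
        {"severity": "HIGH", "category": "oauth", "title": "Token has no expiration"},
        {"severity": "MEDIUM", "category": "authentication", "title": "Missing security headers"},
        {"severity": "low", "category": "prompt-injection", "title": "Role confusion heuristic matched"},
    ],
})


def summarize(report_text):
    """Return (per-severity Counter, list of findings) from raw JSON text."""
    report = json.loads(report_text)
    findings = report.get("findings") or []
    counts = Counter(str(f.get("severity", "UNKNOWN")).upper() for f in findings)
    return counts, findings


def blocking_findings(report_text, fail_on="HIGH"):
    """Findings at or above the threshold; case-insensitive, unlike the exact jq match."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    _, findings = summarize(report_text)
    return [f for f in findings
            if SEVERITY_RANK.get(str(f.get("severity", "")).upper(), -1) >= threshold]


def gate(report_text, fail_on="HIGH"):
    """Exit status for CI: 1 if any finding reaches the threshold, else 0."""
    return 1 if blocking_findings(report_text, fail_on) else 0


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_REPORT
    counts, _ = summarize(text)
    print("findings by severity:", dict(counts))
    for f in blocking_findings(text):
        print("BLOCKING:", f.get("severity"), f.get("category"), f.get("title"))
    sys.exit(gate(text))
```

Run it as `python3 gate.py securemcp-report.json` in the pipeline step after the scan; a non-zero exit blocks the deployment.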
Full scan command with all modules
Complete SecureMCP scan command targeting an MCP server with all security checks enabled and HTML report output.
./securemcp scan \
  --target https://your-mcp-server.com \
  --scan-oauth \
  --scan-prompt-injection \
  --scan-authentication \
  --timeout 60s \
  --report html
Prompts to try
Example natural language questions you might ask an AI assistant about SecureMCP findings in a workflow where scan results are fed into the context.
- "I ran SecureMCP against my MCP server and got a HIGH severity OAuth token expiration finding — what does that mean and how do I fix it?"
- "Explain what a role confusion attack is in the context of MCP prompt injection and how SecureMCP detects it."
- "My SecureMCP JSON report shows missing security headers — which headers should I add and with what values?"
- "How do I integrate SecureMCP into my GitHub Actions CI pipeline to block deployments with HIGH severity findings?"
Troubleshooting SecureMCP
Scan fails with connection refused or timeout
Ensure your target MCP server is running and the URL is reachable from the machine running SecureMCP. Try `curl https://your-mcp-server.com` to verify connectivity. Increase the timeout with `--timeout 120s` for slow servers.
make build fails with Go version errors
SecureMCP requires Go 1.21 or higher. Check your version with `go version` and upgrade via https://go.dev/dl/ if needed. Alternatively, use the Docker image to avoid local Go installation entirely.
HTML report is empty or shows no findings
Confirm that you are passing at least one `--scan-*` flag (e.g., `--scan-oauth`). Running the scan command without any scan flags performs no checks. Also verify the target URL responds to HTTP requests before scanning.
Frequently Asked Questions about SecureMCP
What is SecureMCP?
SecureMCP is a Go-based security auditing CLI tool that detects vulnerabilities and misconfigurations in applications using the [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction). It proactively identifies threats such as OAuth token weaknesses, prompt injection vulnerabilities, and authentication/server integrity issues in MCP server endpoints, and exports its findings as HTML or JSON reports.
How do I install SecureMCP?
Follow the installation instructions on the SecureMCP GitHub repository: clone the repo and run `make build` (Go 1.21 or higher), or pull the `makalin/SecureMCP` Docker image to run it without a local Go toolchain.
Which AI clients work with SecureMCP?
SecureMCP works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is SecureMCP free to use?
Yes, SecureMCP is open source and available under the MIT license. You can use it freely in both personal and commercial projects.
SecureMCP Alternatives — Similar Security Servers
Looking for alternatives to SecureMCP? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6k · An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0k · A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9k · HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7k · Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k · 754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k · 🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u