clawsmith.com/idea/scan-mcp-servers-for-security-violations-before-publish
Idea | Competitive | CLI | SECURITY | MCP | Live

A CLI tool that scans MCP servers for SSRF vulnerabilities, prompt injection paths, and protocol spec violations before they are published to any registry

36.7% of the 14,000+ public MCP servers in 2026 contain SSRF vulnerabilities, and researchers have demonstrated active retrieval of AWS IAM keys via prompt injection against first-party servers from Anthropic and Microsoft. MCP server builders currently ship to Smithery, Glama, and the official registry with no automated pre-publish security or spec-compliance check -- only manual code review and ad-hoc testing with MCP Inspector. This tool gives MCP server authors a single CLI command to catch SSRF paths, unsafe URL handling, missing auth, prompt-injectable tool descriptions, and protocol spec deviations before a server reaches any registry or gets installed by 97M SDK users.

Demand Breakdown

HN: 1,074
GitHub: 120

Gap Assessment

Competitive: Multiple tools exist, but differentiation opportunities remain.

4 tools exist (MCP Inspector, Smithery, Glama, Truefoundry MCP Gateway), but gaps remain: no security scanning for SSRF, prompt injection, or auth gaps; no pre-publish compliance gate; not designed for CI/CD integration or batch server auditing; no security vetting of listed servers; no publisher-side compliance check before listing; servers with SSRF vulnerabilities ship freely to any installer.

Features (2 agent-ready prompts)

Static SSRF path scanner that walks MCP server source code and flags every URL-accepting parameter that lacks allowlist or scheme validation
Prompt injection detector that scores every tool description and resource response template against a curated injection pattern library and outputs a graded compliance report

Competitive Landscape (FREE)

Product: MCP Inspector
Does: Official Anthropic tool for protocol-level debugging and real-time communication log inspection during development
Missing: No security scanning for SSRF, prompt injection, or auth gaps. No pre-publish compliance gate. Not designed for CI/CD integration or batch server auditing.

Product: Smithery
Does: Registry of 7,000+ MCP servers with install commands, search, and hosted remote servers
Missing: No security vetting of listed servers. No publisher-side compliance check before listing. Servers with SSRF vulnerabilities ship freely to any installer.

Product: Glama
Does: Largest MCP directory with 21,000+ servers, visual previews, and daily updates
Missing: No automated security scanning of listed servers. Discovery only, no compliance enforcement for publishers before a server is indexed.

Product: Truefoundry MCP Gateway
Does: Enterprise MCP gateway with RBAC, centralized API key management, and input filtering for prompt injection at the consumption side
Missing: Operates at runtime consumption layer, not at server build/publish time. Builders still ship insecure servers before the gateway catches issues downstream.

Leads: 25 (BUILDER)

@gronky_
@wat10000
@itaiwins
@joergmichno
@soulofmischief
@ressl
@anonymousDan
@lbeurerkellner
25 people already want this