
MCP-Scanner

Advanced Shodan-based scanner for discovering, verifying, and enumerating Model Context Protocol (MCP) servers and AI infrastructure tools over HTTP & SSE.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
Run in terminal:
Command
claude mcp add --transport stdio --env SHODAN_API_KEY=YOUR_SHODAN_API_KEY knostic-mcp-scanner -- python mcp_scanner.py --api-key YOUR_SHODAN_API_KEY

The "--" separates Claude Code's own options (--transport, --env) from the command and arguments used to launch the script; replace YOUR_SHODAN_API_KEY with your real Shodan key in both places, and keep it out of shell history and logs. MCP-Scanner is a standalone command-line scanner that is normally run directly, as described under "How to install" below; registering it with Claude Code only tells Claude Code how to launch the same script.

How to use

The MCP-Scanner is a security research tool that uses the Shodan search engine to locate publicly accessible MCP (Model Context Protocol) servers and assess their security posture. It can test multiple transport methods (HTTP and Server-Sent Events), verify protocol compliance, enumerate available tools and capabilities, and produce comprehensive reports in JSON, CSV, and human-readable formats. This enables researchers to map the presence of MCP implementations and understand potential exposure in an organization’s infrastructure.

To use the scanner, provide a Shodan API key and run the main script. The tool supports customizing search scope and output through command-line options. After execution, examine the generated outputs to review verified MCP servers, their detected tools, and any noted misconfigurations. This is useful for risk assessment, inventorying MCP deployments, and guiding responsible disclosure or remediation efforts.
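The verification path described above (connect over HTTP or SSE, send the JSON-RPC initialize handshake, check for a protocol-compliant result, enumerate tools with tools/list, and write a report row), as an added Python example. This is not MCP-Scanner's own code: the function names, the sample SSE stream and JSON replies, the 203.0.113.x hosts and the protocol version string are all constructed for the example, and a real scan would feed Shodan hits and live responses into the same checks instead.

```python
"""Offline sketch of the per-host checks a Shodan-driven MCP scanner performs.
Constructed sample responses stand in for live HTTP/SSE traffic; no network is used."""
import csv, io, json

# Protocol version offered in the "initialize" handshake (an assumption for the example).
PROTOCOL_VERSION = "2024-11-05"

def build_initialize_request(request_id=1):
    """JSON-RPC 2.0 'initialize' request a client POSTs to a candidate MCP endpoint."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "initialize",
            "params": {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                       "clientInfo": {"name": "example-scanner", "version": "0.0"}}}

def parse_sse(stream_text):
    """Split a Server-Sent Events stream into (event, data) pairs: a blank line ends an
    event, ':' lines are comments, and one leading space after 'data:' is dropped."""
    events, name, data = [], "message", []
    for line in [raw.rstrip("\r") for raw in stream_text.splitlines()] + [""]:
        if line == "":
            if data:
                events.append((name, "\n".join(data)))
            name, data = "message", []
        elif line.startswith("event:"):
            name = line[6:].strip()
        elif line.startswith("data:"):
            value = line[5:]
            data.append(value[1:] if value.startswith(" ") else value)
        # ':' comment lines and unknown fields are ignored
    return events

def classify_initialize(status, body_text):
    """Classify an unauthenticated 'initialize' attempt: MCP or not, auth enforced or not."""
    f = {"mcp": False, "auth_enforced": False, "server": None, "capabilities": [], "issues": []}
    if status in (401, 403):
        f["auth_enforced"] = True
        f["issues"].append(f"HTTP {status}: credentials required")
        return f
    try:
        msg = json.loads(body_text)
    except json.JSONDecodeError:
        f["issues"].append("body is not JSON")
        return f
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        f["issues"].append("not a JSON-RPC 2.0 message")
        return f
    result = msg.get("result")
    if not isinstance(result, dict) or "protocolVersion" not in result:
        f["issues"].append("no initialize result with protocolVersion (error or other service)")
        return f
    f["mcp"] = True
    f["server"] = (result.get("serverInfo") or {}).get("name")
    f["capabilities"] = sorted((result.get("capabilities") or {}).keys())
    f["issues"].append("initialize succeeded without credentials: unauthenticated exposure")
    return f

def extract_tools(tools_list_body):
    """Tool names from a 'tools/list' result, noting tools that declare no inputSchema."""
    tools = json.loads(tools_list_body).get("result", {}).get("tools", [])
    return [{"name": t.get("name"), "has_schema": "inputSchema" in t} for t in tools]

def findings_to_csv(rows):
    """Render report rows as CSV text."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(rows[0]))
    w.writeheader()
    for r in rows:
        w.writerow({**r, "tools": ";".join(r["tools"]), "issues": ";".join(r["issues"])})
    return buf.getvalue()

# Constructed samples: an SSE stream (endpoint event, then the initialize reply),
# a tools/list reply, and a non-MCP JSON API of the kind Shodan also returns.
SAMPLE_SSE = (
    ": keep-alive\n"
    "event: endpoint\ndata: /messages?sessionId=abc123\n\n"
    "event: message\n"
    'data: {"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2024-11-05",'
    '"capabilities":{"tools":{},"resources":{}},'
    '"serverInfo":{"name":"demo-mcp","version":"1.2"}}}\n\n'
)
SAMPLE_TOOLS = json.dumps({"jsonrpc": "2.0", "id": 2, "result": {"tools": [
    {"name": "read_file", "inputSchema": {"type": "object"}}, {"name": "run_shell"}]}})
SAMPLE_NOT_MCP = '{"status":"ok","version":"3.1"}'

def to_row(host, transport, finding, tools):
    return {"host": host, "transport": transport, "mcp": finding["mcp"],
            "auth_enforced": finding["auth_enforced"], "server": finding["server"],
            "tools": [t["name"] for t in tools], "issues": finding["issues"]}

def scan_samples():
    """Run the checks over the constructed samples (hosts are RFC 5737 documentation addresses)."""
    events = parse_sse(SAMPLE_SSE)
    endpoint = next(d for e, d in events if e == "endpoint")
    reply = next(d for e, d in events if e == "message")
    sse = classify_initialize(200, reply)
    tools = extract_tools(SAMPLE_TOOLS) if sse["mcp"] else []
    http = classify_initialize(200, SAMPLE_NOT_MCP)
    return [to_row("203.0.113.10:8000", "sse " + endpoint, sse, tools),
            to_row("203.0.113.11:8080", "http", http, [])]

if __name__ == "__main__":
    print(json.dumps(build_initialize_request()), findings_to_csv(scan_samples()), sep="\n")
```

The finding that matters for exposure is a valid initialize result returned to a request that carried no credentials; a 401 or 403 means something is in front of the server and the host is recorded as reachable but protected. The tools/list step only records names and whether each tool declares an input schema, it never calls a tool, which keeps the output suitable for inventory and hardening rather than exploitation.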

How to install

Prerequisites

  • Python 3.7 or higher
  • A Shodan API key (required for scanning)
  • Git (to clone the repository)

Installation steps

  1. Clone the repository

    git clone https://github.com/knostic/MCP-Scanner.git
    cd MCP-Scanner

  2. Install Python dependencies

    pip install shodan requests aiohttp

    Or, if a requirements.txt is provided

    pip install -r requirements.txt

  3. Set up your environment

    • Ensure you have a Shodan API key. Export it as an environment variable if preferred:

    export SHODAN_API_KEY=YOUR_SHODAN_API_KEY

  4. Run the scanner

    python mcp_scanner.py --api-key YOUR_SHODAN_API_KEY

Notes

  • You can customize output and concurrency with additional options (e.g., --max-results, --max-concurrent, --output).
  • If you plan to run multiple scans, consider using a dedicated virtual environment or container to isolate dependencies.

Additional notes

Tips and common considerations:

  • Always obtain explicit authorization before scanning networks or devices not owned by you.
  • Monitor API usage so you stay within Shodan's rate and query-credit limits and avoid having your key throttled or blocked.
  • The scanner reports discovered tools and capabilities; use this for inventory and security hardening rather than exploitation.
  • If you encounter connectivity issues, verify network access and firewall rules, and ensure your API key is valid.
  • Environment variables: keep your API keys secure. Do not commit keys to version control or expose them in logs.
