mcpsec

mcpsec is a security scanner and protocol fuzzer designed to assess and exploit MCP servers in a controlled way. It connects to live MCP servers, enumerates their attack surface, and runs a suite of security scanners to identify potential weaknesses. The tool also generates fuzz cases to probe the server behavior under varied inputs, and it offers AI-assisted payload mutations and exploitation workflows to validate findings. Typical workflows include scanning a local or remote MCP server via stdio or HTTP, fuzzing with various intensities, and auditing code or repositories for MCP-related security issues. You can use mcpsec to assemble an evidence-based security assessment with PoC payloads and structured reports. The CLI supports multiple modes such as scan, fuzz, audit, sql, chains, exploit, and rogue-server, enabling a comprehensive security evaluation of MCP-based tools.

Prerequisites:

• Python 3.11 or newer
• pip (comes with Python)

1. Create a virtual environment (optional but recommended):

python -m venv venv
source venv/bin/activate  # on Unix/macOS
venv\Scripts\activate.bat # on Windows

2. Install mcpsec from PyPI:

pip install mcpsec

3. (Optional) Install AI features and providers:

pip install 'mcpsec[ai]'

4. Verify installation:

mcpsec --help

5. Run the MCP server using the Python module interface:

python -m mcpsec --help

Tips and notes:

• Environment variables can customize AI provider usage and output formats; consult the package documentation for supported providers and options.
• Ensure network access to the target MCP server when using --stdio or --http modes.
• For large fuzz campaigns, consider using high-intensity settings carefully to avoid overloading the target.
• When auditing GitHub repositories, you can point mcpsec audit to external sources and optionally enable AI validation for findings.
• If you encounter permission or path issues, verify your Python environment and that the mcpsec CLI is on your PATH after installation.