mcp-security-inspector

MCP Security Inspector is an AI-enhanced Chrome extension designed to securely inspect MCP servers by integrating active scanning and passive monitoring with multiple LLM services. After installing and loading the unpacked extension, you can connect the extension to an MCP server by entering the server URL or address in the extension’s MCP panel, followed by any required authentication details. Once connected, you can enable either Active Scan mode to generate targeted test cases and run dynamic security tests, or Passive Monitoring mode to observe real-time MCP calls and flag potential vulnerabilities as they occur. The extension supports configuring multiple LLM providers (OpenAI, Claude, Gemini, or local Ollama) to power the analysis, and you can test connections to these services by supplying API keys and endpoint configurations.

Within the extension, you’ll find tools organized under the MCP components: tools, prompts, and resources. For each component type you can run unified security checks, view detailed reports, and export findings. Use the reporting feature to assess risk levels, review remediation suggestions, and track history across scans. The UI provides bilingual (English/Chinese) support, with real-time progress indicators during scans and a centralized dashboard to compare results across different MCP components and configurations.

Prerequisites:

• Node.js and npm installed on your development machine
• Git installed
• Optional: Chrome browser for testing the extension

Install steps:

1. Clone the repository git clone https://github.com/purpleroc/mcp-security-inspector.git cd mcp-security-inspector

2. Install dependencies npm install

3. Build the Chrome extension package npm run build:extension

4. Load the unpacked extension into Chrome

   • Open Chrome and navigate to chrome://extensions/
   • Enable Developer mode
   • Click "Load unpacked" and select the dist folder produced by the build

5. Connect to an MCP server

   • Open the extension's MCP panel
   • Enter the MCP server address and authentication details if required
   • Choose detection mode (Active Scan or Passive Monitoring) and configure detection rules

Prerequisites recap:

• A running MCP server you want to inspect
• API keys/configs for any LLM providers you intend to use
• A Chrome environment to load the extension during testing

Tips and notes:

• If you encounter CORS or extension loading issues, ensure you loaded the correct dist directory and that Developer mode is enabled in Chrome.
• When using LLM providers, keep API keys secure and consider enabling environment-specific configurations to separate development and production keys.
• The extension supports exporting reports; use this to maintain audit trails for compliance or remediation tracking.
• If your MCP server uses self-signed certificates, ensure the extension has appropriate network permissions and that the server URL is accessible from your development environment.
• Common env vars to consider adding: MCP_SERVER_URL (server endpoint), LLM_OPENAI_API_KEY, LLM_CLAUDE_API_KEY, LLM_GEMINI_API_KEY, EXT_BUILD_MODE (used during development vs production).