How to Audit an MCP Server Before Installing It
Why you should audit
Installing an MCP server is installing code. The agent typically spawns that code as a local child process (stdio transport), so it runs under your user account, has the same filesystem permissions, and receives whatever environment variables and secrets the agent passes along. npx some-mcp-server is arbitrary code execution in your environment, and npx runs the package's install scripts before a single tool is ever called. Treat it accordingly.
The 10-minute checklist
- Find the source. If the package doesn't link to a public GitHub repo, stop. Don't install it. Remember that the published tarball can differ from the repo: review what `npm pack` (or `npm view <pkg> dist.tarball`) actually ships, not only what's on GitHub.
- Scan the author. How many prior projects? Any history of security incidents? Is the email real?
- Read `package.json`. Look at `dependencies`, `bin`, and the lifecycle scripts (`scripts.preinstall`, `scripts.install`, `scripts.postinstall`, `scripts.prepare`), which run at install time before any tool is invoked. Any weird binaries being downloaded there?
- Grep for `exec`, `spawn`, `os.system`. Tool handlers that shell out without parameterization = command injection risk. An argument array passed to `execFile`/`spawn` with no shell is the safe shape; a command string built from tool input is not.
- Grep for `fs.readFile`, `fs.writeFile`. Filesystem scope: does it `path.resolve` the requested path and then check that the result still sits under an allowlisted root? `path.resolve` on its own normalizes `..` but does not confine it.
- Grep for `fetch`, `axios`, `requests`. URL fetching: are loopback, RFC 1918 and link-local (169.254.0.0/16) destinations refused, and is that check applied to the resolved address and again on redirects?
- Check for `inputSchema`/zod. Every tool should validate its own payload before running.
- Check for secrets. Grep `sk-`, `AKIA`, `ghp_`, `xox[bpars]-`.
- Check for hardcoded `shell: true`. Red flag.
- Check dependency ages. `npm outdated`: multiple years-stale transitive deps = risk accumulation. `npm audit` covers the known-CVE side of the same tree.
The 5-second automated path
Run the same checks automatically with:
npx mcpwatch-scanner /path/to/mcp
It runs all 10 checks from the OWASP MCP Top 10, produces a 0–100 score, and returns an A–F letter grade. It exits non-zero on grade F, which makes it usable as a CI gate.
Or drop the GitHub Action into your workflow and block any PR that regresses the grade:
```yaml
- uses: lazymac2x/mcpwatch-action@v1
  with:
    path: "."
    fail-on: "D"
    comment: "true"
```
What "grade A" actually means
A grade of A means the automated scanner didn't find any of the 10 vulnerability patterns it knows how to look for. It does not mean the server is provably safe, only that it passed the cheap checks. For high-stakes installs (filesystem access, shell execution, cloud API credentials), still do a human code review.
A note on the false-positive rate
MCPWatch is heuristic, not a taint-analysis engine. It will flag genuine patterns (template-literal exec, raw fs paths) as well as some safe-in-context code. When in doubt, read the finding's evidence line and make a call.
Browse the live leaderboard for the current grade of every popular MCP server — updated daily.