Bawbel Scanner

Name: Bawbel Scanner
Author: bawbel

bawbel/scanner

Scan MCP server manifests and skill files for AVE-class vulnerabilities before you wire them into Claude Code or ship to users.

Overview

Bawbel Scanner is a MCP server for the Ship phase that scans MCP servers and skill files for AVE vulnerabilities before production.

What is this MCP server?

Scans files or directories via stdio MCP with a configurable --path defaulting to the project root
Detects AVE vulnerabilities using a catalog of 45 AVE records and Bawbel threat intel API
Maps findings to OWASP MCP guidance for agent-tooling risk review
PyPI package bawbel-scanner runnable with uvx for fast local and CI scans
Targets both MCP server packages and standalone skill files in one pass
45 AVE records in publisher metadata
OWASP MCP mapping enabled
Threat intel API at https://api.piranha.bawbel.io

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Community signal: 7 GitHub stars.

What problem does it solve?

Solo builders paste MCP servers and skills into agents without a fast way to catch known AVE-style risks in those packages.

Who is it for?

Indie developers curating multiple MCP servers and SKILL.md files who want a lightweight gate before updating agent configs or publishing tooling.

Skip if: Teams that only need application code SAST/DAST and do not install external MCP or skill packages.

What do I get? / Deliverables

You get structured vulnerability signals mapped to threat intel and OWASP MCP so you can block or fix risky integrations before they reach production agents.

AVE-oriented findings for scanned MCP and skill paths
OWASP MCP-aligned context for triage decisions
Repeatable pre-ship scan you can script in CI

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

Security scanning belongs on the Ship phase shelf because the README positions it explicitly before production deployment of MCP and skill assets. Subphase security is the canonical fit for vulnerability detection, OWASP MCP mapping, and DevSecOps-style pre-release gates.

How it compares

MCP-hosted supply-chain scanner, not an in-editor agent skill or generic cloud posture product.

Common Questions / FAQ

Who is Bawbel Scanner for?

It is for solo and small-team builders who install MCP servers and skills from registries and need a quick AVE-focused check before trusting them in Claude Code or similar agents.

When should I use Bawbel Scanner?

Use it when you add or upgrade an MCP server, vendor a skill file, or prepare a release where agent tooling touches production credentials or user data.

How do I add Bawbel Scanner to my agent?

Register the stdio MCP server from PyPI as bawbel-scanner (uvx runtime hint), pass --path to the file or directory to scan, and invoke scan tools from your MCP-capable client.

Bawbel Scanner

bawbel/scanner

Scan MCP server manifests and skill files for AVE-class vulnerabilities before you wire them into Claude Code or ship to users.

Overview

Bawbel Scanner is a MCP server for the Ship phase that scans MCP servers and skill files for AVE vulnerabilities before production.

What is this MCP server?

Scans files or directories via stdio MCP with a configurable --path defaulting to the project root
Detects AVE vulnerabilities using a catalog of 45 AVE records and Bawbel threat intel API
Maps findings to OWASP MCP guidance for agent-tooling risk review
PyPI package bawbel-scanner runnable with uvx for fast local and CI scans
Targets both MCP server packages and standalone skill files in one pass
45 AVE records in publisher metadata
OWASP MCP mapping enabled
Threat intel API at https://api.piranha.bawbel.io

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Community signal: 7 GitHub stars.

What problem does it solve?

Solo builders paste MCP servers and skills into agents without a fast way to catch known AVE-style risks in those packages.

Who is it for?

Indie developers curating multiple MCP servers and SKILL.md files who want a lightweight gate before updating agent configs or publishing tooling.

Skip if: Teams that only need application code SAST/DAST and do not install external MCP or skill packages.

What do I get? / Deliverables

You get structured vulnerability signals mapped to threat intel and OWASP MCP so you can block or fix risky integrations before they reach production agents.

AVE-oriented findings for scanned MCP and skill paths
OWASP MCP-aligned context for triage decisions
Repeatable pre-ship scan you can script in CI

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

How it compares

MCP-hosted supply-chain scanner, not an in-editor agent skill or generic cloud posture product.

Common Questions / FAQ

Who is Bawbel Scanner for?

It is for solo and small-team builders who install MCP servers and skills from registries and need a quick AVE-focused check before trusting them in Claude Code or similar agents.

When should I use Bawbel Scanner?

Use it when you add or upgrade an MCP server, vendor a skill file, or prepare a release where agent tooling touches production credentials or user data.

How do I add Bawbel Scanner to my agent?

Register the stdio MCP server from PyPI as bawbel-scanner (uvx runtime hint), pass --path to the file or directory to scan, and invoke scan tools from your MCP-capable client.

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is Bawbel Scanner for?

When should I use Bawbel Scanner?

How do I add Bawbel Scanner to my agent?

This week for builders

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is Bawbel Scanner for?

When should I use Bawbel Scanner?

How do I add Bawbel Scanner to my agent?