
Mcp Security Audit
Scan `.mcp.json` server entries for secrets, shell injection, unpinned packages, and servers outside your approved list.
Overview
MCP Security Audit is an agent skill most often used in Ship (also Build) that reviews MCP server configurations in `.mcp.json` for secrets exposure, injection, and supply-chain risk.
Install
npx skills add https://github.com/github/awesome-copilot --skill mcp-security-audit
What is this skill?
- Five-step per-server audit: secrets, shell injection, unpinned versions, dangerous commands, approved-list check
- Parses `.mcp.json` and walks each registered MCP server configuration
- Flags hardcoded credentials versus environment-variable usage
- Detects `@latest` and other unpinned dependency patterns in server args
- Produces a structured security report after all servers are checked
- Five security checks per MCP server in the documented audit pipeline
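The five checks listed above, worked through as an added example that is not the skill's own code: a small Python audit that parses a constructed `.mcp.json`, runs every check per server (rather than over the whole dumped document, so a finding can be attributed to one server), and returns a report. The server names, package versions, the token value, the database URL and the approved list are all made up for this example.

```python
import json
import re
from typing import Optional

# Constructed sample .mcp.json for this example; every value in it is made up.
SAMPLE_MCP_JSON = r"""
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem@0.6.2", "/srv/data"],
      "env": {"LOG_LEVEL": "info"}
    },
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github@latest"],
      "env": {"GITHUB_TOKEN": "ghp_0123456789abcdefghijklmnopqrstuvwxyzAB"}
    },
    "backup": {
      "command": "bash",
      "args": ["-c", "node server.js $(cat ./extra-args.txt) && echo started"],
      "env": {"API_KEY": "${BACKUP_API_KEY}",
              "DB_URL": "postgresql://admin:password123@db.internal:5432/main"}
    }
  }
}
"""
APPROVED_SERVERS = {"filesystem", "github"}  # assumed governance allowlist

SECRET_PATTERNS = [
    (r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{30,}", "GitHub token"),
    (r"\bsk-[A-Za-z0-9]{20,}", "OpenAI-style API key"),
    (r"\bAKIA[0-9A-Z]{16}\b", "AWS access key"),
    (r"://[^/\s:@]+:[^@\s]+@", "credentials embedded in a URL"),
]
SHELL_PATTERNS = [
    (r"\$\(", "command substitution $(...)"),
    (r"`[^`]+`", "backtick command substitution"),
    (r"(?:&&|\|\||;)\s*\w", "command chaining"),
]
ENV_REF = re.compile(r"^\$\{[A-Za-z0-9_]+\}$")  # a ${VAR} reference, not a literal


def package_version(spec: str) -> Optional[str]:
    """Version part of an npm spec ('pkg@1.2.3' -> '1.2.3'), None if absent.
    Scoped names keep their leading '@', so only an '@' after position 0 counts."""
    at = spec.rfind("@")
    return spec[at + 1:] if at > 0 else None


def audit_server(name: str, server: dict, approved: set) -> list:
    """Run the five checks against one server entry and return its findings."""
    f = []
    args = [str(a) for a in server.get("args", [])]
    command = str(server.get("command", ""))
    literals = [command] + args + [str(v) for v in server.get("env", {}).values()]

    # 1. Hardcoded secrets: ${VAR} references are the approved form and are skipped.
    for text in literals:
        if ENV_REF.match(text):
            continue
        for pattern, what in SECRET_PATTERNS:
            if re.search(pattern, text):
                f.append(dict(server=name, severity="CRITICAL", check="hardcoded-secret", detail=what))

    # 2. Shell injection patterns anywhere in the argument list.
    for arg in args:
        for pattern, what in SHELL_PATTERNS:
            if re.search(pattern, arg):
                f.append(dict(server=name, severity="HIGH", check="shell-injection", detail=what))

    # 3. Unpinned package: for npx/npm launches the first non-flag arg is the package spec;
    #    no version at all is treated the same as @latest.
    if command in ("npx", "npm"):
        spec = next((a for a in args if not a.startswith("-")), None)
        if spec is not None and package_version(spec) in (None, "latest"):
            f.append(dict(server=name, severity="MEDIUM", check="unpinned-version", detail=spec))

    # 4. Dangerous launchers: a shell invoked with -c, or eval anywhere in the args.
    if command in ("bash", "sh") and "-c" in args:
        f.append(dict(server=name, severity="HIGH", check="dangerous-command", detail=f"{command} -c"))
    if any(re.search(r"\beval\b", a) for a in args):
        f.append(dict(server=name, severity="HIGH", check="dangerous-command", detail="eval"))

    # 5. Governance: the server name must be on the approved list.
    if name not in approved:
        f.append(dict(server=name, severity="HIGH", check="unapproved-server", detail=name))
    return f


def audit_config(raw_json: str, approved: set) -> dict:
    """Parse a .mcp.json document and build the per-server report."""
    servers = json.loads(raw_json).get("mcpServers", {})
    report = {name: audit_server(name, cfg, approved) for name, cfg in servers.items()}
    everything = [x for fs in report.values() for x in fs]
    return {"servers": report, "total": len(everything),
            "critical": sum(1 for x in everything if x["severity"] == "CRITICAL")}


if __name__ == "__main__":
    result = audit_config(SAMPLE_MCP_JSON, APPROVED_SERVERS)
    for server, findings in result["servers"].items():
        print(f"{server}: {'OK' if not findings else ''}")
        for x in findings:
            print(f"  [{x['severity']}] {x['check']}: {x['detail']}")
    print(f"{result['total']} finding(s), {result['critical']} critical")
```

On the sample, `filesystem` passes clean, `github` is flagged for the literal token and the `@latest` spec, and `backup` collects findings from the secret, shell, dangerous-command and approved-list checks. Because the check walks each server's own `command`, `args` and `env` values, a `${VAR}` reference is recognised as such before any secret pattern runs, which avoids the false positive that a regex over the whole serialised file would produce.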
Adoption & trust: 711 installs on skills.sh; 34.6k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your agent’s `.mcp.json` might ship hardcoded secrets, unsafe shell patterns, or unpinned `@latest` servers—and you will not catch it until something breaks in prod.
Who is it for?
Builders registering MCP servers who need a fast, repeatable config review against secrets, injection, pinning, and allowlist rules.
Skip if: Teams without MCP configs or those needing full SAST/DAST of application code rather than MCP manifest governance.
When should I use this skill?
User asks to audit MCP servers, review `.mcp.json`, check for secrets or shell injection, validate pinned versions, or verify servers against an approved list.
What do I get? / Deliverables
You get a report listing per-server failures across the five audit checks so you can fix configs before agents run with those tools.
- Structured MCP security audit report
- Per-server findings for secrets, injection, pinning, and governance
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship security because the skill exists to block unsafe MCP configs before agents get production tool access. Subphase security fits governance of MCP args, env vars, and supply-chain pinning—not general app pentesting.
Where it fits
Run the audit on `.mcp.json` right before you tag a release that adds a new filesystem MCP server.
Validate args and env vars when wiring a GitHub or database MCP server during feature work.
Re-audit configs after rotating API keys to ensure nothing hardcoded slipped back into server definitions.
How it compares
Focused `.mcp.json` checker—not a generic OWASP web app scanner or runtime MCP traffic monitor.
Common Questions / FAQ
Who is mcp-security-audit for?
Solo developers and small teams exposing MCP tools to coding agents who want a structured pass over server args, env usage, and pinning before merge.
When should I use mcp-security-audit?
During Ship security reviews of `.mcp.json`, when onboarding a new MCP server in Build integrations, or after copying a template that registers unknown servers.
Is mcp-security-audit safe to install?
Check the Security Audits panel on this Prism page; the skill reads project config locally—validate it matches your data-handling policy before running in CI.
SKILL.md - Mcp Security Audit
# MCP Security Audit

Audit MCP server configurations for security issues — secrets exposure, shell injection, unpinned dependencies, and unapproved servers.

## Overview

MCP servers give agents direct tool access to external systems. A misconfigured `.mcp.json` can expose credentials, allow shell injection, or connect to untrusted servers. This skill catches those issues before they reach production.

```
.mcp.json → Parse Servers → Check Each Server:
  1. Secrets in args/env?
  2. Shell injection patterns?
  3. Unpinned versions (@latest)?
  4. Dangerous commands (eval, bash -c)?
  5. Server on approved list?
→ Generate Report
```

## When to Use

- Reviewing any `.mcp.json` file in a project
- Onboarding a new MCP server to a project
- Auditing all MCP servers in a monorepo or plugin marketplace
- Pre-commit checks for MCP configuration changes
- Security review of agent tool configurations

---

## Audit Check 1: Hardcoded Secrets

Scan MCP server args and env values for hardcoded credentials.

```python
import json
import re
from pathlib import Path

SECRET_PATTERNS = [
    # The optional closing quote after the key name lets this match JSON keys
    # ("api_key": "...") as well as KEY=value strings; the negative lookahead
    # keeps ${ENV_VAR} references from being reported as literal secrets.
    (r'(?i)(api[_-]?key|token|secret|password|credential)"?\s*[:=]\s*["\'](?!\$\{)[^"\']{8,}', "Hardcoded secret"),
    (r'(?i)Bearer\s+[A-Za-z0-9\-._~+/]+=*', "Hardcoded bearer token"),
    (r'(?i)(ghp_|gho_|ghu_|ghs_|ghr_)[A-Za-z0-9]{30,}', "GitHub token"),
    (r'sk-[A-Za-z0-9]{20,}', "OpenAI API key"),
    (r'AKIA[0-9A-Z]{16}', "AWS access key"),
    (r'-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----', "Private key"),
]


def check_secrets(mcp_config: dict) -> list[dict]:
    """Check for hardcoded secrets in MCP server configurations."""
    findings = []
    # Serialise the whole config once and scan the text with every pattern.
    raw = json.dumps(mcp_config)
    for pattern, description in SECRET_PATTERNS:
        matches = re.findall(pattern, raw)
        if matches:
            findings.append({
                "severity": "CRITICAL",
                "check": "hardcoded-secret",
                "message": f"{description} found in MCP configuration",
                "evidence": f"Pattern matched: {pattern}",
                "fix": "Use environment variable references: ${ENV_VAR_NAME}",
            })
    return findings
```

**Good practice — use env var references:**

```json
{
  "mcpServers": {
    "my-server": {
      "command": "node",
      "args": ["server.js"],
      "env": {
        "API_KEY": "${MY_API_KEY}",
        "DB_URL": "${DATABASE_URL}"
      }
    }
  }
}
```

**Bad — hardcoded credentials:**

```json
{
  "mcpServers": {
    "my-server": {
      "command": "node",
      "args": ["server.js", "--api-key", "sk-abc123realkey456"],
      "env": {
        "DB_URL": "postgresql://admin:password123@prod-db:5432/main"
      }
    }
  }
}
```

---

## Audit Check 2: Shell Injection Patterns

Detect dangerous command patterns in MCP server args.

```python
import json
import re

DANGEROUS_PATTERNS = [
    (r'\$\(', "Command substitution $(...)"),
    (r'`[^`]+`', "Backtick command substitution"),
    (r';\s*\w', "Command chaining with semicolon"),
    (r'\|\s*\w', "Pipe to another command"),
    (r'&&\s*\w', "Command chaining with &&"),
    (r'\|\|\s*\w', "Command chaining with ||"),
    (r'(?i)eval\s', "eval usage"),
    (r'(?i)bash\s+-c\s', "bash -c execution"),
    (r'(?i)sh\s+-