Skip to content

decoy-run/decoy-scan

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
bin
bin
 
 
.gitignore
.gitignore
 
 
AGENTS.md
AGENTS.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
index.mjs
index.mjs
 
 
package.json
package.json
 
 

Repository files navigation

decoy-scan

Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers.

Scans Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, and Cline. Finds risky tools, detects tool poisoning, checks for vulnerable packages, and maps findings to the OWASP Agentic Top 10. No account required.

Quick Start

npx decoy-scan

No signup, no config, no dependencies.

What It Checks

Tool Risk Classification

Every tool exposed by your MCP servers is classified by name and description analysis:

  • Critical: execute_command, write_file, make_payment, modify_dns, delete_*, eval, spawn
  • High: read_file, http_request, database_query, access_credentials, send_email, install_package
  • Medium: list_dir, search, upload, download, git_*, browse, screenshot
  • Low: Everything else

Tool Poisoning Detection

Scans tool descriptions for hidden prompt injection — the attack vector behind OWASP ASI01 (Agent Goal Hijacking):

  • Instruction override attempts ("ignore previous instructions")
  • Behavior injection ("you must also call...")
  • Concealment patterns ("do not tell the user")
  • Cross-tool references (tool shadowing)
  • Role/conversation injection ([SYSTEM], assistant:)
  • Invisible Unicode characters
  • Excessively long descriptions (injection hiding)

Server Command Analysis

Checks if the MCP server spawn command itself is suspicious:

  • Running from /tmp or temp directories
  • Pipe-to-shell patterns (curl | sh)
  • Inline code execution (python -c, node -e)
  • Network tools as server commands (nc, socat)
  • Base64-encoded arguments
  • Potential npm typosquatting

Environment Variable Exposure

Flags when sensitive credentials are passed to MCP servers via env config:

  • API keys, tokens, secrets, passwords
  • Database connection strings
  • Cloud credentials (AWS, GCP)
  • Service credentials (Stripe, OpenAI, Anthropic, GitHub)

Supply Chain Advisories

Cross-references installed MCP servers against the Decoy advisory database — known vulnerabilities in 40+ MCP server packages and AI agent frameworks.

OWASP Agentic Top 10 Mapping

Every finding is mapped to the OWASP Top 10 for Agentic Applications (2026):

  • ASI01 — Agent Goal Hijacking (tool poisoning, prompt injection)
  • ASI02 — Unsafe Tool Use (critical/high-risk tools)
  • ASI03 — Supply Chain Risk (typosquatting, env exposure, vulnerable packages)
  • ASI05 — Cascading Failures (forced tool chaining)

Example Output

decoy-scan — MCP Supply Chain Security Scanner

  Found configs: Claude Desktop, Cursor, Claude Code
  Probing servers...

  ■ my-server  (Claude Desktop, Cursor)
    POISONING Tool description attempts to override agent instructions (execute_command)
    ENV       Passes api-key to server via env var "OPENAI_API_KEY"
    CRITICAL  execute_command
    HIGH      read_file
    + 3 low-risk tools

  ○ memory  (Claude Desktop)
    + 4 low-risk tools

  OWASP Agentic Top 10

  ASI01  Agent Goal Hijacking  (1 finding)
  ASI02  Unsafe Tool Use  (2 findings)
  ASI03  Supply Chain Risk  (1 finding)

  Summary
  2 servers scanned
  1 critical
  1 tool poisoning finding
  1 env exposure

  ✗ Issues found

Options

npx decoy-scan                  # Full scan with server probing
npx decoy-scan --no-probe       # Config-only (don't spawn servers)
npx decoy-scan --no-advisories  # Skip advisory database check
npx decoy-scan --verbose        # Show all tools including low-risk
npx decoy-scan --json           # JSON output
npx decoy-scan --sarif          # SARIF output (GitHub Security, VS Code)

Exit Codes

Code Meaning
0 No critical or high-risk issues
1 High-risk issues found
2 Critical issues or tool poisoning found

CI/CD Integration

SARIF output plugs directly into GitHub Code Scanning. All findings include OWASP tags for compliance filtering.

# .github/workflows/mcp-scan.yml
- name: Scan MCP servers
  run: npx decoy-scan --sarif > results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Library

import { scan, toSarif, classifyTool, detectPoisoning, analyzeServerCommand } from 'decoy-scan';

const results = await scan();
console.log(results.summary);
// { total: 5, critical: 1, high: 2, ..., poisoned: 1, envExposures: 2 }

console.log(results.owasp);
// { ASI01: { name: "Agent Goal Hijacking", count: 1 }, ASI02: { ... } }

How It Compares

decoy-scan mcp-scan (Snyk) Cisco MCP Scanner
Language JavaScript Python Python
Dependencies 0 pip install pip install
Install npx decoy-scan pip install mcp-scan pip install mcp-scanner
Tool risk classification Name + description regex Prompt injection probes YARA + LLM-as-judge
Tool poisoning detection 37 patterns, 20 categories Yes (LLM-based) Yes (LLM-based)
Server command analysis Yes No No
Env exposure detection Yes No No
OWASP mapping Yes (ASI01-05) No No
Advisory database Yes (Decoy) No Yes (Cisco AI Defense)
SARIF output Yes No No
Hosts supported 8 3 3

Supported Hosts

  • Claude Desktop (macOS, Windows, Linux)
  • Cursor
  • Windsurf
  • VS Code
  • Claude Code (global + project .mcp.json)
  • Zed
  • Cline

Related

License

MIT

About

Security scanner for MCP server configurations. Finds risky tools, detects tool poisoning, and maps findings to OWASP Agentic Top 10. Zero dependencies.

Topics

cli security mcp scanner supply-chain owasp sarif ai-agent prompt-injection tool-poisoning

Resources

Readme

License

MIT license

Contributing

Contributing
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 1

Languages