Powered by OWASP MCP Top 10

Is your MCP
setup safe?

Find out in 60 seconds. ShieldMCP scans your MCP configuration and flags permission risks, exposed secrets, and supply chain threats — before an attacker does.

82%of MCP configs

have at least one

critical flaw

Drop your MCP config file here

or click to browse

claude_desktop_config.json.cursor/mcp.jsonmcp-config.json

Don't know where your config is? View guide

How it works

Three steps to a safer MCP setup.

01

Upload config

Drop your file or paste JSON. Supports claude_desktop_config.json, .cursor/mcp.json, and more.

02

Instant scan

60-second check across all OWASP MCP Top 10 categories. No account needed.

03

Fix issues

Get exact config fixes in plain English. Unlock the full report for copy-paste JSON examples.

What we check

Full coverage of the OWASP MCP Top 10.

ID

Category

Description

MCP01

Token Mismanagement

Secrets & API keys in plaintext

MCP02

Tool Poisoning

Malicious or unverified MCP packages

MCP03

Command Injection

Shell execution & dangerous commands

MCP04

Excessive Permissions

Over-broad filesystem & API access

MCP05

Context Over-sharing

Too many sensitive sources connected

MCP06

Shadow Servers

Hidden or unverified server endpoints

MCP07

Audit Logging

Missing logs for agent actions

MCP08

Auth & Transport

Insecure connections & missing auth

MCP09

Supply Chain Risk

Unverified or unpinned packages

MCP10

Data Exfiltration

Read + write combos that leak data

Simple pricing

Start free. Unlock details when you need them.

Free

$0

Always free

Risk score
Category flags
Issue titles
Server ratings

MOST POPULAR

Full Report

$49one-time

Per scan report

Everything free +
Full fix steps
Config examples
Priority order
Shareable PDF

Pro

Coming soon

$19/month

For teams

Everything $49 +
Auto-rescan alerts
Scan history
Team configs (5)
Slack alerts

“82% of MCP configs scanned have at least one critical flaw”
— ShieldMCP scan data, 2025–2026

Recent MCP Security Incidents

Asana MCP flaw — ~1,000 orgs affected· June 2025

postmark-mcp malicious server — ~300 orgs· Sept 2025

82% of 2,614 MCP servers vulnerable to path traversal — Endor Labs· 2025