Documentation
How ShieldMCP works
ShieldMCP scans your Model Context Protocol (MCP) configuration against the OWASP MCP Top 10 — the emerging security standard for AI agent integrations. Below is what each check looks for, why it matters, and how to fix it.
Quick start
1. Find your MCP config file (see locations below).
2. Drop the file or paste its JSON on the home page.
3. Get an instant score across all 10 OWASP categories (free, no account).
4. Unlock the full report ($49 one-time) for exact copy-paste fixes and a shareable PDF.
Where is my config file?
Claude Desktop (macOS)
~/Library/Application Support/Claude/claude_desktop_config.json
Claude Desktop (Windows)
%APPDATA%\Claude\claude_desktop_config.json
Cursor
.cursor/mcp.json (in your project) or ~/.cursor/mcp.json
Windsurf
~/.codeium/windsurf/mcp_config.json
VS Code (Continue / others)
.vscode/mcp.json or your extension config
Your config never leaves your browser unscanned — secrets are detected by pattern, and the free scan runs without an account.
The OWASP MCP Top 10
Every scan checks your configuration against all ten categories below.
MCP01
Token Mismanagement
- What it is
- API keys, secrets, and access tokens stored in plaintext inside your MCP config.
- Why it matters
- Config files are frequently committed to git, synced to cloud drives, and shared in screenshots. A leaked OpenAI, Anthropic, GitHub, AWS, or Stripe key can be drained or abused within minutes of exposure.
- What ShieldMCP checks
- ShieldMCP detects 15+ known token formats (sk-, sk-ant-, ghp_, AKIA, AIza, SG., and more) plus high-entropy strings that look like secrets.
- How to fix
- Move secrets to environment variables or a secrets manager and reference them by name (e.g. ${OPENAI_API_KEY}) rather than hardcoding the value in the config file. Check that your client actually expands that syntax: clients differ (VS Code, for example, uses ${env:NAME} and ${input:id}), and a client that does not will hand the literal placeholder to the server. Rotate any key that has already been committed or shared; removing it from the file does not revoke it.
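The detection logic above in working form, as an added example that is not ShieldMCP's own code: a prefix check for the token formats the page names plus a charset-aware entropy check, run over every string value in a config. The regexes, the entropy thresholds, the sample configs and the token values in them are constructed for this example (the AKIA value is AWS's documented example key), and the ${VAR} placeholders in the hardened config assume a client that expands that syntax.

```python
import json
import math
import re
from collections import Counter
from typing import Optional

# Prefix patterns for the formats the page lists (sk-, sk-ant-, ghp_, AKIA, AIza,
# SG.) plus Stripe live keys. The regexes are this example's own, not ShieldMCP's.
# sk-ant- is tried before the generic sk- so Anthropic keys are not mislabelled.
TOKEN_PATTERNS = [
    ("anthropic",      re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    ("openai",         re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")),
    ("github_pat",     re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("sendgrid",       re.compile(r"\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}")),
    ("stripe_live",    re.compile(r"\bsk_live_[A-Za-z0-9]{16,}")),
]
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_secret(value: str) -> Optional[str]:
    """Return a finding kind for one string value, or None if it looks benign."""
    if "${" in value:
        return None                      # already a placeholder: the fix the page recommends
    for kind, pattern in TOKEN_PATTERNS:
        if pattern.search(value):        # search, not match, so "Bearer sk-..." is caught too
            return kind
    if len(value) < 20 or any(ch.isspace() for ch in value):
        return None                      # too short to be a token, or free text
    # Charset-aware thresholds: hex cannot exceed 4 bits/char, so it gets a lower bar.
    # Base64-like material must clear 4.5 bits, which a string with fewer than 23
    # distinct characters (ordinary paths, package names) can never reach.
    if HEX_RE.match(value):
        return "high_entropy_hex" if shannon_entropy(value) >= 3.0 else None
    return "high_entropy" if shannon_entropy(value) >= 4.5 else None


def iter_strings(node, path=""):
    """Yield (json_path, value) for every string leaf in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from iter_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from iter_strings(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def scan_for_secrets(config_json: str) -> list:
    """MCP01 check: [(json_path, kind)] for every plaintext secret in the config."""
    return [(path, kind) for path, value in iter_strings(json.loads(config_json))
            if (kind := looks_like_secret(value))]


# Constructed sample: every secret below is made up except the AWS example key.
PLAINTEXT_CONFIG = """{
  "mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"}},
    "openai-tools": {"command": "npx", "args": ["-y", "example-openai-mcp"],
                     "env": {"OPENAI_API_KEY": "sk-proj-0123456789abcdefghijklmnop"}},
    "internal": {"command": "node", "args": ["/Users/me/dev/internal-mcp/index.js"],
                 "env": {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
                         "WEBHOOK_SIGNING_SECRET": "0123456789abcdef0123456789abcdef",
                         "INTERNAL_SERVICE_TOKEN": "AbCdEfGhIjKlMnOpQrStUvWxYz012345"}}
  }
}"""

# The same servers after the fix: values are names the client resolves from its environment.
HARDENED_CONFIG = """{
  "mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_PERSONAL_ACCESS_TOKEN}"}},
    "internal": {"command": "node", "args": ["/Users/me/dev/internal-mcp/index.js"],
                 "env": {"AWS_ACCESS_KEY_ID": "${AWS_ACCESS_KEY_ID}",
                         "WEBHOOK_SIGNING_SECRET": "${WEBHOOK_SIGNING_SECRET}"}}
  }
}"""

if __name__ == "__main__":
    for path, kind in scan_for_secrets(PLAINTEXT_CONFIG):
        print(f"{kind:18s} {path}")
    print("hardened findings:", scan_for_secrets(HARDENED_CONFIG))
```

Two things the prefix list alone would miss are shown here: a 32-character hex webhook secret (entropy tops out at 4 bits for hex, so it needs its own threshold) and an opaque internal token with no recognisable prefix. Both are caught by the entropy pass, while the package name and the script path in the same config stay clean.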
MCP02
Tool Poisoning
- What it is
- MCP servers loaded from unverified, local, or untrusted sources.
- Why it matters
- A malicious MCP server can inject hidden instructions into your agent, exfiltrate data, or execute arbitrary code. Local filesystem packages can be silently modified on disk without the config ever changing.
- What ShieldMCP checks
- ShieldMCP flags servers loaded from local filesystem paths, unscoped packages, and sources that cannot be audited against a registry.
- How to fix
- Always reference published, versioned npm packages from trusted publishers. Pin exact versions and review the pinned source before connecting: pinning fixes which code runs, it does not make that code trustworthy.
MCP03
Command Injection
- What it is
- Shell execution patterns and dangerous commands in server definitions.
- Why it matters
- If an MCP server runs shell commands built from untrusted input, an attacker (or a prompt-injected model) can execute arbitrary code on your machine.
- What ShieldMCP checks
- ShieldMCP inspects command and args for shell interpreters (bash -c, sh -c), pipe-to-shell patterns, and other injection-prone constructs.
- How to fix
- Avoid passing dynamic input to shell interpreters. Use parameterized, allowlisted commands and never build commands from model output.
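An added example of the MCP03 check, not ShieldMCP's code: it inspects each server's launch command and arguments for shell interpreters, their -c style flags, pipe-to-shell, command substitution, and client-expanded placeholders inside a shell string. The interpreter/flag table, the finding codes and the sample servers are my own; example-mcp-server and example.com are placeholders.

```python
import json
import re

# Interpreters whose "run this string" flags hand the argument to a shell parser.
# My own table, not a complete list.
SHELL_FLAGS = {
    "sh": {"-c"}, "bash": {"-c"}, "zsh": {"-c"}, "dash": {"-c"},
    "cmd": {"/c", "/k"}, "cmd.exe": {"/c", "/k"},
    "powershell": {"-command", "-c", "-encodedcommand", "-e"},
    "pwsh": {"-command", "-c", "-encodedcommand", "-e"},
}
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")   # curl ... | sh
SUBSTITUTION = re.compile(r"\$\(|`")                               # $(...) or `...`
PLACEHOLDER = re.compile(r"\$\{[^}]*\}")                            # ${input:x}, ${env:X}


def command_findings(config_json):
    """MCP03 check: [(server, code, detail)] for shell-interpreter launches."""
    findings = []
    for name, server in json.loads(config_json).get("mcpServers", {}).items():
        # basename across / and \ so /bin/bash and C:\...\cmd.exe both resolve
        command = re.split(r"[\\/]", server.get("command", ""))[-1].lower()
        args = server.get("args", [])
        flags = SHELL_FLAGS.get(command)
        if flags is None:
            continue                      # not a shell: argv reaches the program unparsed
        findings.append((name, "SHELL_INTERPRETER", f"{command} {' '.join(args)}".strip()))
        for i, arg in enumerate(args):
            if arg.lower() in flags and i + 1 < len(args):
                script = args[i + 1]      # one string the shell will re-tokenise
                if PIPE_TO_SHELL.search(script):
                    findings.append((name, "PIPE_TO_SHELL", script))
                if SUBSTITUTION.search(script):
                    findings.append((name, "COMMAND_SUBSTITUTION", script))
                if PLACEHOLDER.search(script):
                    # a client-expanded variable inside a shell string is textbook injection:
                    # whoever controls the variable controls the command line
                    findings.append((name, "INTERPOLATED_SHELL_STRING", script))
    return findings


# Constructed sample config with three shell-wrapped servers and one clean one.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "ok": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/me/project"]},
    "wrapper": {"command": "/bin/bash", "args": ["-c", "source ~/.secrets && npx -y example-mcp-server"]},
    "installer": {"command": "sh", "args": ["-c", "curl -fsSL https://example.com/install.sh | sh && example-mcp-server"]},
    "templated": {"command": "cmd.exe", "args": ["/c", "example-mcp-server --root ${input:projectDir}"]}
  }
}"""

# The same intent without a shell: secrets via env, the placeholder as its own argv element.
FIXED_CONFIG = """{
  "mcpServers": {
    "wrapper": {"command": "npx", "args": ["-y", "example-mcp-server"],
                "env": {"EXAMPLE_TOKEN": "${EXAMPLE_TOKEN}"}},
    "templated": {"command": "example-mcp-server", "args": ["--root", "${input:projectDir}"]}
  }
}"""

if __name__ == "__main__":
    for finding in command_findings(SAMPLE_CONFIG):
        print(finding)
    print("fixed:", command_findings(FIXED_CONFIG))
```

The "templated" case is the one to remember: the same ${input:projectDir} placeholder is harmless as a separate argv element in FIXED_CONFIG and an injection point once it sits inside a string that cmd.exe parses.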
MCP04
Excessive Permissions
- What it is
- Servers granted far more access than they need.
- Why it matters
- A filesystem server pointed at / or your home directory exposes SSH keys, credentials, and every file on the system to the agent. A database server with write access can destroy data.
- What ShieldMCP checks
- ShieldMCP flags filesystem roots (/ or home), database write access, and live payment keys (sk_live_) as critical over-permissioning.
- How to fix
- Apply least privilege. Scope filesystem servers to a single project directory. Use read-only credentials where writes are not required.
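An added example of the MCP04 filesystem-scope check, not ShieldMCP's code. It assumes the @modelcontextprotocol/server-filesystem convention that positional arguments after the package name are allowed roots, handles POSIX paths only, and takes the home directory as a parameter so the result is deterministic; the list of sensitive dotfolders under home and the severity labels are my own.

```python
import json
import posixpath

FILESYSTEM_PACKAGE = "@modelcontextprotocol/server-filesystem"
# Folders under $HOME that hold credentials; my own list, extend as needed.
SENSITIVE_UNDER_HOME = (".ssh", ".aws", ".gnupg", ".config", ".kube")


def normalize(path, home):
    """Expand ~ and collapse ../ so '~/p/app/../..' and '/Users/me' compare equal."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return posixpath.normpath(path)


def classify_root(path, home):
    """Severity of one allowed root relative to the user's home directory."""
    p, h = normalize(path, home), posixpath.normpath(home)
    if p == "/" or p == h or h.startswith(p.rstrip("/") + "/"):
        return "critical"            # whole disk, the home dir, or an ancestor such as /Users
    rel = posixpath.relpath(p, h)
    if rel.startswith(".."):
        return "medium"              # outside home entirely (/etc, /var/log, another user)
    if rel.split("/")[0] in SENSITIVE_UNDER_HOME:
        return "critical"            # ~/.ssh and friends
    return "ok"


def filesystem_scope_findings(config_json, home):
    """MCP04 check: [(server, root_as_written, severity)] for every non-ok root."""
    findings = []
    for name, server in json.loads(config_json).get("mcpServers", {}).items():
        args = server.get("args", [])
        idx = next((i for i, a in enumerate(args) if a.startswith(FILESYSTEM_PACKAGE)), None)
        if idx is None:
            continue                 # not a filesystem server (version suffixes are tolerated)
        for root in args[idx + 1:]:  # everything after the package spec is an allowed root
            severity = classify_root(root, home)
            if severity != "ok":
                findings.append((name, root, severity))
    return findings


HOME = "/Users/me"   # fixed here so the example is deterministic; real code would use $HOME
# Constructed sample: six filesystem servers, one of them scoped correctly.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "fs-everything": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/"]},
    "fs-home":   {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "~"]},
    "fs-sneaky": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem@0.6.2", "~/projects/app/../.."]},
    "fs-keys":   {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "~/projects/app", "~/.ssh"]},
    "fs-etc":    {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/etc"]},
    "fs-scoped": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "~/projects/app"]}
  }
}"""

if __name__ == "__main__":
    for finding in filesystem_scope_findings(SAMPLE_CONFIG, HOME):
        print(finding)
```

Normalising before comparing is the point of "fs-sneaky": the root is written as a project subdirectory but resolves to the home directory, so a check that only string-matches "/" and "~" would pass it.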
MCP05
Context Over-sharing
- What it is
- Too many sensitive data sources connected to one agent at once.
- Why it matters
- When email, calendar, files, and a database are all exposed simultaneously, a single prompt-injection attack can pivot across all of them — reading one, leaking through another.
- What ShieldMCP checks
- ShieldMCP evaluates the combination of connected sources and warns when sensitive sources are over-aggregated.
- How to fix
- Connect only the sources a given workflow needs. Split high-sensitivity tools into separate, purpose-scoped agent configs.
MCP06
Shadow MCP Servers
- What it is
- Hidden, duplicate, or unverified server endpoints.
- Why it matters
- Duplicate or unrecognized servers can shadow legitimate ones, intercepting tool calls or quietly adding capabilities you did not intend to grant.
- What ShieldMCP checks
- ShieldMCP detects duplicate package references and servers pointing at unverified or non-standard endpoints.
- How to fix
- Maintain a known-good inventory of your MCP servers. Remove duplicates and verify every endpoint you connect to.
MCP07
Audit Logging
- What it is
- No log trail for what the agent reads, writes, or executes.
- Why it matters
- Without logs there is no way to investigate a breach, prove compliance, or detect data exfiltration in progress. Destructive servers without logging are especially dangerous.
- What ShieldMCP checks
- ShieldMCP checks for log path / log level env vars and escalates to critical when a write-capable server has no audit trail.
- How to fix
- Set MCP_LOG_PATH (or the server equivalent) on every server. The variable name is server-specific (MCP does not standardise server environment variables), so use the one your server documents. Log timestamp, tool, arguments, and result, and ship the logs to a central, tamper-resistant store that the agent's own host cannot rewrite.
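An added example, not ShieldMCP's or any server's code, of the audit record the fix above calls for, built from the JSON-RPC 2.0 messages that pass between an MCP client and a stdio server: each tools/call request is paired with its response and recorded with timestamp, tool, arguments and result, and the records are hash-chained so a later edit, deletion or reordering is detectable. The transcript is constructed; the request and response shapes follow the MCP tools/call schema (params.name, params.arguments, result.content, result.isError).

```python
import hashlib
import json

GENESIS = "0" * 64   # chain head before the first record

# Constructed transcript: (timestamp, direction, newline-delimited JSON-RPC message).
# Not a real capture; the error text is illustrative.
TRANSCRIPT = [
    ("2025-01-15T10:00:00Z", "client->server",
     '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"/Users/me/project/README.md"}}}'),
    ("2025-01-15T10:00:00Z", "server->client",
     '{"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"# Project\\n..."}],"isError":false}}'),
    ("2025-01-15T10:00:02Z", "client->server",
     '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"/Users/me/.ssh/id_ed25519"}}}'),
    ("2025-01-15T10:00:02Z", "server->client",
     '{"jsonrpc":"2.0","id":2,"error":{"code":-32602,"message":"Access denied - path outside allowed directories"}}'),
    ("2025-01-15T10:00:03Z", "client->server",
     '{"jsonrpc":"2.0","method":"notifications/cancelled","params":{"requestId":3}}'),
]


def _digest(record):
    """SHA-256 over the canonical JSON of a record minus its own hash field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def audit_records(transcript):
    """Pair each tools/call with its response; return hash-chained audit records."""
    pending, records, prev = {}, [], GENESIS
    for ts, direction, line in transcript:
        msg = json.loads(line)
        if "id" not in msg:
            continue                                   # notifications cannot be paired
        if direction == "client->server" and msg.get("method") == "tools/call":
            pending[msg["id"]] = (ts, msg["params"])
        elif direction == "server->client" and msg["id"] in pending:
            started, params = pending.pop(msg["id"])
            if "error" in msg:                         # JSON-RPC level failure
                outcome, summary = "error", msg["error"]["message"]
            else:                                      # tool-level result, possibly isError
                result = msg["result"]
                outcome = "error" if result.get("isError") else "ok"
                summary = " ".join(c.get("text", "") for c in result.get("content", []))[:120]
            record = {"ts": started, "completed": ts, "tool": params["name"],
                      "arguments": params.get("arguments", {}), "outcome": outcome,
                      "result": summary, "prev": prev}
            record["hash"] = _digest(record)
            prev = record["hash"]
            records.append(record)
    return records


def verify_chain(records, head=GENESIS):
    """True if every record hashes correctly and links to the one before it."""
    for rec in records:
        if rec["prev"] != head or _digest(rec) != rec["hash"]:
            return False
        head = rec["hash"]
    return True


if __name__ == "__main__":
    for rec in audit_records(TRANSCRIPT):
        print(json.dumps(rec))
```

Note what the second record preserves: the denied read of ~/.ssh/id_ed25519 is exactly the event an investigator needs, and it only exists because the request was logged before the response arrived. A hash chain alone is not tamper-resistant storage; it only proves tampering if the latest hash (or the records themselves) is copied to the central store the fix describes.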
MCP08
Auth & Transport Security
- What it is
- Insecure connections and missing authentication.
- Why it matters
- HTTP-only transports and missing API keys let attackers intercept traffic or impersonate servers. Credentials sent in the clear can be captured on any shared network.
- What ShieldMCP checks
- ShieldMCP flags HTTP (non-TLS) transports and HTTP-based servers missing authentication.
- How to fix
- Always use HTTPS/TLS for remote servers and require authentication on every networked MCP endpoint. An http:// URL bound to localhost for a server you run yourself is lower risk than a remote plaintext endpoint, but it is still flagged; prefer a stdio transport or TLS there too.
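An added example covering the MCP06 and MCP08 checks, not ShieldMCP's code: url-based servers (the HTTP/SSE transports) are checked for plaintext http, a missing authentication header and raw-IP hosts, and all servers are compared for duplicates by normalized endpoint or identical launch line. The header names treated as authentication, the downgrade of localhost plaintext to medium, the finding codes and the sample hosts are my own assumptions.

```python
import ipaddress
import json
from collections import defaultdict
from urllib.parse import urlsplit

AUTH_HEADERS = {"authorization", "x-api-key", "api-key"}   # my assumption of what counts
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def endpoint_findings(config_json):
    """MCP06/MCP08: [(server, code, detail)] for plaintext, unauthenticated, raw-IP or duplicate servers."""
    servers = json.loads(config_json).get("mcpServers", {})
    findings, seen = [], defaultdict(list)
    for name, server in servers.items():
        url = server.get("url")
        if url:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if parts.scheme == "http":
                sev = "medium" if host in LOCAL_HOSTS else "critical"
                findings.append((name, f"MCP08_PLAINTEXT_{sev.upper()}", url))
            headers = {k.lower() for k in server.get("headers", {})}
            if not headers & AUTH_HEADERS:
                findings.append((name, "MCP08_NO_AUTH_HEADER", url))
            if host not in LOCAL_HOSTS:
                try:
                    ipaddress.ip_address(host)        # a bare IP cannot be checked against a registry
                    findings.append((name, "MCP06_RAW_IP_ENDPOINT", url))
                except ValueError:
                    pass
            # trailing slash and case differences must not hide a duplicate
            identity = ("url", parts.scheme, host, parts.port, parts.path.rstrip("/"))
        else:
            identity = ("stdio", server.get("command"), tuple(server.get("args", [])))
        seen[identity].append(name)
    for identity, names in seen.items():
        if len(names) > 1:
            findings.append((", ".join(names), "MCP06_DUPLICATE_SERVER", repr(identity[1:])))
    return findings


# Constructed sample: example.com hosts and a private IP, none of them real endpoints.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "docs":     {"url": "https://mcp.example.com/sse", "headers": {"Authorization": "Bearer ${MCP_DOCS_TOKEN}"}},
    "docs-old": {"url": "https://mcp.example.com/sse/"},
    "legacy":   {"url": "http://10.0.4.12:8080/mcp"},
    "dev":      {"url": "http://localhost:3000/mcp"},
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/me/project"]},
    "files":      {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/me/project"]}
  }
}"""

if __name__ == "__main__":
    for finding in endpoint_findings(SAMPLE_CONFIG):
        print(finding)
```

"docs-old" is the shadow-server case from MCP06: the same endpoint as "docs" with a trailing slash, but without the bearer token, so whichever entry the client picks up decides whether the connection is authenticated.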
MCP09
Supply Chain Risk
- What it is
- Unpinned or unverified package dependencies.
- Why it matters
- An unpinned package can pull a malicious update at any time. With npx -y or uvx and no version, the version is resolved when the client launches the server, so a poisoned release is picked up on the next restart without any change to your config. Compromised dependencies are one of the most common real-world attack vectors.
- What ShieldMCP checks
- ShieldMCP flags packages without pinned versions and dependencies from unverified sources.
- How to fix
- Pin exact versions of every MCP package (name@1.2.3, not name or name@^1.2.0). Pinning the top-level package does not pin its transitive dependencies, which still resolve to whatever the registry serves within their declared ranges. Review changelogs before upgrading and prefer publishers with a strong security track record.
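How the MCP02 and MCP09 checks above can be made concrete, as an added example that is not ShieldMCP's code: it resolves where each stdio server's code comes from (npm via npx/bunx, PyPI via uvx, or a path on disk) and whether the version is pinned exactly, which is the same spec-parsing both checks need. Package names other than @modelcontextprotocol/server-filesystem and server-github, the version numbers and the finding codes are constructed for the example.

```python
import json
import re

EXACT_NPM = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")   # 1.2.3 or 1.2.3-beta.1, never ^ ~ *
EXACT_PYPI = re.compile(r"^==\d+(?:\.\d+)*$")                        # ==1.2.3
NPM_LAUNCHERS = {"npx", "bunx"}
PYPI_LAUNCHERS = {"uvx"}


def first_positional(args):
    """The launcher's package spec: the first argument that is not a flag such as -y."""
    for arg in args:
        if not arg.startswith("-"):
            return arg
    return None


def split_npm_spec(spec):
    """'@scope/name@1.2.3' -> ('@scope/name', '1.2.3'); no version -> (spec, None)."""
    at = spec.rfind("@")
    if at <= 0:                       # position 0 is the scope marker, not a version separator
        return spec, None
    return spec[:at], spec[at + 1:]


def split_pypi_spec(spec):
    """'name==1.2.3' -> ('name', '==1.2.3'); a range keeps its operator so it fails the exact check."""
    m = re.match(r"^([A-Za-z0-9_.-]+)(.*)$", spec)
    return (m.group(1), m.group(2) or None) if m else (spec, None)


def is_local_source(command, args):
    """True when the server runs from a path on disk rather than from a registry."""
    if command.startswith(("/", "./", "../", "~")) or "\\" in command:
        return True
    if command in {"node", "python", "python3"} and args:
        return "/" in args[0] or "\\" in args[0] or args[0].endswith((".js", ".py"))
    return False


def source_findings(config_json):
    """MCP02/MCP09 checks: [(server, code, detail)]."""
    findings = []
    for name, server in json.loads(config_json).get("mcpServers", {}).items():
        command, args = server.get("command", ""), server.get("args", [])
        if not command:
            continue                                  # url-based servers: no package to resolve
        if is_local_source(command, args):
            findings.append((name, "MCP02_LOCAL_SOURCE", f"{command} {' '.join(args)}".strip()))
            continue                                  # nothing to pin: the file can change silently
        spec = first_positional(args)
        if command in NPM_LAUNCHERS and spec:
            pkg, version = split_npm_spec(spec)
            if not pkg.startswith("@"):
                findings.append((name, "MCP02_UNSCOPED_PACKAGE", pkg))
            if version is None or not EXACT_NPM.match(version):
                findings.append((name, "MCP09_UNPINNED", f"{pkg}@{version or 'latest'}"))
        elif command in PYPI_LAUNCHERS and spec:
            pkg, version = split_pypi_spec(spec)
            if version is None or not EXACT_PYPI.match(version):
                findings.append((name, "MCP09_UNPINNED", f"{pkg}{version or ''}"))
    return findings


# Constructed sample: one pinned server, two unpinned, one ranged, one run from disk.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/me/project"]},
    "fetch":      {"command": "uvx", "args": ["mcp-server-fetch"]},
    "memory":     {"command": "npx", "args": ["-y", "example-memory-server@^1.2.0"]},
    "github":     {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github@0.6.2"]},
    "homegrown":  {"command": "node", "args": ["/Users/me/dev/my-mcp-server/index.js"]}
  }
}"""

if __name__ == "__main__":
    for finding in source_findings(SAMPLE_CONFIG):
        print(finding)
```

The scoped-package edge case is worth the two lines it costs: splitting on the first "@" would read "@modelcontextprotocol/server-filesystem" as package "" at version "modelcontextprotocol/server-filesystem" and report it as pinned.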
MCP10
Data Exfiltration Risk
- What it is
- Read-plus-write combinations that form a path for data to leave.
- Why it matters
- A filesystem reader combined with an email or HTTP sender creates a complete exfiltration path — read sensitive data here, send it out there. Attackers chain these automatically.
- What ShieldMCP checks
- ShieldMCP models source-to-sink combinations (e.g. filesystem + email) and flags configurations that enable exfiltration.
- How to fix
- Separate read sources from outbound sinks. If both are required, add strict audit logging and human approval for outbound actions.
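One way to model the MCP05 and MCP10 checks above, as an added example that is not ShieldMCP's code: each server is mapped to what it can read and where it can send, the number of distinct sensitive sources on one agent is compared against a limit, and every read-source paired with an outbound sink on the same agent is reported as an exfiltration path. The keyword-to-capability map is a heuristic keyed on package names (a real scanner would use a curated list of known servers); example-gmail-mcp and the limit of two sensitive sources are my own choices.

```python
import json
from itertools import product

# Keyword in the launch line -> (what the server can read, where it can send).
# My own heuristic. Database write is deliberately not a sink: that is an MCP04
# destructive-access concern, not a channel for data to leave the machine.
CAPABILITIES = {
    "filesystem": ({"files"}, set()),
    "postgres":   ({"database"}, set()),
    "gmail":      ({"email"}, {"email"}),
    "slack":      ({"chat"}, {"chat"}),
    "fetch":      (set(), {"http"}),        # fetches any URL the model names: a classic exfil sink
    "calendar":   ({"calendar"}, set()),
}
SENSITIVE_SOURCES = {"files", "database", "email", "calendar"}


def capabilities_of(server):
    """(sources, sinks) for one server entry, by keyword match on its command, args or URL."""
    haystack = " ".join([server.get("command", ""), *server.get("args", []),
                         server.get("url", "")]).lower()
    sources, sinks = set(), set()
    for keyword, (src, snk) in CAPABILITIES.items():
        if keyword in haystack:
            sources |= src
            sinks |= snk
    return sources, sinks


def exfiltration_findings(config_json, max_sensitive_sources=2):
    """MCP05/MCP10: (over-sharing message or None, sorted [(source, via, sink, via)])."""
    caps = {name: capabilities_of(s)
            for name, s in json.loads(config_json).get("mcpServers", {}).items()}
    exposed = set().union(*(src for src, _ in caps.values())) & SENSITIVE_SOURCES
    oversharing = None
    if len(exposed) > max_sensitive_sources:
        oversharing = f"{len(exposed)} sensitive sources on one agent: {sorted(exposed)}"
    paths = set()
    # every (reader, sender) pair, including a server paired with itself
    for (sname, (ssrc, _)), (kname, (_, ksnk)) in product(caps.items(), repeat=2):
        for src in ssrc & SENSITIVE_SOURCES:
            for snk in ksnk:
                if src != snk:               # reading mail and sending mail is the tool's normal job
                    paths.add((src, sname, snk, kname))
    return oversharing, sorted(paths)


# Constructed sample: the "everything on one agent" setup the page warns about.
AGGREGATED_CONFIG = """{
  "mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/me"]},
    "postgres":   {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-postgres", "postgresql://app@localhost/prod"]},
    "gmail":      {"command": "npx", "args": ["-y", "example-gmail-mcp"]},
    "fetch":      {"command": "uvx", "args": ["mcp-server-fetch"]}
  }
}"""

# The same sources after splitting senders into a separate, purpose-scoped config.
SPLIT_CONFIG = """{
  "mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/me/project"]},
    "postgres":   {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-postgres", "postgresql://app@localhost/prod"]}
  }
}"""

if __name__ == "__main__":
    over, paths = exfiltration_findings(AGGREGATED_CONFIG)
    print(over)
    for path in paths:
        print("{} (via {}) -> {} (via {})".format(*path))
    print("split config:", exfiltration_findings(SPLIT_CONFIG))
```

The aggregated config yields five distinct read-to-send paths from four servers; the split config, with the same two readers and no sender, yields none. That is the structural reason the fixes for MCP05 and MCP10 both come down to separating sources from sinks rather than hardening each server on its own.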
How scoring works
Every scan starts at 100 and deducts points per issue found. Deductions are capped per severity level, so a pile of findings at one level cannot by itself sink the whole score:
Critical: −20 each, max −60
High: −10 each, max −30
Medium: −5 each, max −15
Low: −2 each, max −6
The final score maps to a risk band:
80–100: Low Risk
60–79: Medium Risk
40–59: High Risk
0–39: Critical Risk
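The scoring rule worked through in code, as an added example that is not ShieldMCP's implementation: per-issue deductions with a cap per severity, then the band lookup. Flooring the result at 0 is my assumption, since the lowest band starts at 0 and the four caps together (−111) exceed the starting score.

```python
# (deduction per issue, cap on the total for that severity), as the page states them
DEDUCTION = {"critical": (20, 60), "high": (10, 30), "medium": (5, 15), "low": (2, 6)}
# (lowest score in band, label), highest band first
BANDS = [(80, "Low Risk"), (60, "Medium Risk"), (40, "High Risk"), (0, "Critical Risk")]


def score(findings):
    """findings: iterable of severity strings. Returns (score, deduction per severity)."""
    counts = {}
    for sev in findings:
        counts[sev] = counts.get(sev, 0) + 1
    deducted = {sev: min(counts.get(sev, 0) * per, cap) for sev, (per, cap) in DEDUCTION.items()}
    return max(0, 100 - sum(deducted.values())), deducted   # floor at 0 is this example's assumption


def band(value):
    """Risk label for a score, using the page's four bands."""
    return next(label for floor, label in BANDS if value >= floor)


if __name__ == "__main__":
    for sample in (["critical"] * 3 + ["high"],          # 100 - 60 - 10 = 30
                   ["critical"] * 7,                      # capped: 100 - 60 = 40, not -40
                   ["medium"] * 2 + ["low"] * 5,          # 100 - 10 - 6 = 84 (low capped at 6)
                   ["critical", "high", "medium", "low"] * 3):   # every cap hit: floored at 0
        s, d = score(sample)
        print(s, band(s), d)
```

The cap is what makes the 7-critical config score 40 (High Risk) rather than going negative, and it is also why a config with three of everything still lands at 0: the caps limit each severity, not their sum.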
Ready to check your setup?
Run a free scan in 60 seconds — no account required.