oktsec / mcp-security-audit

# Install this skill

```shell
npx skills add oktsec/ai-security-skills --skill "mcp-security-audit"
```

Installs this specific skill from the multi-skill repository.

# Description

Audits MCP server configurations for security issues across Claude Desktop, Cursor, VS Code, and 14 other AI clients. Finds unpinned versions, bare wrapper commands, plaintext secrets, overly broad permissions, and remote server exposure. Use when user asks to "audit my MCP servers", "check MCP security", "find risky MCP configs", "are any servers unpinned or exposed", or "is my setup secure".

# SKILL.md

```yaml
---
name: mcp-security-audit
description: Audits MCP server configurations for security issues across Claude Desktop, Cursor, VS Code, and 14 other AI clients. Finds unpinned versions, bare wrapper commands, plaintext secrets, overly broad permissions, and remote server exposure. Use when user asks to "audit my MCP servers", "check MCP security", "find risky MCP configs", "are any servers unpinned or exposed", or "is my setup secure".
metadata:
  author: oktsec
  version: 1.0.0
  license: Apache-2.0
---
```

# MCP Security Audit

Discover and audit every MCP server configured on this machine. Identify security risks before they become incidents.

## Instructions

### Step 1: Discover MCP configurations

Search for MCP server configurations in all known client locations:

**Claude Desktop:**
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Linux: ~/.config/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json

**Claude Code:**
- ~/.claude.json (global)
- .claude/settings.json (project)
- .mcp.json (project)

**Cursor:**
- ~/.cursor/mcp.json (global)
- .cursor/mcp.json (project)

**VS Code (Copilot):**
- .vscode/mcp.json (project)
- VS Code settings: "mcp.servers" key

**Windsurf:**
- ~/.codeium/windsurf/mcp_config.json

**Other clients:** Cline (`~/.cline/mcp_settings.json`), Amp, Zed, Gemini CLI - check `references/client-paths.md` for the full list.

Read each config file found. Parse the `mcpServers` object. List every server with its transport type (stdio/sse/http), command, args, and env vars.

### Step 2: Run security checks

For each discovered MCP server, evaluate these checks:

**Critical:**
- MCP-001: Server runs a bare command without arguments (e.g., `"command": "analytics-mcp"` with no args). May be a wrapper hiding the real binary. Verify with `which <command>` and `file <path>`.
- MCP-002: Server command uses npx or uvx without pinned version. Downloads latest from registry on every start - supply chain risk.
- MCP-003: Server URL points to non-localhost address. Remote MCP servers can intercept all tool calls.
- MCP-004: Server has env vars with keys/tokens passed in plaintext in the config file.

**High:**
- MCP-005: Server command is a shell script or batch file. Inspect the script for chained commands, downloads, or env manipulation.
- MCP-006: Server uses node or python directly with inline script arguments. Code can be injected via config modification.
- MCP-007: Server has write access to sensitive paths (home dir, .ssh, .aws, .config).
- MCP-008: Multiple clients configure the same server with different arguments or env vars. Inconsistency may indicate tampering.

**Medium:**
- MCP-009: Server binary is not in a standard system path (/usr/local/bin, /opt/homebrew/bin). Verify provenance.
- MCP-010: Server lacks any argument validation or scoping (no `--allowed-dir`, `--read-only`, etc.).
- MCP-011: Server config contains `"autoApprove"` or similar auto-grant patterns.

**Info:**
- MCP-012: Total count of discovered servers and clients.
- MCP-013: Servers that appear in multiple clients (cross-reference).

### Step 3: Generate report

Output a structured report:

```markdown
## MCP Security Audit Report

**Date:** [current date]
**Machine:** [hostname]
**Clients found:** [count]
**Servers found:** [count]

### Critical Findings
[List each finding with server name, client, check ID, description, and remediation]

### High Findings
[...]

### Medium Findings
[...]

### Summary
- [count] critical, [count] high, [count] medium, [count] info
- Grade: A (0 critical/high) | B (0 critical) | C (has critical) | F (has critical + exposed remote)
```

### Step 4: Suggest remediations

For each finding, provide a specific fix:

- Bare command: run `which <cmd>` to verify, then `file <path>` to check whether it is a wrapper
- Unpinned npx: pin the version, e.g. `npx @company/[email protected]` instead of `npx @company/server`
- Remote URL: move the server to localhost or tunnel via SSH
- Plaintext secrets: use an env var reference instead of a hardcoded value
- Write access: add an `--allowed-dir` flag scoped to the project directory only
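The check loop of Steps 1 to 4 in runnable form, as an added example that is not the skill's own code: it parses a constructed `mcpServers` config embedded inline, applies MCP-001 to MCP-004 and MCP-011 to each server, and grades the result on the skill's A/B/C/F scale. The credential-looking key regex and the rule that env values beginning with `$` count as references rather than plaintext are assumed heuristics, not part of the skill.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample config (not from any real machine) in the mcpServers shape the skill parses.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "analytics": {"command": "analytics-mcp"},
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/user"]},
    "github": {"command": "uvx", "args": ["mcp-server-github@0.4.1"], "env": {"GITHUB_TOKEN": "ghp_constructedExampleValue000"}},
    "remote": {"url": "https://mcp.example.com/sse", "autoApprove": ["*"]},
    "local": {"url": "http://127.0.0.1:8080/mcp"},
}})

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Assumed heuristic: env keys that look like credentials; values starting with "$" are treated as references.
SECRET_KEY_RE = re.compile(r"token|secret|key|password|passwd|credential", re.I)

def unpinned(args):
    """MCP-002: the first non-flag arg is the package; pinned means name@version."""
    pkg = next((a for a in args if not a.startswith("-")), None)
    if pkg is None:
        return True
    name = pkg[1:] if pkg.startswith("@") else pkg  # drop an npm scope prefix so only a version '@' remains
    return "@" not in name

def audit(config_text):
    """Return (server, check_id, severity, detail) tuples for one config file."""
    findings = []
    for name, spec in json.loads(config_text).get("mcpServers", {}).items():
        cmd, args, env = spec.get("command"), spec.get("args", []), spec.get("env", {})
        if cmd and not args:
            findings.append((name, "MCP-001", "critical", f"bare command {cmd!r}; verify with which/file"))
        if cmd in ("npx", "uvx") and unpinned(args):
            findings.append((name, "MCP-002", "critical", f"unpinned package run via {cmd}"))
        url = spec.get("url")
        if url and urlparse(url).hostname not in LOCAL_HOSTS:
            findings.append((name, "MCP-003", "critical", f"remote server {url}"))
        for key, value in env.items():
            if SECRET_KEY_RE.search(key) and not str(value).startswith("$"):
                findings.append((name, "MCP-004", "critical", f"plaintext secret in env {key}"))
        if spec.get("autoApprove"):
            findings.append((name, "MCP-011", "medium", "autoApprove grants tools without prompting"))
    return findings

def grade(findings):
    # Skill's scale: A no critical/high, B no critical, C has critical, F critical plus exposed remote
    severities = {f[2] for f in findings}
    if "critical" in severities:
        return "F" if any(f[1] == "MCP-003" for f in findings) else "C"
    return "B" if "high" in severities else "A"
```

Running `audit` over a real client config (for example the Claude Desktop path listed in Step 1) and feeding the findings to `grade` produces the Summary line of the Step 3 report.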

## Examples

### Example 1: Basic audit

User says: "Check if my MCP setup is secure"

Actions:
1. Read config files from all known client paths
2. Parse each mcpServers entry
3. Run all 13 security checks
4. Generate graded report with remediations

### Example 2: Specific client

User says: "Audit my Claude Desktop MCP servers"

Actions:
1. Read only Claude Desktop config
2. Run checks on those servers
3. Generate focused report

## Common Issues

### Config file not found

The client may not be installed, or the config may be in a non-standard location. Check if the client application exists before reporting "no config found".

### Permission denied

Some config files may require elevated permissions. Note which files couldn't be read and suggest the user run with appropriate access.
