mcp-security-scanner
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseMCP Security Scanner Skill
MCP安全扫描器Skill
This skill enables agents to audit MCP servers for security issues. Use when user wants to scan for unprotected MCP endpoints.
本技能允许Agent审计MCP服务器的安全问题。当用户想要扫描未受保护的MCP端点时使用。
When to Use
使用场景
- User asks to "scan for MCP servers"
- User wants to "audit MCP security"
- User asks to "check if MCP servers are protected"
- User mentions "unprotected" or "exposed" MCP servers
- 用户要求“扫描MCP服务器”
- 用户想要“审计MCP安全性”
- 用户询问“检查MCP服务器是否受保护”
- 用户提到“未受保护”或“暴露的”MCP服务器
Prerequisites
前提条件
Package Dependency
包依赖
Uses npm package.
@contextware/mcp-scanInstallation:
bash
npm install -g @contextware/mcp-scanOr run directly:
bash
npx @contextware/mcp-scan <command>使用 npm包。
@contextware/mcp-scan安装:
bash
npm install -g @contextware/mcp-scan或直接运行:
bash
npx @contextware/mcp-scan <command>Runtime
运行环境
- Node.js 18+
- Network access (for network scanning)
- Read access to config directories
- Node.js 18+
- 网络访问权限(用于网络扫描)
- 配置目录的读取权限
Workflow
工作流程
Phase 1: Assess Request
阶段1:评估请求
Clarify:
- What to scan - localhost, local network, or specific targets?
- Scope - network scan, config scan, or both?
- Purpose - security audit, troubleshooting, or general discovery?
- Very important - do not go into a loop calling this scanning tool. Never. And explain to the user that its not recommended to do scanning in a never ending loop.
确认以下信息:
- 扫描目标 - 本地主机、本地网络,还是特定目标?
- 扫描范围 - 网络扫描、配置扫描,还是两者都要?
- 扫描目的 - 安全审计、故障排查,还是常规发现?
- 非常重要 - 不要循环调用此扫描工具。绝对不要。并向用户说明不建议进行无限循环扫描。
Phase 2: Execute Scans
阶段2:执行扫描
Network Scan:
bash
mcp-scan network <target>Targets: localhost, local, CIDR (e.g., 192.168.1.0/24), or IP/domain
Options: -p <ports>, -t <timeout>, --https
Config Scan:
bash
mcp-scan configsChecks: Claude Desktop, Cursor, Continue.dev, Windsurf, Zed configs
Full Scan:
bash
mcp-scan all <target>网络扫描:
bash
mcp-scan network <target>目标:localhost、local、CIDR(例如192.168.1.0/24),或IP/域名
选项:-p <端口>,-t <超时时间>,--https
配置扫描:
bash
mcp-scan configs检查范围:Claude Desktop、Cursor、Continue.dev、Windsurf、Zed的配置文件
全面扫描:
bash
mcp-scan all <target>Phase 3: Present Results
阶段3:呈现结果
- List servers with host, port, type, auth status
- Flag unprotected servers (requiresAuth: false)
- Provide remediation recommendations
- 列出服务器的主机、端口、类型、认证状态
- 标记未受保护的服务器(requiresAuth: false)
- 提供修复建议
Phase 4: Safety Review
阶段4:安全审查
Verify permission: Only scan networks you own or have explicit authorization.
Decline requests to scan unknown targets. Offer to scan owned systems instead.
权限验证: 仅扫描你拥有或已获得明确授权的网络。
拒绝请求:拒绝扫描未知目标的请求,改为提供扫描自有系统的服务。
Safety Guidelines
安全指南
What This Tool Does:
- Sends HTTP requests to detect MCP endpoints
- Reads local config files
- Reports authentication status
- Read-only (no modifications)
What This Tool Does NOT Do:
- Does not modify any files
- Does not execute commands from configs
- Does not send data to external servers
- Does not exploit vulnerabilities
本工具的功能:
- 发送HTTP请求以检测MCP端点
- 读取本地配置文件
- 报告认证状态
- 只读操作(不进行任何修改)
本工具不具备的功能:
- 不修改任何文件
- 不执行配置文件中的命令
- 不向外部服务器发送数据
- 不利用漏洞
Troubleshooting
故障排除
"mcp-scan: command not found"
-> Install: npm install -g @contextware/mcp-scan
"No servers found" but one is running
-> Try custom ports: -p 8080,9000
-> Or use --https flag
Scan times out
-> Increase timeout: -t 5000
“mcp-scan: command not found”
-> 解决方案:安装包:npm install -g @contextware/mcp-scan
“未找到服务器”但确实有服务器在运行
-> 尝试指定自定义端口:-p 8080,9000
-> 或使用--https标志
扫描超时
-> 增加超时时间:-t 5000