Scan MCP Servers
for Vulnerabilities
Vigile checks MCP servers for tool poisoning, data exfiltration, permission abuse, and obfuscation — before they reach your machine. Free trust scores for every server in the ecosystem.
Free. No account required. 200+ detection checks across the Vigile engine.
Install
Three ways to scan MCP servers
CLI Scanner
npx vigile-scan --allScans all MCP server configs on your machine. Finds Claude Desktop, Claude Code, Cursor, Windsurf, VS Code, and OpenClaw configurations automatically.
MCP Server
npx vigile-mcpAdd Vigile as an MCP server in Claude Code or Cursor. Query trust scores and scan servers directly from your AI agent.
Web Scanner
vigile.dev/scan-serverPaste a server name or URL into the web scanner for instant analysis. No install needed.
Detection
MCP-specific threat patterns
TP-001Tool Poisoning
Hidden instructions in tool descriptions that hijack agent behavior without user knowledge.
EX-003Data Exfiltration
Patterns targeting SSH keys, AWS credentials, .env files, and browser cookies.
PM-001Permission Abuse
Excessive filesystem, network, or code execution access beyond stated purpose.
OB-002Obfuscation
Base64 encoding, hex payloads, zero-width characters hiding malicious content.
Plus typosquatting detection and Sentinel runtime phone-home detection.
Trust Scores
Every MCP server gets a score
Vigile assigns a 0–100 trust score based on five weighted factors: code analysis (30%), dependency health (20%), permission safety (20%), behavioral stability (15%), and transparency (15%).
Search the trust registry →cursor-mcp
Trusted
web-scraper-mcp
Moderate
crypto-helper-mcp
Dangerous
For MCP Authors
Add a trust badge to your README
Show users your server is safe. The badge updates automatically when your trust score changes.
[](https://vigile.dev/server/your-server-name)Don't install MCP servers blind.
Scan before you install. Check trust scores. Monitor runtime behavior. Vigile is free for individual developers.