Scan an exposed MCP server before the agents do.
Trend Micro's April 2026 sweep found 492 MCP servers reachable on the open internet with no authentication and no controls, plus 1,184 malicious skills in one MCP marketplace. AI agents talking to these servers inherit whatever authority the server exposes — exec_command reachable from any browser tab is RCE-as-a-feature.
What this is — and isn't
What it does
- POSTs the MCP `initialize` handshake to the URL you give it.
- Calls `tools/list`, `resources/list`, `prompts/list` — read-only.
- Applies a small ruleset to flag dangerous tool names, missing schemas, sensitive resource paths, plaintext transport, permissive CORS, and the headline finding: no auth required.
- Returns a structured report. JSON is available for piping into CI; markdown is the human-readable view.
What it isn't
- Not an attack tool. Tool calls are never made. Calling `exec_command` to prove it executes is a deliberate non-feature.
- Not a comprehensive audit. False positives are likely (a tool named `query_inventory` trips the SQL pattern). The report exists to get a human to read four or five tool descriptions.
- Not stored. URLs and findings are not persisted. Each scan is ephemeral.
Rules applied
| ID | Severity | Trigger |
|---|---|---|
| NO_AUTH_REQUIRED | HIGH | `initialize` succeeds with zero auth headers |
| DANGEROUS_TOOL | HIGH | Tool name/description matches command / SQL / filesystem / SSRF / credential patterns |
| SENSITIVE_RESOURCE_EXPOSED | HIGH | Resource URI looks like `/etc/passwd`, `.env`, `.ssh/`, `.aws/credentials`, etc. |
| PLAINTEXT_TRANSPORT | MEDIUM | Non-loopback `http://` URL |
| PERMISSIVE_CORS | MEDIUM | `Access-Control-Allow-Origin: *` |
| TOOL_MISSING_SCHEMA | MEDIUM | Tool advertised with no `inputSchema` |
| TOOL_SCHEMA_OPEN | LOW | Tool object schema doesn't set `additionalProperties: false` |
| TOOL_LOOSE_STRING_FIELDS | LOW | Privileged tool has unconstrained string fields |
| SERVER_INFO_DISCLOSED | INFO | Server announces name / version |
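The following is an added example, not the scanner's own code (the page does not show its implementation). It walks the read-only procedure from "What it does" and applies every rule in the table above: one unauthenticated JSON-RPC `initialize` POST, then `tools/list` and `resources/list`, never `tools/call`. The protocol version string, the assumption that the server answers with a JSON body rather than an SSE stream, the regex pattern sets, the sample server and the `.example` URL are all constructed for this example; the sample deliberately includes the `query_inventory` false positive the page mentions so you can see why a human still has to read the tool descriptions.

```python
"""Read-only MCP exposure check: initialize + list calls, then the rule table."""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

PROTOCOL_VERSION = "2025-03-26"  # assumption: one published MCP protocol revision

# Assumed pattern sets, one per DANGEROUS_TOOL category; tune to your fleet.
DANGEROUS = {
    "command": r"\b(exec|shell|run_command|command|subprocess|bash|powershell)\b",
    "sql": r"\b(sql|query|database|db)\b",
    "filesystem": r"\b(read_file|write_file|delete|file|path|directory)\b",
    "ssrf": r"\b(fetch|http|url|request|curl|webhook)\b",
    "credential": r"\b(secret|token|password|credential|api_key|apikey)\b",
}
SENSITIVE_URI = re.compile(r"(/etc/passwd|\.env\b|\.ssh/|\.aws/credentials|id_rsa)")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def http_transport(url, body, headers):
    """One JSON-RPC POST over Streamable HTTP. Returns (status, headers, parsed JSON or None).
    Assumes a JSON reply; a text/event-stream reply would need an SSE parser instead."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json, text/event-stream", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as e:  # 401/403 here is the healthy outcome
        return e.code, dict(e.headers), None


def rpc(method, params, rid):
    return {"jsonrpc": "2.0", "id": rid, "method": method, "params": params}


def scan(url, transport=http_transport):
    findings = []

    def flag(rule, sev, detail):
        findings.append({"id": rule, "severity": sev, "detail": detail})

    parsed = urlparse(url)
    if parsed.scheme == "http" and parsed.hostname not in LOOPBACK:
        flag("PLAINTEXT_TRANSPORT", "MEDIUM", url)

    # Step 1: initialize with zero auth headers. A 200 with a result is the headline finding.
    init = rpc("initialize", {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                              "clientInfo": {"name": "mcp-exposure-check", "version": "0.1"}}, 1)
    status, hdrs, body = transport(url, init, {})
    hdrs = {k.lower(): v for k, v in hdrs.items()}
    if status != 200 or not body or "result" not in body:
        return {"url": url, "reachable_unauthenticated": False, "findings": findings}
    flag("NO_AUTH_REQUIRED", "HIGH", "initialize succeeded with no Authorization header")
    if hdrs.get("access-control-allow-origin") == "*":
        flag("PERMISSIVE_CORS", "MEDIUM", "Access-Control-Allow-Origin: *")
    info = body["result"].get("serverInfo", {})
    if info:
        flag("SERVER_INFO_DISCLOSED", "INFO", f"{info.get('name')} {info.get('version')}")
    # Reuse the session header the server may have assigned; tools/call is never sent.
    session = {"Mcp-Session-Id": hdrs["mcp-session-id"]} if "mcp-session-id" in hdrs else {}

    # Step 2: read-only enumeration, then the per-tool schema rules.
    _, _, tools = transport(url, rpc("tools/list", {}, 2), session)
    for tool in (tools or {}).get("result", {}).get("tools", []):
        name = tool.get("name", "")
        text = f"{name} {tool.get('description', '')}".lower()
        cats = [c for c, p in DANGEROUS.items() if re.search(p, text)]
        if cats:
            flag("DANGEROUS_TOOL", "HIGH", f"{name}: {','.join(cats)}")
        schema = tool.get("inputSchema")
        if not schema:
            flag("TOOL_MISSING_SCHEMA", "MEDIUM", name)
            continue
        if schema.get("type") == "object" and schema.get("additionalProperties") is not False:
            flag("TOOL_SCHEMA_OPEN", "LOW", name)
        loose = [n for n, p in schema.get("properties", {}).items()
                 if p.get("type") == "string"
                 and not any(k in p for k in ("enum", "pattern", "maxLength"))]
        if cats and loose:  # only privileged tools get this rule
            flag("TOOL_LOOSE_STRING_FIELDS", "LOW", f"{name}: {','.join(loose)}")

    _, _, res = transport(url, rpc("resources/list", {}, 3), session)
    for r in (res or {}).get("result", {}).get("resources", []):
        if SENSITIVE_URI.search(r.get("uri", "")):
            flag("SENSITIVE_RESOURCE_EXPOSED", "HIGH", r["uri"])
    return {"url": url, "reachable_unauthenticated": True, "findings": findings}


# Constructed sample server (no real host): answers the three read-only calls.
SAMPLE_SERVER = {
    "initialize": {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                   "serverInfo": {"name": "sample-mcp", "version": "0.0.1"}},
    "tools/list": {"tools": [
        {"name": "exec_command", "description": "Run a shell command on the host",
         "inputSchema": {"type": "object", "properties": {"cmd": {"type": "string"}}}},
        {"name": "query_inventory", "description": "SQL query over the parts table",
         "inputSchema": {"type": "object", "additionalProperties": False,
                         "properties": {"sku": {"type": "string", "pattern": "^[A-Z0-9-]+$"}}}},
        {"name": "get_weather", "description": "Current weather for a city"},
    ]},
    "resources/list": {"resources": [{"uri": "file:///home/app/.env", "name": "env"},
                                     {"uri": "file:///home/app/README.md", "name": "readme"}]},
}


def sample_transport(url, body, headers):
    """Offline stand-in for http_transport that replays SAMPLE_SERVER with permissive CORS."""
    reply = {"jsonrpc": "2.0", "id": body["id"], "result": SAMPLE_SERVER[body["method"]]}
    return 200, {"Access-Control-Allow-Origin": "*", "Mcp-Session-Id": "sample"}, reply


if __name__ == "__main__":
    print(json.dumps(scan("http://mcp-scan.example:8000/mcp", sample_transport), indent=2))
```

Against the sample server the report carries ten findings: `query_inventory` is flagged DANGEROUS_TOOL purely on the word "SQL" even though its schema is closed and its one string field is pattern-constrained, while `exec_command` collects DANGEROUS_TOOL, TOOL_SCHEMA_OPEN and TOOL_LOOSE_STRING_FIELDS together. Swap `sample_transport` for the default `http_transport` to run it against a host you own; a 401 from `initialize` ends the scan with `reachable_unauthenticated: false`, which is the outcome you want to see.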