Each MCP server is safe on its own. Together, they can do things you never authorized — and no individual server scanner catches it.
Real attack paths we detect
filesystem MCP: reads files from your Mac
fetch / web MCP: makes HTTP requests
Your SSH keys, .env files, source code — POSTed to an attacker
A hidden instruction in any webpage Claude visits tells it to read ~/.ssh/id_rsa and send it to attacker.com. Both servers are doing exactly what they're supposed to. The combination is the attack.
filesystem MCP: writes files anywhere
git MCP: runs git operations
Arbitrary shell commands executed on your machine
Claude writes a .gitattributes file with a filter that executes shell commands on checkout. It then uses the git MCP to trigger a git operation. Git's own filter mechanism runs the payload. Neither mcp-scan nor any individual server scanner catches this — it requires the combination.
filesystem / fetch MCP: reads external content
memory MCP: writes to AI persistent memory
Permanent backdoor in your AI's long-term memory
A malicious document or webpage injects a hidden instruction. Claude stores it in your AI memory server as a 'helpful reminder'. Every future Claude session starts poisoned — even months later, even in different contexts.
How it works
Upload your config: Paste or upload your claude_desktop_config.json
We map the graph: Every server pair is tested against 15 OWASP MCP risk rules
Share your seal: Get a shareable URL and README badge showing your config is checked
Find your config at ~/Library/Application Support/Claude/claude_desktop_config.json on Mac, or %APPDATA%\Claude\claude_desktop_config.json on Windows.
Takes about 30 seconds. We check every server combination against 15 OWASP MCP risk rules.
API keys and env vars are stripped before storage.
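To see what a pairwise check looks like locally, here is an added example (not this service's code, and not its 15 rules) that reads a claude_desktop_config.json and flags only the three server combinations described above. The keyword-to-capability map, the capability names and the sample config are assumptions made for illustration.

```python
import json
import re
from itertools import permutations

# Heuristic keyword -> capability map (an assumption for this sketch; a real
# tool would inspect each server's advertised tools instead of its name).
CAPS = {
    "filesystem": {"read_local", "write_local", "read_external"},
    "fetch": {"net_out", "read_external"},
    "git": {"git_ops"},
    "memory": {"persist_memory"},
}

# The three combinations described on this page: (capability A, capability B, risk).
RULES = [
    ("read_local", "net_out", "local files can be sent out over HTTP"),
    ("write_local", "git_ops", "written files can drive command execution via git"),
    ("read_external", "persist_memory", "injected text can persist in AI memory"),
]

def capabilities(name, spec):
    """Match whole tokens of the server name, command and non-path args against CAPS."""
    args = [str(a) for a in spec.get("args", []) if not str(a).startswith(("/", "~", "."))]
    text = " ".join([name, spec.get("command", ""), *args]).lower()
    tokens = set(re.split(r"[^a-z0-9]+", text))
    return set().union(*(CAPS[t] for t in tokens & CAPS.keys()))

def find_risky_pairs(config_text):
    """Return sorted (server_a, server_b, risk) for every ordered pair matching a rule."""
    servers = json.loads(config_text).get("mcpServers", {})
    caps = {n: capabilities(n, s) for n, s in servers.items()}
    hits = set()
    for a, b in permutations(caps, 2):
        for need_a, need_b, risk in RULES:
            if need_a in caps[a] and need_b in caps[b]:
                hits.add((a, b, risk))
    return sorted(hits)

# Constructed sample config (not a real user's file).
SAMPLE = json.dumps({"mcpServers": {
    "files": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/me"]},
    "web": {"command": "uvx", "args": ["mcp-server-fetch"]},
    "notes": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-memory"]},
}})

if __name__ == "__main__":
    for a, b, risk in find_risky_pairs(SAMPLE):
        print(f"{a} + {b}: {risk}")
```

Whole-token matching keeps a server whose package name contains "github" from being treated as a git server, but a name-based map still misses custom or renamed servers.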