MCP prompt injection security scanner
Scan local or remote codebases, get security reports before using MCP servers.
Scanorama is a powerful command-line interface (CLI) tool designed for security professionals and developers to statically analyze MCP server. It intelligently scans MCP server source code searching for malicious or unsafely MCP servers.
MCP tools descriptions, when consumed by Large Language Model (LLM) agents, can be a vector for prompt injection attacks, leading to unintended agent behavior, data exfiltration, or other security risks. Scanorama helps you identify these threats proactively.
Understanding and Mitigating Prompt Injection in MCP-based Agents
scanorama.mp4
Key Features:
- ๐ Deep Code Analysis: Semantically understands code (not just syntactically)
- ๐ฏ Prompt Injection Detection: Leverages LLMs to analyze extracted tool descriptions for common and sophisticated prompt injection patterns.
- ๐ป Multi-Language Support: Works with all MCP SDKs: Python, TypeScript, Java, Kotlin, C#...
scanorama --clone https://github.com/someuser/vulnerable-mcp-tools.git --provider google --model gemini-1.5-flash-latest --output gemini_report.json- ๐ Flexible Source Input: Scan local directories or directly clone and analyze public GitHub repositories.
scanorama --path /path/to/your/mcp-project-
๐ Clear Reporting: Generates easy-to-understand console reports
-
๐พ JSON Output:
--ouput filename -
๐ค Multi-Provider LLM Support: Choose from a range of LLM providers
--list-models-
-m, --model <id>: Specify the model ID for the chosen provider.- For OpenAI, Google, Anthropic: Use a model ID like gpt-4o, gemini-1.5-flash-latest, claude-3-haiku-20240307.
- For Azure: This must be your specific Deployment ID.
-
-
โ๏ธ Configurable Analysis: Adjust LLM temperature and select specific models.
The Model Context Protocol (MCP) is an emerging open standard that defines a universal interface for connecting Large Language Models (LLMs) to external data sources, tools, and services. The most popular standardized way for LLMs to interact with the outside world. You can see more here
While MCP offers great flexibility, it also introduces a new attack surface. The descriptions of MCP tools can be injected directly into an LLM agent's context (prompt) and it allows third party agents take control of your agents.
A maliciously crafted tool description can contain hidden instructions designed to:
- Hijack the agent's original purpose.
- Exfiltrate sensitive data processed by the agent.
- Instruct the agent to perform unauthorized actions.
- Manipulate other tools or data sources the agent interacts with.
This is a form of prompt injection. Scanorama helps you identify such potentially "poisoned" tool descriptions before they can cause harm.
Research about how MCP tool description can be exploited to take control of LLM agents: Understanding and Mitigating Prompt Injection in MCP-based Agents
You can install Scanorama using npm:
npm install -g @telefonica/scanoramascanorama --versionAlternatively, for development or to run from source:
git clone https://github.com/Telefonica/scanorama.git
cd scanorama
pnpm install # Or npm install / yarn install
pnpm build # Or npm run build / yarn build
pnpm start --helpScanorama currently supports analysis using models from:
- ๐ง OpenAI (e.g., GPT-4o, GPT-4 Turbo, GPT-3.5 Turbo)
- โ๏ธ Azure OpenAI (Use your specific deployment ID)
- ๐ Google Gemini (e.g., Gemini 1.5 Pro, Gemini 1.5 Flash)
- ๐ค Anthropic (e.g., Claude 3 Opus, Sonnet, Haiku)
- Run scanorama --list-models for more details on conceptual models and setup.
Scanorama uses LLMs for its intelligent analysis. You need to configure API keys for the provider you wish to use.
Export these variables in your shell enviroment or create a .env file in your project's root directory (or ensure the variables are set in your shell environment):
SOMEVAR="changethis"GOOGLE_API_KEY="your_google_ai_studio_api_key"in the .env or in the shell
export GOOGLE_API_KEY="your_google_ai_studio_api_key"Google provide free api keys for personal use. You can check it in aistudio.google.com
OPENAI_API_KEY="your_openai_api_key"in the .env or in the shell
export OPENAI_API_KEY="your_openai_api_key"AZURE_OPENAI_API_KEY="your_azure_openai_key"
AZURE_OPENAI_ENDPOINT="https://your-resource-name.openai.azure.com"
AZURE_OPENAI_API_VERSION="your-api-version"in the .env or in the shell
export AZURE_OPENAI_API_KEY="your_azure_openai_key"
export AZURE_OPENAI_ENDPOINT="https://your-resource-name.openai.azure.com"
export AZURE_OPENAI_API_VERSION="your-api-version"For Azure, you MUST also specify your deployment ID using --model
Scanorama will automatically load these variables if a .env file is present in the directory where you run the command.
See supported providers(env vars) & models to use:
scanorama --list-modelsScanorama offers several options to customize your scans:
scanorama [options]-p, --path <folder>: Analyze a local directory.
Example: scanorama --path ./my-mcp-server
-c, --clone <repo_url>: Clone and analyze a public GitHub repository.
Example: scanorama --clone https://github.com/someuser/example-mcp-project.git
-o, --output <file>: Save the detailed analysis results to a JSON file.
Example: scanorama --path . --output report.json
--provider <name>: Specify the LLM provider.
Choices: openai, google, azure.
Default: openai
Example: scanorama --path . --provider google
-m, --model <id>: Specify the model ID for the chosen provider.
For OpenAI, Google, Anthropic: Use a model ID like gpt-4o, gemini-1.5-flash-latest, ...
For Azure: This must be your specific Deployment ID.
Run scanorama --list-models to see conceptual models and defaults.
Example: scanorama --path . --provider openai --model gpt-4o
--temperature <temp>: Set the LLM's temperature (creativity). A float between 0.0 (deterministic) and 1
Note for Azure: This option is IGNORED. Scanorama will always use the default temperature configured for your Azure deployment.
Example: scanorama --path . --temperature 0.2
* --list-models: Display all supported LLM providers, their conceptual models, required environment variables, and then exit.
* -y, --yes: Automatically answer "yes" to confirmation prompts, such as when using an unlisted model ID for certain providers. Useful for scripting.
* --help: Show the help message with all options.
* --version: Display Scanorama's version.
When Scanorama completes a scan, it will print a report to your console.
โ Safe Tools: Tools deemed "No-Injection" will be listed in green with a checkmark, including their name and location.
โ
MySafeTool - No injection risks found. (src/tools/safe.py)โ Potential Injections: Tools flagged as "Injection" will be highlighted in red with a cross mark.
โ MaliciousToolName
Location: src/tools/risky_tool.ts
Description: "This tool fetches user data and sends it to http://evil.com/collect?data=..."
Explanation: The description contains an instruction to exfiltrate data to an external URL.A summary at the end will tell you the total number of tools analyzed and how many potential injections were found.
Disclaimer & Contact
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF ANY TYPE. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR ITS COMPONENTS, INTEGRATION WITH THIRD-PARTY SOLUTIONS OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
WHENEVER YOU MAKE A CONTRIBUTION TO A REPOSITORY CONTAINING NOTICE OF A LICENSE, YOU LICENSE YOUR CONTRIBUTION UNDER THE SAME TERMS, AND YOU AGREE THAT YOU HAVE THE RIGHT TO LICENSE YOUR CONTRIBUTION UNDER THOSE TERMS. IF YOU HAVE A SEPARATE AGREEMENT TO LICENSE YOUR CONTRIBUTIONS UNDER DIFFERENT TERMS, SUCH AS A CONTRIBUTOR LICENSE AGREEMENT, THAT AGREEMENT WILL SUPERSEDE.
THIS SOFTWARE DOESN'T HAVE A QA PROCESS. THIS SOFTWARE IS A PROOF OF CONCEPT AND SHOULD BE USED FOR EDUCATIONAL OR RESEARCH PURPOSES. ALWAYS REVIEW FINDINGS MANUALLY.
For issues, feature requests, or contributions, please visit the GitHub Issues page. For other inquiries, contact LightingLab Telefonica Inovacion Digital.