tooltrust-mcp

tooltrust-mcp

Scans MCP servers for prompt injection, supply chain attacks, excessive permissions, and code execution risks. Includes an offline blacklist that catches known-compromised packages like LiteLLM 1.82.7/1.82.8 and Trivy with zero latency.

Category
Visit Server

README

ToolTrust Scanner

CI Security Go Report Card License: MIT

Scan MCP servers for prompt injection, data exfiltration, and privilege escalation before your AI agent blindly trusts them.

๐Ÿšจ Urgent Security Update (March 24, 2026) ToolTrust now detects and blocks the LiteLLM / TeamPCP supply chain exploit. If you are adding MCP servers that rely on litellm (v1.82.7/8), ToolTrust will trigger a CRITICAL Grade F warning and block installation to protect your SSH/AWS keys.

ToolTrust Scanner demo

๐Ÿค– Let your AI agent scan its own tools

Add ToolTrust as an MCP server in your .mcp.json and your agent can audit every tool it has access to:

{
  "mcpServers": {
    "tooltrust": {
      "command": "npx",
      "args": ["-y", "tooltrust-mcp"]
    }
  }
}

Then ask your agent to run tooltrust_scan_config โ€” it reads your MCP config and scans all servers in parallel.

Tool Description
tooltrust_scan_config Scan all servers in your .mcp.json or ~/.claude.json in parallel
tooltrust_scan_server Launch and scan a specific MCP server
tooltrust_scanner_scan Scan a JSON blob of tool definitions
tooltrust_lookup Look up a server's trust grade from the ToolTrust Directory
tooltrust_list_rules List all 12 security rules with IDs and descriptions

๐Ÿ’ป CLI

# Install
curl -sfL https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-scanner/main/install.sh | bash

# Scan any MCP server
tooltrust-scanner scan --server "npx -y @modelcontextprotocol/server-filesystem /tmp"

# Scan-then-install: gate checks a server before adding it to your config
tooltrust-scanner gate @modelcontextprotocol/server-memory -- /tmp

<details> <summary>Other install methods</summary>

# Go install
go install github.com/AgentSafe-AI/tooltrust-scanner/cmd/tooltrust-scanner@latest

# Homebrew
brew install AgentSafe-AI/tap/tooltrust-scanner

# Specific version
curl -sfL https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-scanner/main/install.sh | VERSION=vX.Y.Z bash

</details>

๐Ÿšช Gate: scan-before-install

tooltrust-scanner gate scans an MCP server before installing it. Grade A/B auto-installs, C/D prompts for confirmation, F blocks entirely.

# Scan and install if safe (writes .mcp.json)
tooltrust-scanner gate @modelcontextprotocol/server-memory -- /tmp

# Dry run โ€” scan only, don't install
tooltrust-scanner gate --dry-run @modelcontextprotocol/server-filesystem -- /tmp

# Block anything below grade B
tooltrust-scanner gate --block-on B @some/package

# Install to user config (~/.claude.json) instead of project
tooltrust-scanner gate --scope user @some/package

# Override the server name in config
tooltrust-scanner gate --name my-server @some/package

# Force install regardless of grade (with warning)
tooltrust-scanner gate --force @some/package
Flag Default Description
--name derived from package Server name in config
--dry-run false Scan only, don't install
--block-on F Minimum grade that blocks: F, D, C, B
--scope project project (.mcp.json) or user (~/.claude.json)
--force false Bypass grade check
--deep-scan false Enable AI-based semantic analysis
--rules-dir built-in Custom YAML rules directory

Exit codes: 0 = installed (or dry-run), 1 = blocked by policy, 2 = error.

๐Ÿ”— Pre-Hook Integration

Shell alias

Replace claude mcp add with tooltrust-scanner gate so every install is scanned first:

alias mcp-add='tooltrust-scanner gate'
# mcp-add @modelcontextprotocol/server-memory -- /tmp

Git pre-commit hook

If .mcp.json is checked into your repo, scan it on every commit:

# .git/hooks/pre-commit
#!/bin/sh
if git diff --cached --name-only | grep -q '\.mcp\.json'; then
  tooltrust-scanner scan --input .mcp.json --fail-on block || exit 1
fi

๐Ÿ” What it catches

ID Severity Detects
AS-001 Critical Prompt poisoning / injection in tool descriptions
AS-002 High/Low Excessive permissions (exec, network, db, fs)
AS-003 High Scope mismatch (name contradicts permissions)
AS-004 High/Crit Supply chain CVEs via OSV
AS-005 High Privilege escalation (admin scopes, sudo)
AS-006 Critical Arbitrary code execution
AS-007 Info Missing description or schema
AS-008 Critical Known-compromised package versions โ€” offline blacklist (TeamPCP/litellm, trivy, langflow) with zero latency
AS-009 Medium Typosquatting (edit-distance impersonation)
AS-010 Medium Insecure secret handling in params
AS-011 Low Missing rate-limits or timeouts
AS-013 High/Med Tool shadowing (duplicate name hijacking)

๐Ÿค GitHub Actions

- name: Audit MCP Server
  uses: AgentSafe-AI/tooltrust-scanner@main
  with:
    server: "npx -y @modelcontextprotocol/server-filesystem /tmp"
    fail-on: "approval"

Developer guide ยท Contributing ยท Changelog ยท Security ยท License: MIT ยฉ 2026 AgentSafe-AI

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured