README
¶
ToolTrust Scanner
Scan MCP servers for prompt injection, data exfiltration, and privilege escalation before your AI agent blindly trusts them.
🤖 Let your AI agent scan its own tools
Add ToolTrust as an MCP server in your .mcp.json and your agent can audit every tool it has access to:
{
"mcpServers": {
"tooltrust": {
"command": "npx",
"args": ["-y", "tooltrust-mcp"]
}
}
}
Then ask your agent to run tooltrust_scan_config — it reads your MCP config and scans all servers in parallel.
| Tool | Description |
|---|---|
tooltrust_scan_config |
Scan all servers in your .mcp.json or ~/.claude.json in parallel |
tooltrust_scan_server |
Launch and scan a specific MCP server |
tooltrust_scanner_scan |
Scan a JSON blob of tool definitions |
tooltrust_lookup |
Look up a server's trust grade from the ToolTrust Directory |
tooltrust_list_rules |
List all 11 security rules with IDs and descriptions |
💻 CLI
# Install
curl -sfL https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-scanner/main/install.sh | bash
# Scan any MCP server
tooltrust-scanner scan --server "npx -y @modelcontextprotocol/server-filesystem /tmp"
Other install methods
# Go install
go install github.com/AgentSafe-AI/tooltrust-scanner/cmd/tooltrust-scanner@latest
# Homebrew
brew install AgentSafe-AI/tap/tooltrust-scanner
# Specific version
curl -sfL https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-scanner/main/install.sh | VERSION=vX.Y.Z bash
🔍 What it catches
| ID | Severity | Detects |
|---|---|---|
| AS-001 | Critical | Prompt poisoning / injection in tool descriptions |
| AS-002 | High/Low | Excessive permissions (exec, network, db, fs) |
| AS-003 | High | Scope mismatch (name contradicts permissions) |
| AS-004 | High/Crit | Supply chain CVEs via OSV |
| AS-005 | High | Privilege escalation (admin scopes, sudo) |
| AS-006 | Critical | Arbitrary code execution |
| AS-007 | Info | Missing description or schema |
| AS-009 | Medium | Typosquatting (edit-distance impersonation) |
| AS-010 | Medium | Insecure secret handling in params |
| AS-011 | Low | Missing rate-limits or timeouts |
| AS-013 | High/Med | Tool shadowing (duplicate name hijacking) |
🤝 GitHub Actions
- name: Audit MCP Server
uses: AgentSafe-AI/tooltrust-scanner@main
with:
server: "npx -y @modelcontextprotocol/server-filesystem /tmp"
fail-on: "approval"
Developer guide · Contributing · Changelog · Security · License: MIT © 2026 AgentSafe-AI
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
tooltrust-mcp
command
Package main provides the ToolTrust Scanner MCP Server — the meta-scanner.
|
Package main provides the ToolTrust Scanner MCP Server — the meta-scanner. |
|
tooltrust-scanner
command
|
|
|
internal
|
|
|
pkg
|
|
|
adapter
Package adapter defines the protocol-agnostic Adapter interface and the registry used to select the correct adapter at runtime.
|
Package adapter defines the protocol-agnostic Adapter interface and the registry used to select the correct adapter at runtime. |
|
adapter/mcp
Package mcp provides an Adapter that parses MCP tools/list responses.
|
Package mcp provides an Adapter that parses MCP tools/list responses. |
|
adapter/openai
Package openai provides an Adapter for the OpenAI Function Calling format.
|
Package openai provides an Adapter for the OpenAI Function Calling format. |
|
adapter/skills
Package skills provides an Adapter for Markdown-based AI Skills format.
|
Package skills provides an Adapter for Markdown-based AI Skills format. |
|
analyzer
Package analyzer provides the scanning engine that runs a set of checkers over a UnifiedTool and produces a RiskScore.
|
Package analyzer provides the scanning engine that runs a set of checkers over a UnifiedTool and produces a RiskScore. |
|
gateway
Package gateway derives enforcement policies from analyzer RiskScore values.
|
Package gateway derives enforcement policies from analyzer RiskScore values. |
|
sandbox
Package sandbox defines the interface for executing tools in an isolated environment.
|
Package sandbox defines the interface for executing tools in an isolated environment. |
|
storage
Package storage persists ToolTrust Scanner results to a SQLite database.
|
Package storage persists ToolTrust Scanner results to a SQLite database. |
Click to show internal directories.
Click to hide internal directories.