tooltrust-scanner

module v0.3.4
Published: Apr 3, 2026 License: MIT

README

ToolTrust Scanner


Scan MCP servers for prompt injection, data exfiltration, and privilege escalation before your AI agent blindly trusts them.

🚨 Supply-Chain Incident Coverage (March 2026)

ToolTrust now detects and blocks confirmed supply-chain incidents including the LiteLLM / TeamPCP compromise and the malicious axios npm publish (axios@1.14.1, axios@0.30.4). For npm-backed MCP servers, ToolTrust now combines blacklist matches, lifecycle-script review, transitive lockfile recovery, and IOC matching such as plain-crypto-js to surface suspicious releases earlier.


Live UI


  • Browse the public directory: https://www.tooltrust.dev/
  • Look up historical grades for popular MCP servers
  • Review findings in a browser before installing or trusting a server

What it looks like

Scan Summary: 14 tools scanned | 13 allowed | 1 need approval | 0 blocked
Tool Grades: A×13  C×1
Findings by Severity: HIGH×1  MEDIUM×14  LOW×1 (16 total)

Flagged Tools:
• search_files  🟡 GRADE C  needs approval
  [AS-002] High: Network access declared
  [AS-011] Low: Missing rate-limit or timeout
  Action now: Keep this tool on manual approval until the risky capabilities are reviewed.

🤖 Let your AI agent scan its own tools

Add ToolTrust as an MCP server in your .mcp.json and your agent can audit every tool it has access to:

Note: First run downloads a ~10MB Go binary from GitHub Releases. Subsequent runs use the cached binary.

{
  "mcpServers": {
    "tooltrust": {
      "command": "npx",
      "args": ["-y", "tooltrust-mcp"]
    }
  }
}

Then ask your agent to run:

  • tooltrust_scan_config to scan all configured MCP servers
  • tooltrust_scan_server to scan one specific server
  • Full MCP tool list: Usage guide

🔍 What it catches

  • Prompt injection and tool poisoning hidden in descriptions
  • Excessive permissions such as exec, network, db, and fs
  • Supply-chain CVEs and known compromised package versions
  • Suspicious npm lifecycle scripts that execute during install
  • Suspicious npm IOC dependencies and indicators such as plain-crypto-js, reviewed install-script patterns, malicious domains, and URLs referenced from published package metadata
  • Dependency visibility gaps when an MCP server does not expose enough metadata for supply-chain analysis
  • Privilege escalation and arbitrary code execution patterns
  • Typosquatting, tool shadowing, and insecure secret handling
  • Missing rate-limit, timeout, or retry configuration on risky tools

ToolTrust now labels supply-chain coverage in scan output:

  • No dependency data
  • Declared by MCP metadata
  • Verified from local lockfile
  • Verified from remote lockfile
  • Repo URL available

For live local scans, ToolTrust also inspects common dependency artifacts on a best-effort basis when it can infer a project root from the launch command:

  • package-lock.json / npm-shrinkwrap.json
  • pnpm-lock.yaml
  • yarn.lock
  • go.sum
  • requirements.txt

For remote GitHub repos exposed via repo_url, ToolTrust also inspects common lockfiles for transitive dependency evidence:

  • package-lock.json
  • pnpm-lock.yaml
  • yarn.lock
  • go.sum
  • requirements.txt

Recent incident coverage includes:

  • LiteLLM 1.82.7 / 1.82.8 and related TeamPCP compromise indicators
  • Axios 1.14.1 / 0.30.4 malicious npm publish
  • npm metadata IOC detection for helper packages such as plain-crypto-js
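The lockfile inspection and incident coverage described above, as an added example that is not ToolTrust's own code: it parses the "packages" map of a package-lock.json (lockfileVersion 2/3), recovers transitive package names from nested node_modules keys, matches them against a constructed blocklist built from the releases named in this README, and returns the coverage label the scan output uses. The blocklist, the Finding type and the sample lockfile are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)
type Finding struct{ Package, Version, Reason string } // one lockfile entry that matched intel
// Constructed blocklists built from the releases the README names; not the project's rule data.
var badVersions = map[string]bool{"axios@1.14.1": true, "axios@0.30.4": true}
var iocPackages = map[string]bool{"plain-crypto-js": true}
// lockfile mirrors only the "packages" map of a lockfileVersion 2/3 package-lock.json.
type lockfile struct {
	Packages map[string]struct{ Version string } `json:"packages"`
}
// ScanPackageLock returns a coverage label plus matches. Keys look like "node_modules/a" or
// "node_modules/a/node_modules/b"; the text after the last "node_modules/" is the package name.
func ScanPackageLock(data []byte) (string, []Finding, error) {
	var lf lockfile
	if err := json.Unmarshal(data, &lf); err != nil || len(lf.Packages) == 0 {
		return "No dependency data", nil, err
	}
	var out []Finding
	for key, e := range lf.Packages {
		i := strings.LastIndex(key, "node_modules/")
		if i < 0 { // "" is the root project; other such keys are workspace directories
			continue
		}
		name := key[i+len("node_modules/"):] // scoped names keep their "@scope/" prefix
		switch {
		case badVersions[name+"@"+e.Version]:
			out = append(out, Finding{name, e.Version, "known malicious release"})
		case iocPackages[name]:
			out = append(out, Finding{name, e.Version, "IOC helper package"})
		}
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Package < out[b].Package }) // map order is random
	return "Verified from local lockfile", out, nil
}
// SampleLock is a constructed lockfile in which axios is only reachable transitively via "some-sdk".
var SampleLock = []byte(`{"lockfileVersion":3,"packages":{"": {"name":"demo","version":"1.0.0"},
 "node_modules/lodash": {"version":"4.17.21"}, "node_modules/some-sdk": {"version":"2.0.0"},
 "node_modules/some-sdk/node_modules/axios": {"version":"1.14.1"},
 "node_modules/plain-crypto-js": {"version":"1.0.0"}}}`)
func main() {
	label, findings, _ := ScanPackageLock(SampleLock)
	fmt.Println(label, findings)
}
```

A direct dependency on some-sdk would look clean on its own; only walking the nested keys surfaces the pinned axios release underneath it.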

Full rule catalog: docs/RULES.md · tooltrust.dev

Threat-intel and IOC promotion flow: docs/IOC_PIPELINE.md

Scanner scope guardrails: docs/SCANNER_SCOPE.md

More ways to use ToolTrust

Usage guide · Developer guide · Contributing · Changelog · Security · License: MIT © 2026 AgentSafe-AI

Directories

Path: Synopsis
cmd
  tooltrust-mcp (command): Package main provides the ToolTrust Scanner MCP Server — the meta-scanner.
internal
pkg
  adapter: Package adapter defines the protocol-agnostic Adapter interface and the registry used to select the correct adapter at runtime.
  adapter/mcp: Package mcp provides an Adapter that parses MCP tools/list responses.
  adapter/openai: Package openai provides an Adapter for the OpenAI Function Calling format.
  adapter/skills: Package skills provides an Adapter for the Markdown-based AI Skills format.
  analyzer: Package analyzer provides the scanning engine that runs a set of checkers over a UnifiedTool and produces a RiskScore.
  gateway: Package gateway derives enforcement policies from analyzer RiskScore values.
  sandbox: Package sandbox defines the interface for executing tools in an isolated environment.
  storage: Package storage persists ToolTrust Scanner results to a SQLite database.
