We built the security scanner we wished we had
It started with a feeling every security engineer knows: watching something powerful emerge and realizing nobody's watching the door.
It started with a feeling every security engineer knows: watching something powerful emerge and realizing nobody's watching the door.
AI agents are extraordinary. They reason, they act, they call tools, they fetch resources, and they do it across a sprawling web of MCP servers that most teams barely understand. Over the past few months, we watched the incidents pile up: tool poisoning, prompt injection, and cross-server shadowing. The attacks weren't theoretical anymore.
So we did what you do when the tools don't exist yet. We built one.
Why We Built MCP Armor
We tried the scanners that were out there. Some were too noisy, flooding teams with findings that didn't matter. Others were blind to how agents actually behave, treating MCP servers like static configs instead of living, breathing attack surfaces.
The core problem is straightforward: MCP connects your AI agents to tools, resources, and prompts from servers you may not fully control. A poisoned tool description, a shadowed server, or a subtle prompt injection buried in a resource can turn your agent into an attack vector. And most teams don't discover this until something breaks in production.
We needed something that could automatically discover MCP configurations across your environment (like Cursor, Windsurf, VS Code, and Claude Desktop), connect to those servers, inventory every tool and resource, and then run real security analysis against patterns that actually matter.
What It Does
MCP Armor scans your MCP servers for the threats that keep us up at night:
- Prompt injection and indirect prompt injection: Catch malicious instructions hiding in tool descriptions, arguments, and resource content.
- Cross-server tool shadowing: Detect when one server's tools masquerade as another's.
- Tool poisoning: Identify command injection and prompt injection embedded in tool metadata.
- Rug pull detection: Baseline your approved MCP components and receive alerts when something changes underneath you.
- Hardcoded secrets: Find API keys or credentials exposed in MCP configurations or resources.
It runs entirely locally. Your code and configurations never leave your machine. The prompt injection model runs on-device via Hugging Face. No cloud calls, no telemetry, no trust required.
Reports come out as clean JSON or Markdown to provide actionable findings, not walls of noise. Setup takes under two minutes.
Who It's For
If you're building agents, integrating MCP servers, or responsible for the security of AI-powered workflows, this is for you. We designed it for the people on the front lines: agent developers who want to ship safely, and security engineers who need visibility into a surface area that didn't exist two years ago.
Try It
pip install mcp-armor
mcp-armor scan
That's it. Point it at your environment and see what it finds.
We're releasing MCP Armor as open source because we believe the community building with MCP deserves tools that match the pace of innovation. The threats are real, and waiting for enterprise procurement cycles isn't an option.
Give it a try. Break it. Tell us what's missing. Join our Slack community and help us make it better.
The agents are getting smarter. The security tooling should be too.
MCP Armor is built by Aira Security. For teams that need runtime enforcement, policy-based blocking, and full agentic security beyond MCP, see the Aira platform in action.