mcp-scan + OWASP MCP Top 10: One-Command Supply Chain Security Audit Across All MCP Clients
Invariant Labs' mcp-scan is a zero-dependency CLI tool that auto-discovers MCP server configs from Claude Desktop, Cursor, Claude Code, Gemini CLI, and Windsurf, then scans every installed server's tool descriptions for prompt injection payloads, tool poisoning (hidden instructions in description fields invisible in the UI), rug-pull mutations, and cross-origin privilege escalations. OWASP published the MCP Top 10 in February 2026—a structured taxonomy of 10 critical attack classes from token leakage to shadow servers—making it the authoritative security checklist for production MCP deployments. Running npx @invariantlabs/mcp-scan is a sub-minute audit that surfaces findings mapped to OWASP MCP categories.
↳ Follow the thread