Paste an MCP server's tools/list response. Same regex / scoring engine that ships with the VyriAI control plane. Detection runs entirely in your browser.
15 regex signatures for instruction hijacking, sensitive paths (~/.ssh, AWS, /etc), cross-tool invocation, exfiltration hints. Combination escalation: hijack + sensitive path → critical.
Zero-width / bidi-override / soft-hyphen unicode in descriptions. Long base64 blobs that decode to instruction-like content (ignore, system, .ssh, /bin/).
Levenshtein distance ≤ 2 against the trusted MCP package list. Catches @modlecontextprotocol/..., server-fs, etc. Drops integrity score from 9.0 to 2.0.
Hard-block on 0.0.0.0 / non-loopback bindings. STDIO is local-process only. Private LAN bindings escalate to high.
Same engine as the browser scanner. Zero dependencies. Runs locally — no data leaves your machine.
# Scan a local tools.json
npx @vyriai/mcp-scan ./tools.json
# Pipe from stdin with publisher source
echo '{"tools":[...]}' | npx @vyriai/mcp-scan \
--source npm:@modelcontextprotocol/server-filesystem
# CI — block merge on BLOCK verdict (exit code 2)
npx @vyriai/mcp-scan tools.json --source npm:$MCP_PACKAGE
# Machine-readable output for scripting
npx @vyriai/mcp-scan tools.json --json | jq '.decision'
# Self-test (verify engine on a clean machine)
npx @vyriai/mcp-scan --self-test
0 allow ·
1 warn ·
2 block
The scanner you just used is ~15% of what ships with VyriAI. The full control plane gates every MCP tools/call with the same policy engine that governs your LLM traffic, with a SHA-256 audit chain auditors can verify.