Public audit · 2026-04-24

modelcontextprotocol/inspector

Overall: F (0/100) · v0.2 scan · 6 axes · LLM prompt-injection probe

SkillAudit report — modelcontextprotocol/inspector

Scanned 2026-04-23 by SkillAudit v0.2 (static checks + LLM-assisted prompt-injection red-team).

Commit: adfcccc · Stars: 9541 · Days since last push: 1

LLM prompt-injection probe: no-tool-surface

Overall grade: F (0/100)

Axis	Score	Grade
security	0/100	F	❌
permissions	100/100	A	✅
credentials	100/100	A	✅
maintenance	90/100	A	✅
compatibility	100/100	A	✅
docs	90/100	A	✅

Security findings

Production sources:

HIGH cli/scripts/make-executable.js:15 — child_process.exec with template-string interpolation — argv is concat-built, not escaped

execSync(\chmod +x "${TARGET_FILE}"\);

HIGH cli/scripts/make-executable.js:15 — child_process.exec with string concatenation — argv is concat-built, not escaped

execSync(\chmod +x "${TARGET_FILE}"\);

HIGH client/src/App.tsx:709 — Template-string URL with interpolation — no validation possible on composed string

fetch(\${getMCPProxyAddress(config)}/config\, { headers })

WARN client/src/lib/hooks/useConnection.ts:371 — HTTP client call with user-controlled argument 'proxyHealthUrl' (validation markers present but not verified against this call-site)

const proxyHealthResponse = await fetch(proxyHealthUrl, { headers });

WARN client/src/lib/hooks/useConnection.ts:587 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

const response = await fetch(url, {

WARN client/src/lib/hooks/useConnection.ts:612 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

const response = await fetch(url, {

WARN client/src/lib/hooks/useConnection.ts:668 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

fetch(url, {

WARN client/src/lib/hooks/useConnection.ts:699 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

fetch(url, {

WARN client/src/lib/hooks/useConnection.ts:721 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

fetch(url, {

HIGH client/src/lib/proxyFetch.ts:115 — Template-string URL with interpolation — no validation possible on composed string

const proxyResponse = await fetch(\${proxyAddress}/fetch\, {

Test-site findings (lower weight): 8 total in test/ paths — first 3 shown

HIGH client/src/__tests__/proxyFetchEndpoint.test.ts:25 — Template-string URL with interpolation — no validation possible on composed string

const res = await fetch(\${baseUrl}/health\);

HIGH client/src/__tests__/proxyFetchEndpoint.test.ts:85 — Template-string URL with interpolation — no validation possible on composed string

const res = await fetch(\${baseUrl}/fetch\, {

HIGH client/src/__tests__/proxyFetchEndpoint.test.ts:99 — Template-string URL with interpolation — no validation possible on composed string

const res = await fetch(\${baseUrl}/fetch\, {

Permissions

_No findings on this axis._

Credentials

_No findings on this axis._

Maintenance

Production sources:

WARN (meta) — 217 open issues — triage backlog

217 open

Compatibility

_No findings on this axis._

Documentation

Production sources:

WARN README — README has no install section

no install section

Methodology

SkillAudit v0.2 clones the repo at the provided ref (default: default branch, HEAD) into an ephemeral sandbox, runs six static checks over .js/.ts/.py sources, queries the GitHub API for maintenance signals, and runs an LLM-assisted prompt-injection red-team over the MCP tool surface. Each axis is scored against the rubric at .

The prompt-injection axis extracts each server.tool(...) / @app.tool registration + the first ~60 lines of handler body, hands them to Claude Haiku 4.5 with a red-team system prompt, and asks for structured findings on untrusted-content flow into tool responses. One API call per scan, bounded at ~15K input tokens.

How to improve this grade

Security — static: validate tool-input URLs against an allowlist before fetch/axios calls; use execFile with argv arrays instead of exec with template strings; never pass untrusted strings to subprocess with shell=True.
Security — prompt injection: never return fetched web-page / file / email content verbatim in a tool response. Wrap with a framing marker (e.g., <untrusted-content>...</untrusted-content>), summarize rather than inline, and never let untrusted content share a turn with credentials or other tool output.
Credentials findings: redact env-var reads before log lines and error messages; treat any string that ends up in a tool response as public.
Maintenance: if the repo is inactive, document the maintenance model — "MCP tool, no breaking changes expected" is a legitimate signal.
Docs: add a README install + usage section with a copy-pasteable command; add a SECURITY.md with a disclosure channel.

_Report generated by skillaudit.dev_

Want your repo audited?

First 100 audits go to waitlist signups in order. The engine runs against public GitHub URLs today.

Join the waitlist →