Every MCP server is untrusted code

You give MCP servers shell access, file access, and your credentials. We scanned 141 of them - 50% had critical vulnerabilities. Command injection in AWS. Live tokens in Cloudflare. Nobody checked before you installed.

Scan before install. Block at runtime.

MCP servers touch your filesystem, your shell, your credentials. The scanner catches vulnerabilities in source code before you install. The gateway inspects every tool call and blocks attacks in real time.
  • Scan before install
    60+ detection rules analyze source code, tool descriptions, and credentials. 12/12 known MCP CVEs detected. Run it on any server before installing.
  • Protect at runtime
    The gateway proxies every JSON-RPC message between your AI agent and MCP servers. Shell injection, SSRF, and credential theft are blocked before they execute.
  • Full audit trail
    Every tool call, every argument, every response is logged. Know exactly what your MCP servers are doing - forwarded, blocked, or alerted.

Real vulnerabilities in production servers

Not hypothetical threat models. 135 confirmed critical findings from scanning 141 MCP servers in active use. 93% precision, near-zero false positives.
  • Command Injection
    Blocks shell metacharacters, execSync with user input, os.system() calls. Found in Cloudflare, AWS, Microsoft, Desktop Commander.
  • Credential Theft
    Detects hardcoded AWS keys, API tokens, private keys, Bearer tokens. Blocks policy violations targeting .ssh, .aws, .env files.
  • Tool Description Poisoning
    Catches hidden instruction tags, unicode steganography, BiDi overrides, secrecy instructions, and cross-tool exfiltration patterns.
  • SSRF & Path Traversal
    Blocks metadata IP access (169.254.169.254), RFC 1918 ranges, and ../ path sequences. Caught broken SSRF checks in Context7 and Klavis.
  • Rug Pull Detection
    Tool descriptions are SHA-256 hashed at startup. Any mid-session change is flagged immediately. No other scanner does this.
  • Response Leakage
    Scans server responses for AWS keys, GitHub PATs, private keys, JWTs, database connection strings. Alerts without blocking.
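The gateway behaviour these bullets describe (inspecting tool-call arguments for shell metacharacters, blocking access to credential directories, alerting on secrets in responses, and pinning SHA-256 hashes of tool descriptions so a mid-session change is caught), as an added Python example. This is not Oxvault's code: the `Gateway` class, its verdict names, the regexes and the JSON-RPC session it processes are all constructed for the illustration, and the page does not publish Oxvault's actual rule set.

```python
"""Minimal MCP gateway inspector (added example, not Oxvault's code).

Every JSON-RPC message between the agent and the server is passed to
Gateway.inspect(), which returns one of "forward", "block" or "alert"
and appends the decision to an audit list.
"""
import hashlib
import json
import re

# Illustrative detection policy; constructed for this example.
SHELL_META = re.compile(r"[;&|`$<>\n]")
SENSITIVE_PATH = re.compile(r"(^|[\\/])\.(ssh|aws|env)([\\/]|$)")
SECRET_PATTERNS = {
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
}


def _strings(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


class Gateway:
    def __init__(self):
        self.pinned = {}   # tool name -> sha256 of the description seen at startup
        self.audit = []    # (verdict, reason, message) for every message seen

    def _record(self, verdict, reason, msg):
        self.audit.append((verdict, reason, msg))
        return verdict

    def inspect(self, raw: str) -> str:
        msg = json.loads(raw)
        result = msg.get("result")
        # Server -> agent: a tools/list result carries the tool descriptions.
        if isinstance(result, dict) and isinstance(result.get("tools"), list):
            return self._check_tools(msg)
        # Agent -> server: a tool invocation with user-influenced arguments.
        if msg.get("method") == "tools/call":
            return self._check_call(msg)
        # Server -> agent: any other result is scanned for leaked secrets.
        if "result" in msg:
            return self._check_response(msg)
        return self._record("forward", "", msg)

    def _check_tools(self, msg):
        for tool in msg["result"]["tools"]:
            name = tool["name"]
            digest = hashlib.sha256(tool.get("description", "").encode()).hexdigest()
            if name in self.pinned and self.pinned[name] != digest:
                return self._record("block", f"rug pull: description of '{name}' changed", msg)
            self.pinned.setdefault(name, digest)  # pin on first sight
        return self._record("forward", "", msg)

    def _check_call(self, msg):
        args = msg.get("params", {}).get("arguments", {})
        for s in _strings(args):
            if SHELL_META.search(s):
                return self._record("block", "shell metacharacters in tool argument", msg)
            if SENSITIVE_PATH.search(s):
                return self._record("block", "access to credential directory", msg)
        return self._record("forward", "", msg)

    def _check_response(self, msg):
        for s in _strings(msg["result"]):
            for kind, pat in SECRET_PATTERNS.items():
                if pat.search(s):
                    # Leakage is alerted on, not blocked, as the page describes.
                    return self._record("alert", f"possible {kind} in response", msg)
        return self._record("forward", "", msg)


def run_demo():
    """Run a constructed session through the gateway; returns (verdict, reason) pairs."""
    gw = Gateway()
    session = [
        # server advertises one tool; its description hash gets pinned
        {"jsonrpc": "2.0", "id": 1, "result": {"tools": [
            {"name": "run_build", "description": "Run the project build."}]}},
        # benign call
        {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
         "params": {"name": "run_build", "arguments": {"target": "all"}}},
        # argument smuggles a second shell command
        {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
         "params": {"name": "run_build", "arguments": {"target": "all; id"}}},
        # call that points at a credential file
        {"jsonrpc": "2.0", "id": 4, "method": "tools/call",
         "params": {"name": "read_file", "arguments": {"path": "/home/dev/.aws/credentials"}}},
        # response containing an AWS-style key (AWS's documented example key)
        {"jsonrpc": "2.0", "id": 5, "result": {"content": [
            {"type": "text", "text": "key=AKIAIOSFODNN7EXAMPLE"}]}},
        # same tool re-advertised mid-session with a changed description
        {"jsonrpc": "2.0", "id": 6, "result": {"tools": [
            {"name": "run_build", "description": "Run the project build (v2)."}]}},
    ]
    return [(gw.inspect(json.dumps(m)), gw.audit[-1][1]) for m in session]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, reason)
```

The pinning step is what makes rug-pull detection cheap: the gateway only needs to keep one digest per tool name, and a legitimate server that never rewrites its descriptions pays nothing for it.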

Get protected in 3 steps

Single binary, zero dependencies. Install and scan in 30 seconds.
  • Scan
    curl -fsSL https://oxvault.dev/install.sh | sh && oxvault scan github:user/mcp-server — scans source code, tool descriptions, and credentials. Works with GitHub repos, npm packages, and local projects.
  • Protect
    oxvault-gw wrap — one command wraps all your MCP clients. Claude Code, Cursor, VS Code, Windsurf. Every tool call inspected, injection blocked, credentials detected.
  • Monitor
    oxvault-gw log --follow — live audit trail. Every forwarded, blocked, and alerted message recorded. Know exactly what your MCP servers are doing.

Choose your security level

The scanner is free and open source. The gateway adds runtime protection for developers who don't trust MCP servers.
Scanner
Open source. Free forever.
$0
forever
  • 60+ detection rules
  • 12/12 known MCP CVE detection
  • Source code SAST analysis
  • Credential and secret detection
  • Tool description poisoning detection
  • Hash pinning for rug pull detection
  • SARIF + JSON output
  • GitHub Action for CI/CD
Pro
Runtime protection for developers.
$29
/month
Billed annually. $39/month if paid monthly.
  • Everything in Scanner
  • Gateway runtime proxy (stdio + HTTP/SSE)
  • Policy engine with custom rules
  • Rug-pull detection at runtime
  • Audit logging with viewer
  • SSRF-hardened HTTP proxy
  • Priority rule updates (48-hour CVE coverage)
  • Email support

141 servers scanned. Half had vulnerabilities.

135 confirmed critical findings across 37 servers. 93% precision - near-zero false positives. These are real vulnerabilities in production code.
Cloudflare MCP
CRITICAL - mcp-hardcoded-bearer-token
Hardcoded Bearer token found in source code. Authorization header with live API key committed to the repository.

AWS MCP (awslabs/mcp)
CRITICAL - 7 findings
exec() in sandbox runner with user-controlled input. os.system() and os.popen() calls. Unsafe pickle.load() deserialization.

Context7 (upstash/context7)
CRITICAL - mcp-ssrf-broken-check
startsWith() used to check for private IPs - ineffective on full URLs. SSRF bypass allows access to internal services.
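Why a prefix match is not an SSRF check, shown as an added Python example (not Context7's or Oxvault's code). `broken_check` reproduces the pattern the finding describes: `startsWith()` applied to the whole URL string, which never matches once a scheme precedes the host. `hardened_check` parses the URL, normalises IPv4-mapped IPv6 literals, and tests the host's addresses against the metadata IP and RFC 1918 ranges the gateway blocks; the `resolve` callback and the addresses it returns are constructed for the example so it runs offline.

```python
"""Broken prefix-based private-IP check next to a hardened one (added example)."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Ranges a gateway refuses to proxy to; constructed list for this example.
BLOCKED_NETS = [
    ip_network("169.254.169.254/32"),  # cloud instance metadata service
    ip_network("10.0.0.0/8"),          # RFC 1918
    ip_network("172.16.0.0/12"),       # RFC 1918
    ip_network("192.168.0.0/16"),      # RFC 1918
    ip_network("127.0.0.0/8"),         # loopback
    ip_network("::1/128"),             # IPv6 loopback
    ip_network("fc00::/7"),            # IPv6 unique local
]

PRIVATE_PREFIXES = ("10.", "172.16.", "192.168.", "169.254.", "127.")


def broken_check(url: str) -> bool:
    """The flagged pattern: prefix-match the raw URL string.

    Only a bare address like "10.0.0.1" ever matches; as soon as the
    input is a full URL ("http://10.0.0.1/") the scheme defeats the prefix.
    """
    return any(url.startswith(p) for p in PRIVATE_PREFIXES)


def hardened_check(url: str, resolve=None) -> bool:
    """Return True when the URL must be blocked.

    resolve(hostname) -> list of address strings is injected so the check
    can be exercised offline; a real deployment would use the resolver it
    will actually connect through and re-check after every redirect.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return True  # unexpected scheme or no host: fail closed
    host = parsed.hostname  # urlparse strips [] from IPv6 literals
    try:
        addrs = [ip_address(host)]
    except ValueError:
        if resolve is None:
            return True  # name we cannot resolve here: fail closed
        addrs = [ip_address(a) for a in resolve(host)]
    for addr in addrs:
        # ::ffff:169.254.169.254 would otherwise slip past the IPv4 ranges
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETS):
            return True
    return False


def compare(url: str, resolve=None):
    """Return (broken_verdict, hardened_verdict) for one URL."""
    return broken_check(url), hardened_check(url, resolve)


if __name__ == "__main__":
    # Constructed resolver: one public documentation address, one private.
    table = {"api.example.com": ["203.0.113.10"], "internal.example": ["10.0.0.5"]}
    for u in ("10.0.0.1", "http://10.0.0.1/", "http://169.254.169.254/",
              "http://[::ffff:169.254.169.254]/", "https://internal.example/"):
        print(u, compare(u, table.get))
```

The two results diverge exactly where it matters: the prefix check says "safe" for every full URL, while the parsed check blocks the metadata IP, the mapped-IPv6 form of it, and any hostname whose resolved address lands in a private range.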

Microsoft MCP
CRITICAL - mcp-cmd-injection
execSync with template literal interpolation - npm install ${packageName}. Direct command injection vector.

Desktop Commander
CRITICAL - 6 findings
6 command injection patterns via execSync with string concatenation across build scripts and system info collection.

Activepieces
CRITICAL - 17 findings
17 findings including command injection in Oracle thick mode setup and hardcoded AWS access keys in test shipping labels.

Frequently asked questions

Common questions about Oxvault, MCP security, and how the scanner and gateway work.

Your MCP servers haven't been audited.

50% of servers we scanned had critical vulnerabilities. The scanner is free. Find out in 30 seconds.