MCP Server Security: How to Audit Tools Your AI Agent Uses
Before connecting an MCP server to your AI agent, you should audit it. How to check permissions, data exposure, transport security, and common red flags.
MCP servers give AI agents access to your data, services, and infrastructure. That's powerful — and risky if you're not careful about which servers you connect. Before adding any MCP server to your workflow, here's how to audit it.
Quick Answer: To audit MCP server security, check the source, review permission scope, audit data flow, read the code, and test the server in isolation. Additionally, look for red flags like excessive permissions or sending data to unrelated domains.
Why MCP security matters
When you connect an MCP server, you're granting your AI agent access to whatever that server exposes. A database MCP server can read your production data. A GitHub server can access your private repos. A Slack server can read your team's messages. The agent uses these tools automatically based on context — you don't approve each individual call.
This means a compromised or poorly-built MCP server could expose sensitive data, make unauthorized changes, or leak information to unintended destinations.
The 5-point audit checklist
1. Check the source
Where did the server come from? Official servers maintained by the service provider (GitHub's own MCP server, Anthropic's reference servers) are generally safe. Community servers from unknown developers require more scrutiny.
Look at the GitHub repository. Check the contributor history, open issues, and how the maintainer responds to security reports. A server with one commit from an anonymous account is riskier than one with ongoing maintenance and a track record.
2. Review permission scope
Every MCP server requests certain permissions or access. Read the documentation and check what the server actually needs:
- Read-only vs read-write. If you only need the agent to query data, don't give the server write access.
- Scope of access. A filesystem server that requests access to your entire home directory when it only needs one project folder is over-permissioned.
- API key permissions. When the server requires an API key, create one with the minimum necessary permissions. Don't reuse your admin API key.
3. Audit data flow
Understand where your data goes when the server processes a request:
- Stdio servers run locally. Your data stays on your machine. These are inherently safer from a data exposure perspective.
- HTTP/SSE servers send data over the network. Ensure the connection uses HTTPS. Check if the server logs requests or sends telemetry.
- Third-party hosted servers route your data through someone else's infrastructure. Understand their data handling policies before connecting.
4. Read the code
For open-source MCP servers, read the source code before installing. It sounds tedious, but most MCP servers are small — typically a few hundred lines. Look for:
- Hardcoded URLs or endpoints that data might be sent to
- Logging that captures sensitive information
- Dependencies that seem unnecessary for the server's purpose
- Any code that modifies files outside its stated scope
5. Test in isolation
Before connecting a new server to your main development environment, test it on a throwaway project. Run it against non-sensitive data and monitor its behavior:
# Monitor network activity while the server runs
sudo tcpdump -i any -n port 443 &
# Start your agent with only the new server
claude --mcp-config test-config.json
Watch for unexpected network connections or file system access.
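A small config audit that mechanizes checks 2 and 3 above, as an added example that is not part of the original article and is not Agensi's scanner: it reads a Claude-style `mcpServers` config and flags non-HTTPS transports, hosts outside an allow-list, filesystem roots at or above a home directory, and secrets pasted inline. The sample config, hostnames and token value are constructed placeholders.

```python
import json
import os
from urllib.parse import urlparse

# Constructed sample in the {"mcpServers": {...}} layout used by Claude Desktop
# and Claude Code .mcp.json files. Values are placeholders, not real credentials.
SAMPLE_CONFIG = json.loads(r'''{
  "mcpServers": {
    "fs": {"command": "npx",
           "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/alice"]},
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_PLACEHOLDER_NOT_A_REAL_TOKEN"}},
    "tickets": {"url": "http://mcp.example-vendor.test/sse"}
  }
}''')

SECRET_HINTS = ("TOKEN", "SECRET", "KEY", "PASSWORD")

def is_broad_path(arg):
    """True when a path argument is the filesystem root or a whole home directory."""
    if arg.rstrip("/") == "~":
        return True
    if not arg.startswith("/"):
        return False  # flags, package names, relative paths: not a scope grant
    parts = [p for p in os.path.normpath(arg).split("/") if p]
    # "/" -> [], "/home" -> ["home"], "/Users/alice" -> ["Users", "alice"]
    return not parts or (parts[0] in ("home", "Users") and len(parts) <= 2)

def audit_mcp_config(config, expected_hosts=()):
    """Return (server, severity, message) findings for one MCP client config."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        # Check 3, data flow: remote servers must use TLS and talk to a host you expect.
        if "url" in spec:
            u = urlparse(spec["url"])
            if u.scheme != "https":
                findings.append((name, "high", f"remote transport is {u.scheme}, not https"))
            if expected_hosts and u.hostname not in expected_hosts:
                findings.append((name, "medium", f"host {u.hostname} is not in the allow-list"))
        # Check 2, scope: a filesystem root at or above $HOME is over-permissioned.
        for arg in spec.get("args", []):
            if is_broad_path(arg):
                findings.append((name, "high", f"{arg!r} exposes a whole home or root directory"))
        # Check 2, API keys: secrets pasted inline instead of injected as ${VAR} references.
        for key, value in spec.get("env", {}).items():
            if any(h in key.upper() for h in SECRET_HINTS) and not value.startswith("${"):
                findings.append((name, "medium", f"{key} is hardcoded; inject it from the environment with minimal scopes"))
    return findings
```

Run it against your own config with `audit_mcp_config(json.load(open(".mcp.json")), expected_hosts=(...))` and treat every "high" finding as a blocker before the server is enabled.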
Red flags to watch for
- Server requests more permissions than its purpose requires
- No source code available for inspection
- Server sends data to domains unrelated to its stated function
- Unmaintained project with known open security issues
- Dependencies with known vulnerabilities
Using curated registries
One way to reduce risk is using MCP servers from curated registries that perform security reviews. Agensi runs an automated 8-point security scan on all listed MCP servers and skills, checking for common issues like excessive permissions, suspicious dependencies, and data exposure risks. This doesn't replace your own review, but it catches the most common problems.
Ongoing security
Security isn't a one-time check. MCP servers update, dependencies change, and new vulnerabilities are discovered. Periodically review your connected servers, update them to the latest versions, and remove any you're no longer using. Every connected server is attack surface — keep it minimal.