tooltrust-scanner

# ToolTrust Scanner

[![CI](https://github.com/AgentSafe-AI/tooltrust-scanner/actions/workflows/ci.yml/badge.svg)](https://github.com/AgentSafe-AI/tooltrust-scanner/actions/workflows/ci.yml)
[![Security](https://github.com/AgentSafe-AI/tooltrust-scanner/actions/workflows/security.yml/badge.svg)](https://github.com/AgentSafe-AI/tooltrust-scanner/actions/workflows/security.yml)
[![GitHub stars](https://img.shields.io/github/stars/AgentSafe-AI/tooltrust-scanner?style=social)](https://github.com/AgentSafe-AI/tooltrust-scanner/stargazers)
[![Go Report Card](https://goreportcard.com/badge/github.com/AgentSafe-AI/tooltrust-scanner)](https://goreportcard.com/report/github.com/AgentSafe-AI/tooltrust-scanner)
[![tooltrust-scanner MCP server](https://glama.ai/mcp/servers/AgentSafe-AI/tooltrust-scanner/badges/score.svg)](https://glama.ai/mcp/servers/AgentSafe-AI/tooltrust-scanner)
[![npm](https://img.shields.io/npm/v/tooltrust-mcp?label=npm&color=blue)](https://www.npmjs.com/package/tooltrust-mcp)
[![npm downloads](https://img.shields.io/npm/dm/tooltrust-mcp?label=npm%20downloads)](https://www.npmjs.com/package/tooltrust-mcp)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)

**Scan MCP servers for prompt injection, data exfiltration, and privilege escalation before your AI agent blindly trusts them.**

> **🚨 Supply-Chain Incident Coverage (March 2026)**
> ToolTrust now detects and blocks confirmed supply-chain incidents including the LiteLLM / TeamPCP compromise and the malicious axios npm publish (`axios@1.14.1`, `axios@0.30.4`). For npm-backed MCP servers, ToolTrust now combines blacklist matches, lifecycle-script review, transitive lockfile recovery, and IOC matching such as `plain-crypto-js` to surface suspicious releases earlier.

![ToolTrust MCP demo](docs/mcp-demo.gif)

## Live UI

![ToolTrust Directory UI](docs/tooltrust-ui.png)

- Browse the public directory: [https://www.tooltrust.dev/](https://www.tooltrust.dev/)
- Look up historical grades for popular MCP servers
- Review findings in a browser before installing or trusting a server

## What it looks like

```
Scan Summary: 14 tools scanned | 13 allowed | 1 need approval | 0 blocked
Tool Grades: A×13  C×1
Findings by Severity: HIGH×1  MEDIUM×14  LOW×1 (16 total)

Flagged Tools:
• search_files  🟡 GRADE C  needs approval
  [AS-002] High: Network access declared
  [AS-011] Low: Missing rate-limit or timeout
  Action now: Keep this tool on manual approval until the risky capabilities are reviewed.
```

## 🤖 Let your AI agent scan its own tools

Add ToolTrust as an MCP server in your `.mcp.json` and your agent can audit every tool it has access to:

> **Note:** First run downloads a ~10MB Go binary from GitHub Releases. Subsequent runs use the cached binary.

```json
{
  "mcpServers": {
    "tooltrust": {
      "command": "npx",
      "args": ["-y", "tooltrust-mcp"]
    }
  }
}
```

Then ask your agent to run:

- `tooltrust_scan_config` to scan all configured MCP servers
- `tooltrust_scan_server` to scan one specific server
- Full MCP tool list: [Usage guide](docs/USAGE.md#mcp-tools)

## 🔍 What it catches

- Prompt injection and tool poisoning hidden in descriptions
- Excessive permissions such as `exec`, `network`, `db`, and `fs`
- Supply-chain CVEs and known compromised package versions
- Suspicious npm lifecycle scripts that execute during install
- Suspicious npm IOC dependencies and indicators such as `plain-crypto-js`, reviewed install-script patterns, malicious domains, and URLs referenced from published package metadata
- Dependency visibility gaps when an MCP server does not expose enough metadata for supply-chain analysis
- Privilege escalation and arbitrary code execution patterns
- Typosquatting, tool shadowing, and insecure secret handling
- Missing rate-limit, timeout, or retry configuration on risky tools

ToolTrust now labels supply-chain coverage in scan output:

- `No dependency data`
- `Declared by MCP metadata`
- `Verified from local lockfile`
- `Verified from remote lockfile`
- `Repo URL available`

For live local scans, ToolTrust will also best-effort inspect common dependency artifacts when it can infer a project root from the launch command:

- `package-lock.json` / `npm-shrinkwrap.json`
- `pnpm-lock.yaml`
- `yarn.lock`
- `go.sum`
- `requirements.txt`

For remote GitHub repos exposed via `repo_url`, ToolTrust also inspects common lockfiles for transitive dependency evidence:

- `package-lock.json`
- `pnpm-lock.yaml`
- `yarn.lock`
- `go.sum`
- `requirements.txt`

Recent incident coverage includes:

- LiteLLM `1.82.7` / `1.82.8` and related TeamPCP compromise indicators
- Axios `1.14.1` / `0.30.4` malicious npm publish
- npm metadata IOC detection for helper packages such as `plain-crypto-js`

Full rule catalog: [docs/RULES.md](docs/RULES.md) · [tooltrust.dev](https://www.tooltrust.dev/)

Threat-intel and IOC promotion flow: [docs/IOC_PIPELINE.md](docs/IOC_PIPELINE.md)
Scanner scope guardrails: [docs/SCANNER_SCOPE.md](docs/SCANNER_SCOPE.md)

## More ways to use ToolTrust

- CLI install, examples, and flags: [Usage guide](docs/USAGE.md#cli)
- Scan-before-install workflow: [Gate docs](docs/USAGE.md#gate)
- CI / GitHub Actions examples: [CI integration](docs/USAGE.md#github-actions)
- Pre-commit / alias setup: [Pre-hook integration](docs/USAGE.md#pre-hook-integration)

---

[Usage guide](docs/USAGE.md) · [Developer guide](docs/DEVELOPER.md) · [Contributing](docs/CONTRIBUTING.md) · [Changelog](CHANGELOG.md) · [Security](docs/SECURITY.md) · [License: MIT](LICENSE) © 2026 AgentSafe-AI