What is MCP Security Scanning?

Adding an MCP server to a client is closer to installing a browser extension than calling an API: the server's tool descriptions enter the model's context, and its tools run with whatever access the host grants. Scanning before adoption is the only point where you can evaluate a server without already being exposed to it.

A useful scan covers three layers:

• Tool description review — descriptions are untrusted text injected into the prompt, so scanning checks them for embedded instructions, hidden characters, and behaviour-steering language (the vector behind tool poisoning and line jumping).
• Permission and capability analysis — what does each tool actually reach? File system, network egress, shell execution, credentials. Static analysis of the server's source or package often reveals more than the description claims.
• Risk classification — mapping each tool to a risk category (read, write, destructive, exfiltration-capable) so policy decisions can be made per tool rather than per server.

Dynamic analysis complements this: running the server in isolation and introspecting its live tools/list output catches discrepancies between published metadata and actual behaviour, and re-scanning over time catches servers whose tools change after gaining trust.

This is PolicyLayer's catalogue in practice. The crawler at policylayer.com/tools continuously scans public MCP servers — static analysis of package source, README extraction, and live introspection — and publishes per-tool risk classifications you can review before adopting a server. For your own fleet, the npx policylayer CLI scanner analyses the servers in your local MCP configuration and generates policy suggestions from the findings, which the gateway then enforces at call time.