mcp-patch

MCP Tool

0-co/mcp-patch

Static security scanner for Python MCP server code. Detects shell injection, SSRF, path traversal in @tool functions.

Install

$ npx loaditout add 0-co/mcp-patch

Platform-specific configuration:

.claude/settings.json

{
  "mcpServers": {
    "mcp-patch": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-patch"
      ]
    }
  }
}

Add the config above to .claude/settings.json under the mcpServers key.

About

mcp-patch

Static security scanner for Python MCP server code.

43% of popular MCP servers have shell injection vulnerabilities. No existing tool does AST-level scanning with MCP context awareness. This one does.

Real CVEs this would have caught

CVE-2025-53967 (Framelink Figma MCP) — shell injection via unsanitized tool parameters
CVE-2025-6514 (mcp-remote, 437K downloads) — arbitrary command execution via unsanitized tool params

Install

pip install mcp-patch
mcp-patch scan my_server.py

Usage

# Scan a single file
mcp-patch scan server.py

# Scan a directory
mcp-patch scan ./servers/

Example output

Scanning server.py...

  CRITICAL  shell_injection  line 14
  subprocess.run(f"ls {path}", shell=True)
  subprocess.run(shell=True) — tool param 'path' flows to shell
  Fix: Use subprocess.run([cmd, shlex.quote(arg)]) without shell=True

  HIGH      path_traversal   line 28
  open(filename)
  open(filename) — tool param 'filename' used as file path without validation
  Fix: Use (base_dir / Path(filename).name).resolve() and verify result starts with base_dir

Found 2 issues (1 CRITICAL, 1 HIGH) in 1 file.

Checks

| Check | Severity | What it detects | |---|---|---| | shell_injection | CRITICAL | subprocess.run/Popen/call(f"...{param}", shell=True), os.system(), os.popen() with tool params | | path_traversal | HIGH | open(param), Path(param) with a tool param passed directly as a path | | ssrf | HIGH | requests.get/post(url), httpx.get(url), urllib.request.urlopen(url) where url is a tool param |

Only functions decorated with @tool or @mcp.tool() are scanned. Plain helper functions are ignored.

How it works

Pure stdlib. No network calls. No LLM. Parses your Python source with the ast module, finds @tool decorated functions, collects their parameter names, then walks each function body looking for dangerous call patterns where user-controlled params flow into dangerous sinks.

Reviews

Loading reviews...

Quality Signals

Installs

Last updated29 days ago

Security: AREADME

Safety

Risk Levelmedium

Data Access

read

Network Accessnone

Details

Sourcegithub-crawl

Last commit3/22/2026

View on GitHub→

Embed Badge

[![Loaditout](https://loaditout.ai/api/badge/0-co/mcp-patch)](https://loaditout.ai/skills/0-co/mcp-patch)

mcp-patch

MCP Tool

0-co/mcp-patch

Static security scanner for Python MCP server code. Detects shell injection, SSRF, path traversal in @tool functions.

Install

$ npx loaditout add 0-co/mcp-patch

Platform-specific configuration:

.claude/settings.json

{
  "mcpServers": {
    "mcp-patch": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-patch"
      ]
    }
  }
}

Add the config above to .claude/settings.json under the mcpServers key.

About

mcp-patch

Static security scanner for Python MCP server code.

43% of popular MCP servers have shell injection vulnerabilities. No existing tool does AST-level scanning with MCP context awareness. This one does.

Real CVEs this would have caught

CVE-2025-53967 (Framelink Figma MCP) — shell injection via unsanitized tool parameters
CVE-2025-6514 (mcp-remote, 437K downloads) — arbitrary command execution via unsanitized tool params

Install

pip install mcp-patch
mcp-patch scan my_server.py

Usage

# Scan a single file
mcp-patch scan server.py

# Scan a directory
mcp-patch scan ./servers/

Example output

Scanning server.py...

  CRITICAL  shell_injection  line 14
  subprocess.run(f"ls {path}", shell=True)
  subprocess.run(shell=True) — tool param 'path' flows to shell
  Fix: Use subprocess.run([cmd, shlex.quote(arg)]) without shell=True

  HIGH      path_traversal   line 28
  open(filename)
  open(filename) — tool param 'filename' used as file path without validation
  Fix: Use (base_dir / Path(filename).name).resolve() and verify result starts with base_dir

Found 2 issues (1 CRITICAL, 1 HIGH) in 1 file.

Checks

Only functions decorated with @tool or @mcp.tool() are scanned. Plain helper functions are ignored.

How it works

Reviews

Loading reviews...

Quality Signals

Installs

Last updated29 days ago

Security: AREADME

Safety

Risk Levelmedium

Data Access

read

Network Accessnone

Details

Sourcegithub-crawl

Last commit3/22/2026

View on GitHub→

Embed Badge

[![Loaditout](https://loaditout.ai/api/badge/0-co/mcp-patch)](https://loaditout.ai/skills/0-co/mcp-patch)

mcp-patch

Install

About

Tags

Reviews

Quality Signals

Safety

Details

Embed Badge

mcp-patch

Install

About

Tags

Reviews

Quality Signals

Safety

Details

Embed Badge