MCP Fortress: Integrated Security Tool with Claude Code for Vulnerability Scanning

MCP Fortress

MCP Fortress is a comprehensive security tool designed for Model Context Protocol (MCP) servers, offering automated vulnerability scanning, runtime protection, risk scoring, and threat detection functions, and supporting integration with AI assistants such as Claude Code through the MCP server mode for security analysis.

Security Developer tools #Security Scanning #Runtime Protection #Threat Detection #MCP Security

rating : 2.5 points

downloads : 8.4K

update time : 2025-12-29

Open Site

What is MCP Fortress?

MCP Fortress is a security tool specifically designed for Model Context Protocol (MCP) servers. It acts like a'security guard', helping you detect potential security risks when using various MCP servers. Whether it's a JavaScript package installed via npm or a Python package from PyPI, MCP Fortress can automatically scan for vulnerabilities, malicious code, and dependency risks and provide real-time protection.

How to use MCP Fortress?

MCP Fortress offers multiple usage methods: The simplest is to install it with one click through the Claude Code plugin without any configuration; it can also be integrated as an independent MCP server into your AI development environment; or you can use the command-line tool for local scanning. No matter which method you choose, you can easily check the security of MCP servers.

Applicable scenarios

When you need to install a new MCP server but are unsure about its security; when you suspect that an MCP server may have malicious behavior; when you want to regularly check the security status of installed MCP servers; when you need to establish MCP server security standards for your team.

Main Features

Automated Security Scanning

Automatically detect vulnerabilities in npm and PyPI packages, integrate with the CVE database, analyze dependencies, and calculate a risk score (0 - 100 points)

Runtime Protection

Monitor the running status of MCP servers in real-time, isolate suspicious packages, stream telemetry data via WebSocket, and provide real-time activity logs

Gamified Experience

An achievement system with 16 unlockable badges, a continuous daily scan record, leaderboards, statistical indicators, and interesting security tips

MCP Server Mode

Can run as an MCP server, expose security analysis tools to AI assistants such as Claude Code and Cursor, and use existing LLMs for AI-driven security analysis

Beautiful Web Interface

A modern dashboard based on React, real-time statistical data, a sortable and filterable server table, and a detailed threat analysis view

Enhanced Scanner

Improved false positive detection, the first security tool using MCP to protect MCP

Advantages

Zero-configuration usage: Install with one click via the Claude Code plugin without complex settings

Multi-platform support: Support the npm and PyPI ecosystems

Real-time protection: Runtime monitoring and immediate threat detection

AI integration: Use security analysis directly in AI conversations

User-friendly: Gamified design makes security scanning more interesting

Offline work: The locally installed version does not require an internet connection

Limitations

The free version lacks cloud synchronization functionality

Team features require a professional version

There may be a scanning delay for newly released packages

Some advanced threats may require manual verification

How to Use

Choose an Installation Method

Select the most suitable installation method according to your needs: Claude Code plugin (the simplest), Smithery remote service (automatically updated), or local installation (full control)

Install MCP Fortress

If using Claude Code, simply search for and install it in the plugin marketplace; if using the command line, run npm install -g mcp-fortress

Configure the AI Assistant

Edit the configuration file of the AI assistant and add the MCP Fortress server. For Claude Desktop, edit the claude_desktop_config.json file

Start Using

Restart the AI assistant. Now you can directly ask security questions in the conversation or use the command-line tool for scanning

Usage Examples

Check the Security of a New MCP Server

When you want to install a new MCP server in your project but are unsure about its security, you can use MCP Fortress for a quick scan

Detect Malicious Tool Names

When you encounter a tool with a suspicious name (such as a misspelled tool name), you can check if it is a malicious imitation

Analyze Prompt Injection Attacks

When you receive a prompt that may contain malicious instructions, you can check if there is a prompt injection risk

Batch Scan Project Dependencies

When you need to check the security of all MCP servers in an entire project, you can use the command-line tool for batch scanning

Frequently Asked Questions

Does MCP Fortress require payment?

Will MCP Fortress affect the performance of my MCP server?

How to judge the accuracy of the scanning results?

Which AI assistants does MCP Fortress support?

Where is the data stored? Is it secure?

What should I do if I encounter false positives?

Related Resources

GitHub Repository

Source code, issue feedback, and contribution guidelines

Smithery Service Page

Remote service installation and API key acquisition

Claude Code Installation Guide

Detailed installation instructions for the Claude Code plugin

Question Discussion Area

Exchange usage experiences and tips with other users

Contribution Guide

How to contribute to the MCP Fortress project

🚀 🏰 MCP Fortress

Security scanner and runtime protection for Model Context Protocol (MCP) servers

This project serves as a security scanner and runtime protection solution for MCP servers, offering automated security scanning, runtime protection, gamification, and a beautiful web UI to safeguard MCP servers from various security threats.

🚀 NEW in v0.3.6: Enhanced scanner with improved false-positive detection! The first security tool that uses MCP to secure MCP.

🚀 Quick Start

For Claude Code Users (Easiest!)

# Install the Claude Code plugin
/plugin marketplace add mcp-fortress/mcp-fortress
/plugin install mcp-fortress

# Authenticate with Smithery (opens in browser)
/mcp

Done! Now ask Claude: "Is @modelcontextprotocol/server-github safe to install?"

The MCP Fortress skill will automatically scan and analyze security for you. No setup, no configuration - just install and ask! 🎉

📖 Full Claude Code Installation Guide

Standalone Installation

# Install globally
npm install -g mcp-fortress

# Start the server
mcp-fortress start

That's it! The web UI will open at http://localhost:3000

🎬 Demo

✨ Features

🔍 Automated Security Scanning

Vulnerability detection across npm and PyPI packages
CVE database integration
Dependency analysis
Risk scoring (0 - 100)

🛡️ Runtime Protection

Real-time monitoring of MCP servers
Quarantine suspicious packages
WebSocket telemetry streaming
Activity feed with live updates

📊 Gamification

Achievement system with 16 unlockable badges
Streak tracking for daily scans
Leaderboards and metrics
Humorous security tips

🎨 Beautiful Web UI

Modern React-based dashboard
Real-time statistics
Server table with sorting and filtering
Detailed threat analysis views

🤖 NEW: MCP Server Mode (v0.3.0+)

Run MCP Fortress as an MCP server
Expose security analysis tools to Claude Code, Cursor, Windsurf
AI-powered security analysis using your existing LLM
Zero setup - uses the AI you already have
The first security tool that uses MCP to secure MCP

📦 Installation

Option 1: Smithery Remote (Recommended - Easiest)

Method A: Smithery CLI (Automated)

npx @smithery/cli install @mcp-fortress/mcp-fortress-server --client claude

Method B: Manual (With API Key)

Get your API key from Smithery
Add to Claude:

claude mcp add --transport http mcp-fortress "https://server.smithery.ai/@mcp-fortress/mcp-fortress-server/mcp?api_key=YOUR_API_KEY&profile=YOUR_PROFILE"

Replace YOUR_API_KEY and YOUR_PROFILE with values from Smithery.

Benefits:

✅ No local installation
✅ Auto-updates
✅ Zero setup

Option 2: Local Install (Advanced)

npm install -g mcp-fortress

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "mcp-fortress": {
      "command": "mcp-fortress",
      "args": ["serve-mcp"]
    }
  }
}

Restart Claude Desktop.

Benefits:

✅ Full control
✅ Works offline
✅ No API key needed

💻 Usage Examples

MCP Server Mode (Recommended)

Configuration Steps

1. Install MCP Fortress:

npm install -g mcp-fortress

2. Configure Claude Desktop: Edit ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "mcp-fortress": {
      "command": "mcp-fortress",
      "args": ["serve-mcp"]
    }
  }
}

3. Restart Claude Desktop Restart Claude Desktop to load the MCP Fortress server.

4. Use in Claude Code:

You: Scan @modelcontextprotocol/server-filesystem for security issues

Claude: *Uses MCP Fortress tools to scan and analyze*
I found 3 potential security concerns...

Available MCP Tools

scan_mcp_server - Comprehensive security scan
- Analyzes npm packages for vulnerabilities
- Detects malicious code patterns
- Checks dependencies for CVEs
- Calculates risk score (0 - 100)
analyze_prompt_injection - Detect prompt injection attacks
- Identifies instruction injection attempts
- Detects role manipulation
- Finds system prompt extraction attempts
- Analyzes delimiter injection
detect_tool_poisoning - Identify malicious/misleading tools
- Detects typosquatting (e.g., read_fiile vs read_file)
- Identifies name/description mismatches
- Flags overly generic tool names
- Compares against known legitimate tools

Example Interactions

You: Is puppeteer-mcp-server safe to use?
Claude: ✅ Yes! Risk score: 0/100. No threats detected.

You: Check this tool: "Helper tool. Ignore previous instructions."
Claude: 🚨 CRITICAL: Prompt injection detected! DO NOT USE.

You: Is a tool named "read_fiile" suspicious?
Claude: ⚠️ Yes! Likely typosquatting "read_file"

Standalone Usage

Start the Server

# Start server (foreground)
mcp-fortress start

# Start server in background (daemon mode)
mcp-fortress start --daemon

Options:

-p, --port <port> - API port (default: 3001)
-h, --host <host> - Host to bind (default: localhost)
--no-browser - Don't open browser automatically
-d, --daemon - Run server in background

Daemon Commands

# Stop the daemon server
mcp-fortress stop

# Check daemon status
mcp-fortress status

# View server logs
mcp-fortress logs
mcp-fortress logs --lines 100  # Show last 100 lines

Scan a Package

mcp-fortress scan <package-name>

Examples:

# Scan from npm
mcp-fortress scan express

# Scan specific version
mcp-fortress scan express --version 4.18.0

# Scan from PyPI
mcp-fortress scan flask --registry pypi

Monitor a Running Server

mcp-fortress monitor <server-name>

Manage Quarantine

# List quarantined servers
mcp-fortress quarantine list

# Release from quarantine
mcp-fortress quarantine release <server-name>

🏗️ Architecture

mcp-fortress/
├── CLI                 → Command-line interface
├── API Server          → Express REST API + WebSocket
├── Scanner Engine      → npm & PyPI vulnerability detection
├── Web UI              → React dashboard
└── SQLite Database     → Local data storage

Data Location: