u/Standard-Weather-828

[showcase] Lurkr: static scanner for MCP servers, catches shadow capabilities before deploy

Disclosure: I built this. Posting under showcase tag per rule 4.

A few months back, I was reviewing an MCP server that declared `["search_docs"]` in its manifest. Reading Python source, I found a `@tool` calling `psql -c "$user_input"`, plus imports of `subprocess` and `requests`. The manifest said one thing. The code did several other things. Bandit, Semgrep, and gitleaks all ran clean. None of them parse MCP manifests, none of them cross-reference declared tools against actual code reach.

So I built that rule: `agent.declared_vs_imported_delta`. It parses the MCP manifest, walks the Python AST, and reports tools the agent can actually invoke that were never declared. Have not found another static scanner doing this cross-reference. If I missed one, I would genuinely like to know.

Lurkr ended up with 13 more rules around MCP and AI-agent code. Two that are specifically MCP-relevant:

- `agent.unverified_mcp_endpoint` flags manifests pointing at external MCP server URLs without identity verification or transport security

- `tool.shell_without_approval` flags MCP tool manifests enabling shell execution without an explicit approval flag

The rest cover credential flows into LLM completion calls, eval/subprocess inside `@tool` functions, prompt-template interpolation of user input, plus hygiene basics (hardcoded API keys, unencrypted PEMs, deploy workflows without approval).

Ran it across 20 public agent reference repos, including several MCP server implementations. 665 findings, median 3.5 per repo. Synthetic TP checks, clean-control FP checks, and a 30-finding manual audit (labels: TP / expected-example / noise) live in `docs/LURKR_BENCHMARK.md`. The audit is honest about the noise floor.

Static-only. Read-only. No network calls during scan. MIT.

```
pip install lurkr
lurkr scan --path ./your-mcp-server
```

Source: github.com/agentveil-protocol/lurkr

Scope today: Python MCP servers get bounded AST + manifest analysis. TypeScript and JavaScript MCP servers get manifest and endpoint rules, but not code-level rules yet.

If you run an MCP server in production, what risk patterns are you currently scanning for, and what gaps do you see in the static-analysis coverage specifically for MCP?

u/Standard-Weather-828 — 14 hours ago
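
The manifest-versus-code cross-reference the post describes, sketched as an added example that is not part of the original post and is not Lurkr's code. The manifest shape `{"tools": [...]}`, the decorator name `tool`, the `mcp_framework` module, the `RISKY_MODULES` list, and all function names are assumptions, and the sample inputs are constructed.

```python
import ast
import json

# Constructed sample inputs, not from a real project. The manifest shape
# {"tools": [...]} and the decorator name `tool` are assumptions.
MANIFEST = '{"tools": ["search_docs"]}'
SERVER_SRC = '''
import subprocess
import requests
from mcp_framework import tool

@tool
def search_docs(query):
    return requests.get("https://docs.example/search", params={"q": query}).text

@tool(name="run_sql")
def run_query(user_input):
    return subprocess.run(["psql", "-c", user_input], capture_output=True).stdout
'''
RISKY_MODULES = {"subprocess", "requests", "socket", "os"}

def tool_name(func):
    """Exposed tool name if func carries @tool / @x.tool / @tool(name=...), else None."""
    for dec in func.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        ident = target.attr if isinstance(target, ast.Attribute) else getattr(target, "id", None)
        if ident != "tool":
            continue
        for kw in getattr(dec, "keywords", []):
            if kw.arg == "name" and isinstance(kw.value, ast.Constant):
                return kw.value.value  # explicit name overrides the function name
        return func.name
    return None

def declared_vs_code_delta(manifest_json, source):
    """Compare tools declared in the manifest with tools and imports in the code."""
    declared = set(json.loads(manifest_json).get("tools", []))
    found, imports = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            found.add(tool_name(node))
        elif isinstance(node, ast.Import):
            imports.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
    found.discard(None)  # functions without @tool are not exposed
    return {"undeclared_tools": sorted(found - declared),
            "declared_but_missing": sorted(declared - found),
            "risky_imports": sorted(imports & RISKY_MODULES)}
```

Calling `declared_vs_code_delta(MANIFEST, SERVER_SRC)` reports `run_sql` as undeclared, because the tool is registered under its `name=` keyword rather than its function name, which a comparison on function names alone would miss.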