Security for MCP servers

Scan before install. Protect at runtime. 103 real servers scanned - 84% had vulnerabilities.

Two layers of protection

The scanner catches vulnerabilities before install. The gateway catches them at runtime - blocking attacks as they happen.
  • Scan before install
    60+ detection rules analyze source code, tool descriptions, and credentials. 12/12 known MCP CVEs detected. Run it on any server before installing.
  • Protect at runtime
    The gateway proxies every JSON-RPC message between your AI agent and MCP servers. Shell injection, SSRF, and credential theft are blocked before they execute.
  • Full audit trail
    Every tool call, every argument, every response is logged. Know exactly what your MCP servers are doing - forwarded, blocked, or alerted.

What Oxvault catches

Real vulnerabilities found in real MCP servers. Not theoretical - validated against 103 servers from the ecosystem.
  • Command Injection
    Blocks shell metacharacters, execSync with user input, os.system() calls. Found in Cloudflare, AWS, Microsoft, Desktop Commander.
  • Credential Theft
    Detects hardcoded AWS keys, API tokens, private keys, Bearer tokens. Blocks policy violations targeting .ssh, .aws, .env files.
  • Tool Description Poisoning
    Catches hidden instruction tags, unicode steganography, BiDi overrides, secrecy instructions, and cross-tool exfiltration patterns.
  • SSRF & Path Traversal
    Blocks metadata IP access (169.254.169.254), RFC 1918 ranges, and ../ path sequences. Caught broken SSRF checks in Context7 and Klavis.
  • Rug Pull Detection
    Tool descriptions are SHA-256 hashed at startup. Any mid-session change is flagged immediately. No other scanner does this.
  • Response Leakage
    Scans server responses for AWS keys, GitHub PATs, private keys, JWTs, database connection strings. Alerts without blocking.

Get protected in 3 steps

From zero to fully protected in under 2 minutes. No configuration needed.
  1. Scan
     Check any MCP server before installing. Scans source code, tool descriptions, and credentials. Works with GitHub repos, npm packages, and local projects.
  2. Protect
     One command wraps all your MCP clients - Claude Code, Cursor, VS Code, Windsurf. Every tool call is inspected against security policies and scanner rules.
  3. Monitor
     Watch the audit log in real time. Every forwarded, blocked, and alerted message is recorded. Know exactly what your MCP servers are doing.

Choose your security level

The scanner is free and open source. The gateway adds runtime protection for developers who don't trust MCP servers.
Scanner
Open source. Free forever.
$0 forever
  • 60+ detection rules
  • 12/12 known MCP CVE detection
  • Source code SAST analysis
  • Credential and secret detection
  • Tool description poisoning detection
  • Hash pinning for rug pull detection
  • SARIF + JSON output
  • GitHub Action for CI/CD
Pro
Runtime protection for developers.
$29/month, billed annually. $39/month if paid monthly.
  • Everything in Scanner
  • Gateway runtime proxy (stdio + HTTP/SSE)
  • Policy engine with custom rules
  • Rug-pull detection at runtime
  • Audit logging with viewer
  • SSRF-hardened HTTP proxy
  • Priority rule updates (48-hour CVE coverage)
  • Email support

Validated against 103 real servers

We scanned 103 real MCP servers from the ecosystem. 84% had security vulnerabilities. Here are some of the findings.
  • Cloudflare MCP
    CRITICAL - mcp-hardcoded-bearer-token. Hardcoded Bearer token found in source code. Authorization header with live API key committed to the repository.
  • AWS MCP (awslabs/mcp)
    CRITICAL - 7 findings. exec() in sandbox runner with user-controlled input. os.system() and os.popen() calls. Unsafe pickle.load() deserialization.
  • Context7 (upstash/context7)
    CRITICAL - mcp-ssrf-broken-check. startsWith() used to check for private IPs - ineffective on full URLs. SSRF bypass allows access to internal services.
  • Microsoft MCP
    CRITICAL - mcp-cmd-injection. execSync with template literal interpolation - npm install ${packageName}. Direct command injection vector.
  • Desktop Commander
    CRITICAL - 6 findings. 6 command injection patterns via execSync with string concatenation across build scripts and system info collection.
  • Activepieces
    CRITICAL - 17 findings. 17 findings including command injection in Oracle thick mode setup and hardcoded AWS access keys in test shipping labels.
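The Context7 finding above (a private-IP check built on startsWith() that never matches a full URL) is easy to reproduce and easy to fix. The following is an added example, not Oxvault's or Context7's code: the broken pattern beside a check that parses the URL first and tests the hostname against the metadata endpoint, RFC 1918, loopback and link-local ranges. DNS-name resolution is left out.

```javascript
// Added example, not Oxvault's code: the private-IP check pattern the
// Context7 finding describes, beside a version that parses the URL first.

const PRIVATE_PREFIXES = ["10.", "127.", "169.254.", "172.16.", "192.168."];

// Broken pattern: tests the raw string. A full URL begins with "http://",
// so "http://169.254.169.254/latest/meta-data/" is never flagged.
function isPrivateBroken(target) {
  return PRIVATE_PREFIXES.some((p) => target.startsWith(p));
}

// Returns the four octets of a dotted-quad IPv4 literal, or null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Hardened check: parse with the WHATWG URL class, take the hostname, and
// test the address ranges (RFC 1918, loopback, link-local including the
// 169.254.169.254 metadata endpoint). The parser also normalizes decimal
// and octal IPv4 forms such as "2130706433" back to "127.0.0.1".
function isBlockedDestination(target) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return true; // unparseable input is denied, not waved through
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host === "::1") return true;
  const o = parseIPv4(host);
  // A DNS name is not decided here; a gateway would resolve it and re-check
  // the resulting addresses before connecting (omitted from this example).
  if (!o) return false;
  return (
    o[0] === 10 ||
    o[0] === 127 ||
    o[0] === 0 ||
    (o[0] === 169 && o[1] === 254) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168)
  );
}
```

The 172.16.0.0/12 range is the one most often mis-encoded as a single "172.16." prefix; the octet comparison above covers 172.16 through 172.31.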

Don't trust MCP servers. Verify them.

84% of MCP servers have security vulnerabilities. Oxvault catches them before and during runtime. Free scanner, Pro gateway.