Sigil: MCP Server Security Scanner

Open Source Security MCP TypeScript Python

Source: github.com/sigildev/sigil
Score: ★★★★½ (4.5/5)

What is Sigil?

Sigil is the first open-source security scanner that performs deep static source code analysis on MCP (Model Context Protocol) servers. Unlike existing tools that only scan tool descriptions, Sigil reads the actual source code to find vulnerabilities.

Why It Matters

MCP servers are the bridge between AI agents and the real world—file systems, databases, APIs, shell commands. They're also largely unaudited:

34% of MCP implementations use APIs prone to command injection
82% use file operations prone to path traversal
5.5% have active tool poisoning in their descriptions

Real-World Test: Sigil scanned 73 MCP servers on Smithery. Results: 66 passed (90%), 5 warnings, 2 FAILED with real security vulnerabilities.

Security Findings from the Scan

telegram-mcp: FAILED (Grade F)

12 security findings
Unrestricted file_path parameter in send_photo, send_video, send_document tools
LLM could call send_photo(chat, "/etc/passwd") and server would attempt to send it
Runs HTTP endpoints with verbose error output

mcp-sqlite-server: FAILED (Grade F)

9 security findings
Passes user-provided SQL to conn.execute() with only startswith("select") guard
Single-statement bypasses work: UNION-based schema extraction, pragma metadata access
Potentially load_extension() exploitation possible
Runs SSE on 0.0.0.0:8000 over plain HTTP with debug logging enabled

16 Security Rules (7 Categories)

Injection (3): Command Injection, SQL Injection, Path Traversal
Permissions (3): Overly Broad Capabilities, Unrestricted FS Access, Arbitrary Code Execution
Data Exfiltration (2): Env Variable Exposure, Credential Leakage
Input Validation (1): Missing Input Schema
Tool Description (1): Suspicious Descriptions (prompt injection)
Authentication (2): Hardcoded Credentials, Secrets in Config
Configuration (3): Debug Mode, Verbose Errors, Insecure Transport
Dependencies (1): Vulnerable Dependencies (via OSV.dev)

Trust Scoring

Score = 100 - penalties CRITICAL = -25 points each HIGH = -15 points each MEDIUM = -5 points each LOW = -2 points each A (90-100) = PASS B (70-89) = PASS C (50-69) = WARN D (30-49) = FAIL F (0-29) = FAIL

Usage

# Run without installing npx @sigildev/sigil . # Install globally npm install -g @sigildev/sigil # Scan and get JSON output sigil . --output json # SARIF for GitHub Code Scanning sigil . --output sarif > results.sarif # CI/CD gating (exit code 1 on FAIL) sigil .

Key Features

MIT licensed, no account required
No data sent to external services (except OSV.dev for CVE checks)
TypeScript and Python support
SARIF output for GitHub integration
Config file scanning (claude_desktop_config.json, .mcp.json)
Tool-handler scoped analysis (only flags code within MCP tool contexts)

Comparison

Feature	Sigil	Existing Tools
Analysis depth	Source code	Description scanning
Languages	TypeScript + Python	Runtime only
Trust scoring	0-100 + A-F	Pass/fail only
Config scanning	Yes	No
Cost	Free	Paid platforms

Added: 2026-04-02 | Source: Hacker News Ask HN