DOCUMENTATION
Complete reference for MCPShield
PACKAGES
MCPShield is published as a monorepo with three packages:
| Package | Description | npm Link |
|---|---|---|
@kellyclaude/mcpshield |
Main CLI tool | View on npm |
@kellyclaude/mcpshield-core |
Core types and clients | View on npm |
@kellyclaude/mcpshield-scanner |
Security scanning engine | View on npm |
CLI REFERENCE
mcp-shield init
Initialize MCPShield in your project.
mcp-shield init [options]OPTIONS
| Flag | Description |
|---|---|
--force |
Overwrite existing files |
CREATES
mcp.lock.json- Empty lockfilepolicy.yaml- Default policy configuration
mcp-shield add
Add an MCP server with verification and security scanning.
mcp-shield add <server-name> [options]ARGUMENTS
server-name- Namespace of the server (e.g.,io.github.user/repo)
OPTIONS
| Flag | Description |
|---|---|
-y, --yes |
Skip confirmation prompts |
--skip-scan |
Skip security scan (not recommended) |
--version <ver> |
Specify exact version to add |
WORKFLOW
- Fetch metadata from MCP Registry
- Verify namespace ownership (GitHub)
- Download artifacts (npm/PyPI packages)
- Compute SHA-512 digests
- Run security scan
- Display results and prompt for approval
- Add to
mcp.lock.json
mcp-shield verify
Re-verify all servers in the lockfile.
mcp-shield verify [options]OPTIONS
| Flag | Description |
|---|---|
--server <name> |
Verify specific server only |
--strict |
Exit with error on any drift |
CHECKS
- Download artifacts from cache or registry
- Recompute digests
- Compare against lockfile
- Report drift if detected
mcp-shield scan
Run comprehensive security scan on all servers.
mcp-shield scan [options]OPTIONS
| Flag | Description |
|---|---|
--server <name> |
Scan specific server only |
--json |
Output results as JSON |
--verbose |
Show detailed findings |
SECURITY CHECKS
- Typosquatting - Levenshtein distance against popular packages
- Code Patterns - Detect eval(), exec(), child_process
- Network Calls - Identify suspicious remote connections
- Install Scripts - Flag dangerous lifecycle hooks
- Dependencies - Scan transitive dependencies
LOCKFILE SPECIFICATION
The mcp.lock.json file uses this schema:
{
"version": "1.0.0",
"generatedAt": "2026-02-05T15:30:00.000Z",
"servers": {
"<namespace>": {
"namespace": "string",
"version": "string",
"verified": boolean,
"verificationMethod": "github" | "npm" | "pypi" | null,
"verifiedOwner": "string" | null,
"fetchedAt": "ISO8601 timestamp",
"artifacts": [
{
"type": "npm" | "pypi" | "docker",
"url": "string",
"digest": "sha512-...",
"size": number
}
]
}
}
}FIELDS
| Field | Type | Description |
|---|---|---|
namespace |
string | Unique identifier (e.g., io.github.user/repo) |
version |
string | Semantic version |
verified |
boolean | Whether namespace ownership was verified |
verificationMethod |
string | How namespace was verified (github, npm, pypi) |
artifacts |
array | Downloadable artifacts with digests |
POLICY CONFIGURATION
The policy.yaml file defines security policies:
version: 1.0.0
policies:
# Maximum acceptable risk score (0-100)
maxRiskScore: 50
# Require namespace verification
requireVerification: true
# Block packages with these code patterns
blockPatterns:
- eval
- exec
- child_process
- crypto.createCipheriv
# Allowed package registries
allowedRegistries:
- registry.npmjs.org
- pypi.org
# Trusted publishers (auto-approve)
trustedPublishers:
- modelcontextprotocol
# Forbidden dependencies
blockedDependencies:
- malicious-package
- known-exploit
# Minimum version requirements
minVersions:
npm: "9.0.0"
node: "18.0.0"
Note: Policy enforcement is planned for future releases. Currently policies are advisory only.
SECURITY SCANNING
RISK SCORING
Each server receives a risk score from 0-100:
| Score | Verdict | Description |
|---|---|---|
| 0-30 | CLEAN | Safe to use |
| 31-60 | WARNING | Review findings before use |
| 61-80 | SUSPICIOUS | High risk, not recommended |
| 81-100 | MALICIOUS | Do not use |
DETECTION RULES
TYPOSQUATTING (+30 POINTS)
- Levenshtein distance < 3 from popular package
- Common character swaps (1 vs l, 0 vs O)
- Name similarity to official packages
SUSPICIOUS CODE (+20 POINTS EACH)
eval()- Dynamic code executionexec()- Shell command executionchild_process- Process spawning- Obfuscated code (hex strings, base64)
NETWORK CALLS (+15 POINTS)
- HTTP/HTTPS requests to unknown domains
- WebSocket connections
- DNS lookups to suspicious TLDs (.ru, .cn)
INSTALL SCRIPTS (+10 POINTS)
- postinstall, preinstall scripts
- File system modifications
- Download/execute behavior
INTEGRATION EXAMPLES
GITHUB ACTIONS
name: Security Check
on: [push, pull_request]
jobs:
mcp-shield:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
- name: Install MCPShield
run: npm install -g @kellyclaude/mcpshield
- name: Verify MCP servers
run: |
mcp-shield verify --strict
mcp-shield scan
PRE-COMMIT HOOK
#!/bin/sh
# .git/hooks/pre-commit
echo "Running MCPShield verification..."
mcp-shield verify
if [ $? -ne 0 ]; then
echo "❌ MCP server verification failed!"
exit 1
fi
echo "✅ All MCP servers verified"
exit 0CI/CD INTEGRATION
// package.json
{
"scripts": {
"pretest": "mcp-shield verify",
"security": "mcp-shield scan --json > security-report.json"
}
}API DOCUMENTATION
PROGRAMMATIC USAGE
Use MCPShield as a library in your Node.js applications:
import { RegistryClient, Scanner, Lockfile } from '@kellyclaude/mcpshield-core';
// Fetch server metadata
const client = new RegistryClient();
const server = await client.getServerMetadata('io.github.user/repo');
// Run security scan
const scanner = new Scanner();
const result = await scanner.scanServer(server);
console.log(`Risk Score: ${result.riskScore}`);
console.log(`Verdict: ${result.verdict}`);
// Update lockfile
const lockfile = await Lockfile.load('mcp.lock.json');
await lockfile.addServer(server);
await lockfile.save();CORE CLASSES
RegistryClient
Available in @kellyclaude/mcpshield-core
class RegistryClient {
async getServerMetadata(namespace: string): Promise<ServerMetadata>
async fetchArtifacts(server: ServerMetadata): Promise<Artifact[]>
}Scanner
Available in @kellyclaude/mcpshield-scanner
class Scanner {
async scanServer(server: ServerMetadata): Promise<ScanResult>
async scanPackage(packagePath: string): Promise<ScanResult>
}Lockfile
Available in @kellyclaude/mcpshield-core
class Lockfile {
static async load(path: string): Promise<Lockfile>
async addServer(server: LockedServer): Promise<void>
async removeServer(namespace: string): Promise<void>
async save(): Promise<void>
}ARCHITECTURE
MONOREPO STRUCTURE
mcpshield/
├── packages/
│ ├── core/ # Core types and clients
│ │ ├── types.ts
│ │ ├── registry-client.ts
│ │ ├── namespace-verifier.ts
│ │ ├── lockfile.ts
│ │ └── artifact-resolver.ts
│ ├── scanner/ # Security scanning
│ │ ├── scanner.ts
│ │ └── rules/
│ └── cli/ # Command-line interface
│ ├── cli.ts
│ └── commands/
├── test/
│ ├── unit/
│ └── e2e/
└── docs/DATA FLOW
- Registry Fetch - RegistryClient fetches server metadata from MCP Registry
- Namespace Verification - NamespaceVerifier validates GitHub ownership via API
- Artifact Download - ArtifactResolver downloads npm/PyPI packages
- Digest Computation - SHA-512 hashes computed for all artifacts
- Security Scan - Scanner analyzes code for threats
- Lockfile Update - Verified server added to mcp.lock.json
VERIFICATION METHODS
| Method | Namespace Format | Verification |
|---|---|---|
| GitHub | io.github.owner/repo | GitHub API + repo ownership |
| npm | npm.package-name | npm registry + maintainer list |
| PyPI | pypi.package-name | PyPI API + owner verification |
TECHNOLOGY STACK
- TypeScript - Type-safe development
- Node.js - Runtime (≥18.0.0)
- npm Workspaces - Monorepo management
- Commander.js - CLI framework
- Axios - HTTP client
- yaml - Policy parsing
PUBLISHED PACKAGES
The monorepo publishes three packages to npm:
- @kellyclaude/mcpshield - Main CLI tool
- @kellyclaude/mcpshield-core - Core types and clients
- @kellyclaude/mcpshield-scanner - Security scanning engine