# MCP configuration audit

Model Context Protocol server auditor — flags tool-poisoning patterns in Claude Desktop / Claude Code / Cursor / Continue / Cline / Roo configs.

LLM-agent tooling is the new attack surface. Every MCP server an agent loads runs as a subprocess with the host's privileges, and the tool catalog (descriptions, schemas) is dictated by the server — so a malicious MCP server has both shell access and a prompt-injection channel into the agent's reasoning. The 2025-2026 "tool poisoning" research thread shows this is being actively abused via typo-squatted npm packages, project-scoped `.mcp.json` files in malicious repos, and credential-leaking env-var inheritance.
## Config locations searched

digger auto-discovers MCP configs at every well-known host location:

- `~/.config/Claude/claude_desktop_config.json` (Linux Claude Desktop)
- `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS)
- `~/AppData/Roaming/Claude/claude_desktop_config.json` (Windows)
- `~/.claude/settings.json`, `~/.claude.json` (Claude Code)
- `~/.cursor/mcp.json`
- `~/.continue/config.json` + `~/.config/io.continue.continue/config.json`
- Cline + Roo Code VSCode-extension globalStorage configs
- Project-scoped (always added): `./.mcp.json`, `./.claude/settings.json`, `./.cursor/mcp.json`
## Config shapes parsed

- `{ "mcpServers": { name: {...}, ... } }` (Claude Desktop, Cursor)
- `{ "mcp": { "servers": { name: {...}, ... } } }` (newer Anthropic)
- `{ "mcpServers": [ { name: ..., ... }, ... ] }` (some forks)
- `{ "servers": [...] }` (Continue)

The package identifier is parsed out of `command` + `args` into `(ecosystem, identifier, scope)`: `npx` → npm; `uvx`/`pipx` → pypi; `node`/`python3` → raw script; `https://…` → network transport; otherwise binary.
## Detection layers (P1–P5)

| ID | Severity | What it catches | MITRE |
|---|---|---|---|
| P1 | high | Project-scoped MCP server (.mcp.json in a repo). git clone + open is enough to enroll a server — same shape as the npm/pypi dropper attack. | T1195.002 |
| P2 | high | Raw script execution (node /tmp/x.js, python3 server.py, ./run.sh). Whoever edits the file edits the MCP behavior, with no signature check. | T1059 |
| P3 | high | Credential-shape env vars (AWS_*, GITHUB_TOKEN, *_API_KEY, etc). Server inherits them at exec. | T1552.001 |
| P4 | medium | Network transport (sse / http / ws). Tool descriptions become an untrusted-input vector — prompt injection lands via the tool catalog. | T1071.001 |
| P5 | medium | Typo-squat-suspicious npm scope. Not on the KNOWN_GOOD_NPM_SCOPES allowlist (@modelcontextprotocol, @anthropic-ai, etc). Extend via DIGGER_MCP_TRUSTED_SCOPES. | T1195.002 |
Disabled servers emit no findings.
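The config-shape normalisation, the `(ecosystem, identifier, scope)` split and the P1–P5 checks above, as an added illustration in Python (not digger's own code). It assumes network transport is signalled by a `url` field, treats only scoped npm packages as candidates for the P5 allowlist check, and uses a constructed sample config rather than a real host file.

```python
import json
import re

KNOWN_GOOD_NPM_SCOPES = {"@modelcontextprotocol", "@anthropic-ai"}  # allowlist named on the page
CRED_ENV = re.compile(r"^(AWS_.*|GITHUB_TOKEN|.*_API_KEY)$")  # P3 credential-shape names (assumed regex)

def iter_servers(cfg):  # yield (name, spec) from any of the four config shapes listed above
    servers = cfg.get("mcpServers", cfg.get("mcp", {}).get("servers", cfg.get("servers")))
    if isinstance(servers, dict):
        yield from servers.items()
    elif isinstance(servers, list):
        for spec in servers:
            yield spec.get("name", "<unnamed>"), spec

def classify(spec):  # map command + args (or url) to (ecosystem, identifier, npm_scope)
    cmd = spec.get("command", "")
    base = cmd.rsplit("/", 1)[-1]  # "/usr/bin/npx" -> "npx"
    # first non-flag arg is the package / script; a url field means a network transport
    target = spec.get("url") or next((a for a in spec.get("args", []) if not a.startswith("-")), "")
    if target.startswith(("http://", "https://", "ws://", "wss://")):
        return "network", target, None
    if base == "npx":
        return "npm", target, target.split("/")[0] if target.startswith("@") else None
    if base in ("uvx", "pipx"):
        return "pypi", target, None
    if base in ("node", "python3", "python") or cmd.startswith("./"):
        return "script", target or cmd, None
    return "binary", cmd, None

def audit(cfg, project_scoped=False):  # return [(server, rule_id)]; disabled servers emit nothing
    findings = []
    for name, spec in iter_servers(cfg):
        if spec.get("disabled"):
            continue
        eco, _ident, scope = classify(spec)
        hits = {"P1": project_scoped, "P2": eco == "script",
                "P3": any(CRED_ENV.match(k) for k in spec.get("env", {})),
                "P4": eco == "network",
                "P5": eco == "npm" and bool(scope) and scope not in KNOWN_GOOD_NPM_SCOPES}
        findings += [(name, rule) for rule, hit in hits.items() if hit]
    return findings

# Constructed sample config (not a real project's file) exercising every layer.
SAMPLE = json.loads("""{"mcpServers": {
  "fs": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]},
  "squat": {"command": "npx", "args": ["@modelcontextprotocl/server-git"]},
  "local": {"command": "node", "args": ["/tmp/x.js"], "env": {"GITHUB_TOKEN": "x"}},
  "remote": {"url": "https://mcp.example.test/sse"},
  "old": {"command": "python3", "args": ["server.py"], "disabled": true}}}""")
```

Running `audit(SAMPLE, project_scoped=True)` on the same config additionally tags every enabled server with P1, which is the `.mcp.json`-in-a-repo case.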
## CLI

```console
$ digger mcp audit --case-dir /tmp/case [--roots config1,config2] [--verbose]
[mcp] MCP servers audited: 14
[mcp] project-scoped: 1
[mcp] with env vars: 6
[mcp] raw-script: 0
[mcp] network-transport: 2
[mcp] artifacts emitted: 14
```