New CLI tool mcp-audit exposes security flaws in MCP server configurations

·1 views

A developer building MCP server integrations for Claude and Cursor discovered serious security gaps after running a self-built auditing tool called mcp-audit on their own setup, which scored 0 out of 100. The tool flagged issues including a remote server with no authentication, a plaintext GitHub token stored in a config file, unpinned auto-updating executables, and an overly broad filesystem access scope. A 2026 analysis of roughly 7,000 public MCP servers found that 41% require no authentication and 36.7% are vulnerable to SSRF attacks, highlighting how widespread these risks are. The tool also revealed that running multiple MCP servers can silently consume 50,000 to 75,000 context tokens per request, increasing costs and latency before a user types a single prompt. mcp-audit is a free, open-source, zero-dependency CLI that runs entirely locally and supports config files from Claude Desktop, Cursor, VS Code, and other clients.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Developer builds Sentinel, a regex-free Go-based secret scanner for CI/CD pipelines

A developer has released Sentinel, an open-source secret scanning tool written in Go, designed to overcome performance issues found in existing tools like Gitleaks and TruffleHog. Unlike traditional scanners, Sentinel uses an Aho-Corasick automaton engine to scan payloads in O(n) linear time, eliminating the risk of catastrophic backtracking on large files. The tool also includes a pre-decoding layer for Base64 strings and aggregates multi-line certificates into single alerts to reduce noise. In testing against a 15MB stress payload containing over 100 structural baits, Sentinel completed the scan in approximately 1.5 seconds with a perfect signal-to-noise ratio. The project is fully open-source under the AGPL-3.0 license and is available on GitHub for community review and feedback.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Monlite unifies vector store, cache, and job queue in a single SQLite file

A developer frustrated by multi-container local setups for AI agent projects built Monlite, a TypeScript library that consolidates document storage, vector search, full-text search, key-value cache, job queue, and cron scheduling into one SQLite file. The library uses SQLite's built-in capabilities — including ACID transactions, WAL mode, and the FTS5 engine — along with the sqlite-vec extension for KNN vector queries. A key engineering challenge was ensuring exactly-once job claiming across multiple worker processes, solved using SQLite's BEGIN IMMEDIATE write-intent lock rather than optimistic locking. Monlite also supports cross-language interoperability, allowing Python and Node.js to read and write the same database file with verified round-trip tests. Now at version 2.6.1 with a stable API, the project is explicitly designed for single-machine local workloads, with an optional sync package available for replication to cloud databases like MongoDB or Postgres.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

How a Hard-Coded Interest Rate Formula Cost One Fintech Startup $2M

A Southeast Asian fintech startup hard-coded its interest rate calculation logic directly into its API layer to speed up its lending product launch, a decision that seemed reasonable under competitive pressure at the time. Over the following 14 months, that single line of logic became embedded across seven undocumented downstream processes, including loan origination, repayment schedules, and regulatory reporting. When the business needed to shift from a flat to a tiered interest rate model, what founders expected to be a two-week product change took three months of engineering work to untangle and rewrite safely. The resulting losses, remediation costs, and foregone revenue from delayed features totalled over $2 million. The case illustrates how technical debt compounds across four cost categories: direct remediation, slower feature velocity, incident exposure, and opportunity cost from markets and partnerships that become unreachable.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

What Runtime Infrastructure an AI Agent Loop Actually Needs to Run Safely

As AI agent loops grow more autonomous—discovering work, executing tasks, verifying results, and scheduling next steps—the key bottleneck shifts from prompt quality to underlying infrastructure. Safe loops require isolated execution environments, clear tool permissions, and explicit policies distinguishing low-risk actions like reading logs from high-risk ones like modifying production settings. Because the context window cannot serve as durable memory, long-running loops depend on external state storage such as task queues, traces, and decision logs to remain auditable across restarts. Verification must come from sources outside the executor itself, including tests, static analysis, cost limits, and human confirmation for sensitive actions. Finally, production loops need defined stop conditions and observability dashboards so engineers can track tool calls, failures, costs, and intervention points in real time.

0 comments Read more at DEV Community