11New
Injection Scanner
Paste any MCP tools array and instantly detect prompt injection patterns — 100% client-side, your JSON never leaves the browser.
Input — MCP tools JSON
Load example:
Ctrl + Enter to scan
What it scans
All string fields (name, description, parameter descriptions) for 10 injection pattern categories including zero-width unicode, HTML comment hiding, system overrides, tool shadowing, and exfiltration commands.
What to paste
A JSON tools[] array, a single tool object, or a full MCP server config. ShapeMCP's converters output directly compatible JSON.
Privacy
All scanning runs as pure JavaScript in your browser. No JSON, no tool definitions, no results are sent to any server. Works fully offline.
Severity levels
Critical — active attack vectors. High — impersonation and hijacking. Medium — obfuscation and secrecy. Low — suspicious but not necessarily malicious.