Local Analysis: Static Security Scanning for MCP Servers
Learn how to use MCP Shark's Local Analysis feature for static security scanning with YARA-based detection rules. Quickly identify vulnerabilities in your connected MCP servers.
What is Local Analysis?
Local Analysis is MCP Shark's built-in static security scanner that analyzes your MCP server configurations and tool definitions using YARA-based pattern matching. Unlike Smart Scan (which uses AI-powered analysis), Local Analysis runs entirely locally and provides fast, deterministic results.
✅ Key Benefits
- Fast: Results in milliseconds, not seconds
- Offline: No internet connection required
- Customizable: Create your own YARA detection rules
- Standards-based: Built on MCP Top 10 and Agentic Top 10
Security Categories
Local Analysis checks for vulnerabilities based on two comprehensive security frameworks:
MCP Top 10
Based on OWASP MCP security guidelines, covering common vulnerabilities in MCP implementations:
- MCP-01: Token Mismanagement
- MCP-02: Scope Creep
- MCP-03: Tool Poisoning
- MCP-04: Supply Chain
- MCP-05: Command Injection
- MCP-06: Prompt Injection Context
- MCP-07: Insufficient Auth
- MCP-08: Lack of Audit
- MCP-09: Shadow Servers
- MCP-10: Context Injection
Agentic Top 10
Security risks specific to agentic AI systems and autonomous agents:
- AGENTIC-01: Goal Hijack
- AGENTIC-02: Tool Misuse
- AGENTIC-03: Identity Abuse
- AGENTIC-04: Supply Chain
- AGENTIC-05: Remote Code Execution
- AGENTIC-06: Memory Poisoning
- AGENTIC-07: Insecure Communication
- AGENTIC-08: Cascading Failures
- AGENTIC-09: Trust Exploitation
- AGENTIC-10: Rogue Agent
Getting Started
Step 1: Start Your MCP Servers
Local Analysis only scans servers that are actively connected through the MCP Shark proxy. First, go to the Setup tab and start your MCP servers:
- Select your MCP configuration file (detected automatically for Cursor, Windsurf, etc.)
- Choose which servers to enable
- Click "Start MCP Shark"
- Wait for servers to connect
Note: The Analyse button is disabled until at least one MCP server is running. If you see a disabled button, go to Setup first.
Step 2: Run Analysis
Navigate to the Local Analysis tab and click the Analyse button. MCP Shark will scan all connected servers and display findings in the dashboard.
Step 3: Review Findings
Use the different view modes to analyze your results:
- Dashboard: Overview with severity charts and summary statistics
- By Severity: Findings grouped by Critical, High, Medium, Low
- By Category: Findings organized by MCP Top 10 or Agentic Top 10
- By Target: Findings grouped by server or tool name
Understanding Findings
Each finding includes:
- Severity: Critical, High, Medium, or Low priority
- Category: Which security category it belongs to (e.g., MCP-05)
- Title: Brief description of the issue
- Description: Detailed explanation of the vulnerability
- Server/Tool: Which server or tool is affected
- Evidence: The specific pattern that triggered the detection
Critical
Immediate action required. Potential for severe exploitation.
High
Significant security risk. Should be addressed soon.
Medium
Moderate risk. Consider remediation.
Low
Informational or best practice recommendation.
Scan History
Click the History button to view past analysis results. Each historical scan shows:
- Timestamp of when the scan was performed
- Total number of findings
- Which servers were scanned
- Severity breakdown (Critical/High/Medium/Low counts)
Click on any historical scan to view its findings. This is useful for comparing security posture over time or reviewing changes after updates.
YARA Detection Rules
Switch to the YARA Detection tab to manage detection rules. MCP Shark includes predefined rules for common vulnerabilities, and you can create custom rules for specific patterns.
Managing Rules
- View Rules: See all predefined and custom rules
- Enable/Disable: Toggle individual rules on or off
- Create Custom: Write your own YARA rules
- Reset Defaults: Restore predefined rules to original state
Custom Rule Example
```yara
rule detect_hardcoded_api_key {
    meta:
        description = "Detect hardcoded API keys"
        severity = "high"
        category = "MCP-01"
    strings:
        $api_key = /api[_-]?key\s*[:=]\s*["'][^"']+["']/i
        $secret = /secret\s*[:=]\s*["'][^"']+["']/i
    condition:
        any of them
}
```

Local Analysis vs Smart Scan
MCP Shark offers two complementary security analysis features:
| Feature | Local Analysis | Smart Scan |
|---|---|---|
| Analysis Type | Static (rule-based) | Dynamic (AI-powered) |
| Detection Method | YARA patterns | Semantic analysis |
| Requires | Running proxy servers | Server configuration |
| Speed | Fast (milliseconds) | Varies by server count |
| Internet Required | No | Yes |
| Custom Rules | Yes (YARA) | No |
Recommendation: Use Local Analysis for quick, pattern-based checks during development. Use Smart Scan for comprehensive AI-powered security audits before deployment.
Best Practices
- Run regularly: Scan after adding new MCP servers or updating configurations
- Review all severities: Even low-severity findings can indicate potential issues
- Use History: Compare scans over time to track security improvements
- Customize rules: Create YARA rules for your specific security requirements
- Combine with Smart Scan: Use both features for comprehensive coverage
- Clear regularly: Clear old findings after addressing them to maintain a clean dashboard
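Added example, not part of MCP Shark or its documentation: before enabling a custom rule such as detect_hardcoded_api_key from the Custom Rule Example, check what its patterns actually match. The Python below runs the rule's two regexes through Python's re module (standing in for the YARA engine) over constructed sample lines; API_KEY_JSON is a hypothetical variant, and every sample value is a placeholder.

```python
import re

# The two patterns from the page's rule; re.I stands in for YARA's /i modifier.
API_KEY = re.compile(r"""api[_-]?key\s*[:=]\s*["'][^"']+["']""", re.I)
SECRET = re.compile(r"""secret\s*[:=]\s*["'][^"']+["']""", re.I)

# Hypothetical variant (not an MCP Shark rule): tolerate a closing quote after
# the key name so JSON-style "key": "value" pairs are also caught.
API_KEY_JSON = re.compile(r"""api[_-]?key["']?\s*[:=]\s*["'][^"']+["']""", re.I)

# Constructed sample lines in the styles a config or tool definition might use.
SAMPLES = {
    "js_object": "const cfg = { apiKey: 'EXAMPLE-NOT-A-REAL-KEY' };",
    "dotenv_quoted": 'API_KEY="EXAMPLE-NOT-A-REAL-KEY"',
    "dotenv_unquoted": "API_KEY=EXAMPLE-NOT-A-REAL-KEY",
    "json_pair": '{"env": {"API_KEY": "EXAMPLE-NOT-A-REAL-KEY"}}',
    "env_reference": 'api_key = "${API_KEY}"',
    "client_secret": "client_secret: 'EXAMPLE-NOT-A-REAL-SECRET'",
}


def rule_fires(text, patterns=(API_KEY, SECRET)):
    """Mirror the rule's `any of them` condition for one piece of text."""
    return any(p.search(text) for p in patterns)


def evaluate(samples=SAMPLES, patterns=(API_KEY, SECRET)):
    """Return {sample name: whether the rule would fire on it}."""
    return {name: rule_fires(text, patterns) for name, text in samples.items()}


if __name__ == "__main__":
    original = evaluate()
    adjusted = evaluate(patterns=(API_KEY_JSON, SECRET))
    for name in SAMPLES:
        print(f"{name:16} original={original[name]!s:5} json_variant={adjusted[name]}")
```

With the original patterns, the JSON pair and the unquoted dotenv line are missed, while the `${API_KEY}` environment reference is flagged even though no key is hardcoded. Test custom rules against the formats your own servers use before relying on a clean scan.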
Next Steps
Continue learning about MCP security:
- Detecting Malicious MCP Servers - Manual inspection techniques
- Building a Secure MCP Setup - Comprehensive security guide
- MCP Playground Guide - Safely test MCP tools