一键导入
audit-mcp
Audit every configured MCP server — tool filtering, credential scope, last-update, risk flags
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Audit every configured MCP server — tool filtering, credential scope, last-update, risk flags
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | audit-mcp |
| description | Audit every configured MCP server — tool filtering, credential scope, last-update, risk flags |
| when_to_use | ["User asks to audit or review MCP configuration","Scheduled weekly security check","After installing a new MCP server","Before widening a server's tools.include list"] |
| toolsets | ["terminal","file"] |
| security | {"trust":"trusted","notes":"Read-only audit. Reads config.yaml and .env key NAMES (never values),\nruns npm view / git log. Never modifies config without confirmation.\n"} |
| model_hint | google/gemini-3.1-flash |
Walk every server declared in ~/.hermes/config.yaml under mcp_servers: and produce a structured report with risk flags.
Hermes has no per-server trust: levels or allow_sampling: knobs — the real controls are tool filtering (tools.include / tools.exclude), credential scoping (what you pass via env:), and operator review before install (Part 19, Layer 5). This audit checks exactly those.
Read the config. Load ~/.hermes/config.yaml and extract the mcp_servers: block. If the block is empty or missing, report "No MCP servers configured" and exit.
For each server, collect:
stdio if command: present, http if url: present)enabled: flag and timeout:tools.include / tools.exclude — present? how many tools locked in vs exposed?env: entries — which credentials this server receivesargs:), git URL, or HTTP originnpm view <pkg> time.modifiedgit -C <path> log -1 --format=%cIHEAD and grab Last-ModifiedRisk-flag each server:
/scrape|fetch|email|rss|crawl/i) AND has an empty tools.include (= all tools exposed) or write-capable tools included.env: passes a broad credential (e.g. an unscoped GITHUB_PERSONAL_ACCESS_TOKEN) to a server that reads attacker-influenced text (the Comment-and-Control pattern).tools.include on a server with > 10 tools exposed.${VAR} in env: is not set in ~/.hermes/.env (check key names only — never read values).enabled: true on a server the logs show unused for 30+ days — dead attack surface.Render a table. Columns: name, transport, enabled, tools-included / tools-exposed, credentials passed, last-update age, flags.
Summarize next steps. Group findings by flag color and recommend:
tools.include: to the specific read-only tools you audited; swap the credential for a scoped read-only one."npm update <pkg> or rebuild the git source; verify release notes."tools.include: with the specific tools you actually use."Offer to apply fixes. Ask the user if they'd like to:
tools.include: based on hermes logs usage historyenabled: false) servers unused for 30+ daysenv: flagged as broadNever auto-apply without confirmation.
Report as markdown. Paste into Telegram / Discord / dashboard as-is. Example:
## MCP Security Audit — 2026-06-17
### 🔴 HIGH (1)
- **random-scraper** — reads untrusted content with empty tools.include (`scrape_url`, `fetch_rss`, 12 more exposed)
### 🟡 MEDIUM (2)
- **postgres** — last updated 127 days ago (package @modelcontextprotocol/server-postgres)
- **github** — empty tools.include, 34 tools exposed
### 🟢 LOW (1)
- **filesystem** — enabled but no tool calls in 30 days
### Recommendations
1. Lock `random-scraper` to `tools.include: [read_docs]` and run it inside a sandbox.
2. `npm update @modelcontextprotocol/server-postgres`.
3. Scope `github` to the 6 tools actually used in last 30d.
cron.yaml to run weekly (see Part 19) — this skill is read-only, so approvals.cron_mode: deny won't block it.terminal to exec npm view / git log; uses file to read the config.Delegate a PR review to Claude Code with a scoped read-only GitHub PAT
Build human-readable release notes from a range of commits or merged PRs
Weekly LLM cost breakdown by provider / gateway / skill, posted to private DM
Sweep inbox (email + Slack + Telegram DMs) and produce a prioritized action list with suggested replies
Produce a weekly "What's new in Hermes" digest by summarizing merged PRs + active issues from NousResearch/hermes-agent
Run `hermes backup`, encrypt, upload to remote storage, prune old backups