Results: 66 passed (90%). 5 had configuration warnings. 2 failed with real security-relevant patterns in their tool handlers.
The two failures are instructive:
telegram-mcp scored F with 12 findings. Its send_photo, send_video, and send_document tools accept a file_path parameter with zero path validation and no directory allowlist. An LLM could call send_photo(chat, "/etc/passwd") and the server would attempt to send it. It also runs HTTP endpoints with verbose error output.
mcp-sqlite-server scored F with 9 findings. It passes user-provided SQL to conn.execute() with a startswith("select") guard. Python's sqlite3 blocks multi-statement execution, so DROP TABLE isn't possible — but single-statement bypasses work: UNION-based schema extraction, pragma metadata access, and potentially load_extension(). A guard that looks restrictive but isn't creates false confidence. It also runs SSE on 0.0.0.0:8000 over plain HTTP with debug logging enabled.
Both are community-maintained projects doing useful things. But the patterns they contain — unrestricted file access, raw SQL execution with insufficient guards — are exactly the kind of thing that should get caught before deployment.
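The startswith("select") guard described above, next to a default-deny SQLite authorizer, as an added example (not code from mcp-sqlite-server or Sigil). The table names, sample rows and the ALLOWED_TABLES policy are constructed assumptions.

```python
import sqlite3

ALLOWED_TABLES = {"notes"}  # assumption: the only table the tool should expose

def naive_guard(sql):
    # The prefix check the post describes.
    return sql.strip().lower().startswith("select")

def make_db():
    # Constructed sample data: one exposed table, one sensitive table.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE notes(id INTEGER, body TEXT);"
        "CREATE TABLE api_keys(id INTEGER, secret TEXT);"
        "INSERT INTO notes VALUES (1, 'hello');"
        "INSERT INTO api_keys VALUES (1, 'constructed-secret');"
    )
    return conn

def authorizer(action, arg1, arg2, db_name, source):
    # Default-deny: permit only SELECT and column reads on allowlisted tables.
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # sqlite_master, pragmas, SQL functions, writes

def run_naive(sql):
    # Executes anything that passes the prefix check.
    conn = make_db()
    return conn.execute(sql).fetchall() if naive_guard(sql) else None

def run_hardened(sql):
    conn = make_db()
    conn.set_authorizer(authorizer)  # installed after setup, before any tool input
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None  # statement rejected by the authorizer

QUERIES = [
    "SELECT body FROM notes",
    "SELECT name FROM sqlite_master",
    "SELECT body FROM notes UNION SELECT secret FROM api_keys",
]

if __name__ == "__main__":
    for q in QUERIES:
        print(q, "| naive:", run_naive(q), "| hardened:", run_hardened(q))
```

This policy also denies SQL functions such as count(); to permit specific ones, allow sqlite3.SQLITE_FUNCTION when arg2 is in a function-name allowlist.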
Sigil reads MCP server source code (TypeScript and Python), finds tool handler registrations, and detects dangerous patterns with 16 rules. It does pattern analysis with tool-handler scoping — it only flags code within actual MCP tool contexts, not build scripts or utilities.
We notified both maintainers before publishing.
npx @sigildev/sigil .
MIT licensed. No account. GitHub: https://github.com/sigildev/sigil