Compare

SmeltSec vs. MCP-Scan alone

MCP-Scan is one of the 16 scanners SmeltSec runs. Here's what SmeltSec adds beyond it.

MCP-Scan is an open-source tool for MCP-specific security — primarily tool poisoning detection and prompt injection in tool descriptions. SmeltSec runs it as part of Gate 2, plus 15 other scanners, plus quality scoring, monitoring, and config sync.

MCP-Scan

What MCP-Scan does well

+Tool poisoning detection across MCP tool definitions
+Prompt injection detection in tool metadata and descriptions
+Open source, MIT-licensed, free forever

SmeltSec

What SmeltSec adds

+SAST via Semgrep CE across the generated server code
+Secret scanning with Gitleaks on code and history
+Dependency CVEs via OSV-Scanner
+Behavioral analysis of tool call patterns
+6-dimension quality scoring (correctness, security, perf, maint, docs, tests)
+Automated patching for flagged vulnerabilities
+Multi-client config sync (Claude, Cursor, ChatGPT, Windsurf, VS Code)
+Cross-repo upstream monitoring with change alerts
+SBOM generation on every build
+Attestation signing for supply chain proof

Both

Open source friendly

MCP-Scan is MIT-licensed and free forever. SmeltSec uses it as one of 8 free tools, bundled with 8 more and a managed SaaS offering.

Get the free 8-tool scan

Start with the free tier. Upgrade when you need the full 16-scanner pipeline.