For Postman Agent ModeRogue MCP Server Detection
& API Security Testing
Rogue MCP audits local MCP servers to expose supply-chain risks and excessive privileges, then runs safe, passive API security testing on Postman collections to find auth gaps and data leaks. Agent-native security, minus the drama.
Key Features
Security checks run conversationally inside Agent Mode—no separate tools, proxies, or configuration required.
MCP Security Scanner
Audits all installed MCP servers (Postman, Cursor, VS Code, Claude, etc.). Verifies provenance against Postman's trusted MCP registry.
API Security Testing
Analyzes Postman collections and OpenAPI specs. No attack payloads, no traffic replay, no production risk. Runtime ~2–3 minutes.
LLM-Assisted Findings
Summarized risks, explanations, and remediation guidance. Designed for developers, not security specialists.
God-Mode Detection
Flags MCPs with unrestricted filesystem access, arbitrary command execution, and full user permissions.
Lockfile Generation
Generates a locked-down mcp.json + lockfile with pinned versions, hashes, and allowlist for secure deployments.
Agent-Native UX
Local MCP over STDIO, fully compatible with Postman Agent Mode. Security checks run conversationally inside your workflow.
Types of Issues Detected
Comprehensive security scanning for both MCP servers and API endpoints
MCP Security Scanner
- Full filesystem access and credential exposure risk
- SSH, cloud credential, and browser data access
- Arbitrary command execution ("god-mode" MCPs)
- Unpinned or drifting dependencies
- Suspicious network behavior and package provenance gaps
API Security Testing
- API key and secret leaks
- Missing or weak authentication
- Over-permissive endpoints
- Schema violations and drift
- Sensitive data exposure
- Basic BOLA / BOPLA indicators
How It Works
Register & Subscribe
Sign up for $5/month to get full access to the Rogue MCP Server.
Configure in Postman
Add the Rogue MCP Server to your Postman Agent Mode configuration.
Run Security Checks
Use natural language in Agent Mode to scan MCPs and test API security—no extra tools needed.
CLI Usage & Commands
Run without arguments to start as an MCP server (stdio transport), or use CLI commands directly.
Usage as MCP Server
Run without arguments to start as an MCP server (stdio transport). The server provides scan, audit, fix, and export tools.
npx rogue-mcp@latestQuick CLI Commands
npx rogue-mcp@latest rogue # Rogue MCP Mode - Analyze blast radius of running privilegesnpx rogue-mcp@latest analyze-collection # Upload and analyze a Postman collection for API security vulnerabilitiesSimple, Transparent Pricing
Unlock full access for API Security Testing by signing up for a $5 paid subscription.
400 credits included for LLM-based API Security Testing.
Credits are only consumed for API Security Testing for Postman Collections.
You can always switch later to another plan with more monthly credits.