Vallarium

Vallarium MCP Security Scan

Prepared for: vulnerable-mcp  ·  Engine: vallarium-scan  ·  Generated: 2026-07-11 05:42 UTC

Static scan of MCP server 'vulnerable-mcp': 1 critical, 4 high across 7 tools, 1 resources, and 1 prompts. We reduce risk. We do not guarantee security.

Findings

SeverityFindingCategoryOpportunityBasis
CRITICAL Secret material exposed via resource 'app-env' secret-leak
HIGH Tool 'run_shell' can execute shell/OS commands over-broad-scope
HIGH Injected instructions in tool 'search_docs' description tool-poisoning
HIGH Colliding tool names: update-record, update_record tool-shadowing
HIGH Tool 'send_email' performs a privileged action on caller-controlled input confused-deputy

[CRITICAL] Secret material exposed via resource 'app-env'

Resource 'app-env' exposes what looks like real secrets (AWS access key id, OpenAI-style API key, credential assignment).

Evidence: Resource 'file:///srv/app/.env' matched: AWS access key id, OpenAI-style API key, credential assignment.

Recommendation: Never inline secrets in resources; use a secret store.

References: OWASP LLM Top 10: LLM02 Sensitive Information Disclosure

[HIGH] Tool 'run_shell' can execute shell/OS commands

'run_shell' exposes shell/OS execution to the agent. A single prompt injection anywhere upstream can turn into code execution.

Evidence: Tool 'run_shell' advertises shell/command execution.

Recommendation: Remove shell execution, or replace it with narrowly-scoped tools for the specific actions actually needed.

References: OWASP LLM Top 10: LLM06 Excessive Agency, MCP: over-privileged tool scope, MITRE ATLAS: LLM-enabled attack surface

[HIGH] Injected instructions in tool 'search_docs' description

The tool 'search_docs' description contains content aimed at the model rather than the human reader (invisible characters U+200B; injection phrases: 'ignore all previous', 'new instructions', 'do not mention', 'when you read this'). The agent reads this text.

Evidence: Tool 'search_docs' description carries hidden/injection content.

Recommendation: Reject tool/prompt metadata containing invisible characters or imperative instructions; pin and review server manifests before trusting them.

References: OWASP LLM Top 10: LLM01 Prompt Injection, MCP: tool-description poisoning, MITRE ATLAS: LLM-enabled attack surface

[HIGH] Colliding tool names: update-record, update_record

2 tools collapse to the same normalised name ('updaterecord'). One can shadow the other so the agent invokes the wrong one — a route to masquerading as a trusted tool.

Evidence: Tools ['update-record', 'update_record'] normalise to 'updaterecord'.

Recommendation: Enforce unique canonicalised tool names; reject collisions.

References: MCP: tool shadowing / name collision, OWASP LLM Top 10: LLM01 Prompt Injection, MITRE ATLAS: LLM-enabled attack surface

[HIGH] Tool 'send_email' performs a privileged action on caller-controlled input

'send_email' acts with the server's authority on a caller-supplied target/body with no advertised validation. The agent can be induced to use that authority on an attacker's behalf.

Evidence: Privileged tool 'send_email' takes caller input, unmediated.

Recommendation: Mediate the privileged action: validate/allowlist the target, require explicit confirmation, and constrain what the caller can supply.

References: OWASP LLM Top 10: LLM06 Excessive Agency, MCP: confused deputy, MITRE ATLAS: LLM-enabled attack surface

Blast-radius map

For each tool, the systems/data it can reach and the worst case if abused. Reach is inferred from the tool's advertised name, description, and parameters.

ToolReachWorst case if abused
run_shellshell/OS executionarbitrary code execution on the host.
search_docsdatabaseread/modify of arbitrary records.
update_recordno privileged reach detected.
update-recordno privileged reach detected.
send_emailemail/messagingmessages sent from the org under its identity.
get_timeno privileged reach detected.
pingno privileged reach detected.

Scope of assessment

This assessment enumerated 7 tools, 1 resources, and 1 prompts, and analysed their advertised metadata. Resource contents were read. Active probing was NOT performed (static scan only). The scanner reports only what is detectable from advertised metadata and safe static analysis; the absence of a finding is not proof of safety.

Methodology

Checks run: over-broad tool scope (least privilege), tool-description poisoning (hidden/injection content), tool shadowing (name collisions), confused-deputy exposure, and secret/sensitive-resource disclosure. Findings map to the OWASP LLM Top 10 and MCP-specific classes. Each finding carries the evidence it was raised on; no finding is raised without evidence.

Audit checklist

✓ = assessed on the supplied data; — = not assessable from what was provided.

Checklist item
Tools, resources, and prompts enumerated
Over-broad tool scope (least privilege) checked
Tool-description poisoning checked
Tool shadowing / name collisions checked
Confused-deputy exposure checked
Secret / sensitive-resource disclosure checked
Resource contents read for secret scanning
Blast-radius mapped per tool

We reduce risk. We do not guarantee security.