Static scan of MCP server 'vulnerable-mcp': 1 critical, 4 high across 7 tools, 1 resources, and 1 prompts. We reduce risk. We do not guarantee security.
| Severity | Finding | Category | Opportunity | Basis |
|---|---|---|---|---|
| CRITICAL | Secret material exposed via resource 'app-env' | secret-leak | — | — |
| HIGH | Tool 'run_shell' can execute shell/OS commands | over-broad-scope | — | — |
| HIGH | Injected instructions in tool 'search_docs' description | tool-poisoning | — | — |
| HIGH | Colliding tool names: update-record, update_record | tool-shadowing | — | — |
| HIGH | Tool 'send_email' performs a privileged action on caller-controlled input | confused-deputy | — | — |
Resource 'app-env' exposes what looks like real secrets (AWS access key id, OpenAI-style API key, credential assignment).
Evidence: Resource 'file:///srv/app/.env' matched: AWS access key id, OpenAI-style API key, credential assignment.
Recommendation: Never inline secrets in resources; use a secret store.
'run_shell' exposes shell/OS execution to the agent. A single prompt injection anywhere upstream can turn into code execution.
Evidence: Tool 'run_shell' advertises shell/command execution.
Recommendation: Remove shell execution, or replace it with narrowly-scoped tools for the specific actions actually needed.
The tool 'search_docs' description contains content aimed at the model rather than the human reader (invisible characters U+200B; injection phrases: 'ignore all previous', 'new instructions', 'do not mention', 'when you read this'). The agent reads this text.
Evidence: Tool 'search_docs' description carries hidden/injection content.
Recommendation: Reject tool/prompt metadata containing invisible characters or imperative instructions; pin and review server manifests before trusting them.
2 tools collapse to the same normalised name ('updaterecord'). One can shadow the other so the agent invokes the wrong one — a route to masquerading as a trusted tool.
Evidence: Tools ['update-record', 'update_record'] normalise to 'updaterecord'.
Recommendation: Enforce unique canonicalised tool names; reject collisions.
'send_email' acts with the server's authority on a caller-supplied target/body with no advertised validation. The agent can be induced to use that authority on an attacker's behalf.
Evidence: Privileged tool 'send_email' takes caller input, unmediated.
Recommendation: Mediate the privileged action: validate/allowlist the target, require explicit confirmation, and constrain what the caller can supply.
For each tool, the systems/data it can reach and the worst case if abused. Reach is inferred from the tool's advertised name, description, and parameters.
| Tool | Reach | Worst case if abused |
|---|---|---|
| run_shell | shell/OS execution | arbitrary code execution on the host. |
| search_docs | database | read/modify of arbitrary records. |
| update_record | — | no privileged reach detected. |
| update-record | — | no privileged reach detected. |
| send_email | email/messaging | messages sent from the org under its identity. |
| get_time | — | no privileged reach detected. |
| ping | — | no privileged reach detected. |
This assessment enumerated 7 tools, 1 resources, and 1 prompts, and analysed their advertised metadata. Resource contents were read. Active probing was NOT performed (static scan only). The scanner reports only what is detectable from advertised metadata and safe static analysis; the absence of a finding is not proof of safety.
Checks run: over-broad tool scope (least privilege), tool-description poisoning (hidden/injection content), tool shadowing (name collisions), confused-deputy exposure, and secret/sensitive-resource disclosure. Findings map to the OWASP LLM Top 10 and MCP-specific classes. Each finding carries the evidence it was raised on; no finding is raised without evidence.
✓ = assessed on the supplied data; — = not assessable from what was provided.
| Checklist item | |
|---|---|
| ✓ | Tools, resources, and prompts enumerated |
| ✓ | Over-broad tool scope (least privilege) checked |
| ✓ | Tool-description poisoning checked |
| ✓ | Tool shadowing / name collisions checked |
| ✓ | Confused-deputy exposure checked |
| ✓ | Secret / sensitive-resource disclosure checked |
| ✓ | Resource contents read for secret scanning |
| ✓ | Blast-radius mapped per tool |
We reduce risk. We do not guarantee security.