MCP security scanner targets trust boundary, not just prompt injection
Author manja316 argues that MCP's real vulnerability is what server-side tool handlers do with injected arguments — not the injection itself — and built a scanner that detects 21 classic vulnerability patterns across 5 languages in MCP server code.
Score breakdown
The post reframes MCP defense away from input filtering toward hardening server-side handlers, arguing that a safe handler is a structural wall while input filtering is only a sieve — a distinction that changes where security effort should be concentrated.
- 01The post argues the real MCP vulnerability is what server-side tool handlers do with arguments, not the prompt injection that delivers them.
- 02The dangerous chain described is: untrusted input → model convinced → tool call fires → server-side code executes on the host machine.
- 03The scanner detects 21 vulnerability patterns across Python, Java, Go, C++, and Rust.
Manja316 argues that the MCP security conversation is focused on the wrong layer. Prompt injection is only the first step; the actual damage occurs at the trust boundary — the moment an injected instruction becomes a real tool call executing with the host machine's privileges. Because an MCP server is, by design, code that an LLM is allowed to invoke, a vulnerable server-side handler effectively turns the model into a remote-code-execution courier, behaving exactly as designed while doing so. The post frames most MCP security as classic appsec — 20-year-old bug classes that are newly reachable through a model rather than through a trusted caller.
The scanner ships as an MCP server itself with three tools — `audit_repo`, `audit_code`, and `list_patterns` — and is installable via `pip install mcp-security-audit`.
The vulnerability patterns the scanner targets are ranked by severity: `eval()`/`exec()`/`os.system()` on tool arguments (CRITICAL), `subprocess(..., shell=True)` and `Runtime.exec` string concatenation (HIGH), unsafe deserialization via `pickle.load`, `torch.load`, or `ObjectInputStream` (HIGH), `yaml.load()` without `SafeLoader` (HIGH), string-concatenated SQL queries (HIGH), URL-concatenation in fetch tools leading to SSRF (MEDIUM), and hardcoded API keys in server source (MEDIUM). The scanner ships as an MCP server itself with three tools — `audit_repo`, `audit_code`, and `list_patterns` — and is installable via `pip install mcp-security-audit`. Running inside Claude Desktop, it allows an agent to audit a repo before wiring it in.
A central design concern is purpose-aware scoring: a `subprocess(shell=True)` call in a CI helper that never touches model input is a low-priority note, while the same call wired to a tool argument is rated CRITICAL. The post acknowledges two open gaps in the current design — path traversal in file-serving tools and SSRF in fetch-style tools — where determining whether a call is malicious is described as genuinely ambiguous. Full taint analysis proving argument flow into dangerous sinks is noted as a future improvement not yet built.
Key facts
- 01The post argues the real MCP vulnerability is what server-side tool handlers do with arguments, not the prompt injection that delivers them.
- 02The dangerous chain described is: untrusted input → model convinced → tool call fires → server-side code executes on the host machine.
- 03The scanner detects 21 vulnerability patterns across Python, Java, Go, C++, and Rust.
- 04Severity ratings range from CRITICAL (`eval()`/`exec()` on tool arguments) to HIGH (unsafe deserialization, `yaml.load()` without SafeLoader, shell injection) to MEDIUM (SSRF, hardcoded credentials).
- 05The scanner uses purpose-aware scoring: the same pattern is rated differently based on whether it is reachable by model input.
- 06It ships as an MCP server with three tools: `audit_repo`, `audit_code`, and `list_patterns`, installable via `pip install mcp-security-audit`.
- 07The post identifies path traversal in file-serving tools and SSRF in fetch-style tools as the two pattern families the author is least confident the scanner covers well.
Topics
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 20, 2026 · 08:55 UTC. How this works →