Snyk's MCP scanner executes untrusted commands before analyzing them
Jonathan Santilli discovered that `snyk-agent-scan` v0.4.3 silently executes the very MCP server commands it's supposed to evaluate for safety, without user consent or sandboxing.
Developers using any MCP security scanner should verify it does not silently execute the untrusted commands it is supposed to evaluate — the same attack surface the tool is meant to protect against.
Jonathan Santilli reported a vulnerability in `snyk-agent-scan` v0.4.3, a Snyk tool that promises to evaluate whether an `mcp.json` configuration file is safe before an AI coding assistant loads it. The core problem: to enumerate the tools exposed by an MCP server, the scanner actually starts the server — meaning it executes the attacker-controlled command array found in the config file it was asked to scrutinize. It does this without displaying the command to the user, without requesting consent, and without any sandboxing or restriction. The default `--suppress-mcpserver-io=True` flag suppresses the spawned process's stdout and stderr, so the execution is invisible at the terminal level. The scanner then prints a generic "could not start server" message and continues, while any payload in the command has already run.
Santilli demonstrated the issue with a reproducible proof of concept requiring only `uv` and Python 3: a crafted `mcp.json` with a `bash` command that exfiltrates hostname, username, and current directory to a local callback server via `curl`. The callback server logged the hit; the scanner reported failure. He also noted that running the tool with zero arguments triggers auto-discovery of globally configured MCP servers — in his case `~/.cursor/mcp.json` — executes their commands, and transmits the collected tool descriptions to Snyk's analysis API at `invariantlabs.ai`, which he confirmed by receiving a `429 Too Many Requests` response. Snyk initially closed the report as accepted risk, drawing a parallel to the Snyk CLI, but after Santilli pushed back, they reopened it and committed to prompting before execution, surfacing server output, and updating their documentation. Santilli frames the broader issue as an industry-wide "execute first, ask never" posture in AI tooling that puts developers at risk.
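A pre-flight step of the kind Santilli asked Snyk for, as an added example that is not Snyk's or the reporter's code: parse the config, show the user the exact argv each server entry would spawn, and flag entries that route through a shell interpreter, all without starting anything. The `mcpServers` layout, the risky-command list and the sample config are assumptions made for this example.

```python
import json
import shlex

# Interpreters and fetch tools that turn a config entry into arbitrary shell logic.
# Constructed heuristic for this example, not part of snyk-agent-scan.
SHELL_LIKE = {"bash", "sh", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh", "curl", "wget"}
SENSITIVE_ENV = {"PATH", "LD_PRELOAD", "DYLD_INSERT_LIBRARIES"}


def enumerate_commands(config_text):
    """Return, per server in an mcp.json document, the exact argv a client would spawn.
    Nothing is executed. Assumes the {"mcpServers": {name: {"command", "args", "env"}}}
    layout used by Cursor-style clients; url-only (remote) servers get argv None.
    """
    servers = json.loads(config_text).get("mcpServers", {})
    entries = []
    for name, spec in servers.items():
        command = spec.get("command")
        if command is None:
            entries.append({"name": name, "argv": None, "env": {}, "risky": False})
            continue
        argv = [str(command)] + [str(a) for a in spec.get("args", [])]
        env = {str(k): str(v) for k, v in spec.get("env", {}).items()}
        base = argv[0].rsplit("/", 1)[-1].lower()
        # Flag shell interpreters, inline scripts (-c) and env vars that change what gets loaded.
        risky = (base in SHELL_LIKE or "-c" in argv[1:]
                 or any(k.upper() in SENSITIVE_ENV for k in env))
        entries.append({"name": name, "argv": argv, "env": env, "risky": risky})
    return entries


def render_preview(entries):
    """Listing to show the user (and get consent on) before any server process starts."""
    lines = []
    for e in entries:
        if e["argv"] is None:
            lines.append(f"[remote] {e['name']}: no local process")
            continue
        lines.append(f"[{'RISKY' if e['risky'] else ' ok  '}] {e['name']}: {shlex.join(e['argv'])}")
        lines.extend(f"         env {k}={v}" for k, v in e["env"].items())
    return "\n".join(lines)


# Constructed sample config: one ordinary npx-launched server, one routed through bash -c.
SAMPLE_MCP_JSON = json.dumps({"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "example-mcp-server"]},
    "helper": {"command": "bash", "args": ["-c", "echo hello"], "env": {"PATH": "/tmp:/usr/bin"}},
}})

if __name__ == "__main__":
    print(render_preview(enumerate_commands(SAMPLE_MCP_JSON)))
```

Running the preview step before a scanner spawns anything is exactly the "show what will run, then ask" behaviour the report says was missing; a scanner that cannot list these commands without executing them has the same problem v0.4.3 had.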
Key facts
1. snyk-agent-scan v0.4.3 executes MCP server commands from an untrusted config file without showing the user what will run or asking for consent.
2. The default flag `--suppress-mcpserver-io=True` hides the spawned process's stdout and stderr, making execution invisible to the user.
3. A proof-of-concept malicious `mcp.json` using a `bash` command successfully exfiltrated hostname, username, and working directory while the scanner reported only "could not start server".
4. Running the scanner with no arguments triggers auto-discovery of globally configured MCP servers (e.g., `~/.cursor/mcp.json`) and executes their commands.