Security assessment of Model Context Protocol servers and tools: tool-poisoning, prompt injection via tool output, authz scoping, and unsafe capability exposure.
68 checks
The model reads tool names, descriptions, and JSON schemas as trusted instructions. Assess whether those definitions can be weaponised, mutated after approval, shadowed by other servers, or over-scoped.
Attacker-controlled content that reaches the model via tool output, resources, or files can hijack the agent. Assess indirect prompt injection, resource poisoning, and confused-deputy conditions across the MCP boundary.
Assess how MCP servers authenticate clients/users, how OAuth scopes and tokens are handled, whether tools are scoped to least privilege, and whether tokens are dangerously passed through to upstream services.
Assess the transport layer (stdio vs SSE/Streamable HTTP, TLS, local exposure) and classic server-side weaknesses — command injection, SSRF, and supply-chain risk from installing untrusted servers.
Assess how sensitive data can leave the system through tools, leak into server logs, or escape weak sandboxing of the server's file and network access.