ai security

Auditing MCP Servers for Tool Poisoning

Scan Model Context Protocol servers and tool metadata for poisoning, SSRF, and unauthenticated exposure.

agent-securityai-securitymcpmcp-scanrug-pullssrfsupply-chaintool-poisoning
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Authorized-use-only notice: Auditing MCP servers can connect to and probe live tool endpoints. Only scan servers you own or are authorized to assess. Treat scanned tool descriptions as untrusted input — do not load an unaudited MCP server into a privileged agent. Probing third-party MCP endpoints for SSRF or auth weaknesses without permission may be illegal.

Overview

The Model Context Protocol (MCP) lets AI agents discover and call external tools advertised by MCP servers. Each tool exposes a name and a natural-language description that the agent's LLM reads before deciding to call it. In early 2025, Invariant Labs disclosed that this description field is an attack surface: a malicious server can embed hidden instructions in a tool's description (a tool poisoning attack, OWASP MCP03:2025), and a capable model will silently follow them — exfiltrating files, leaking secrets, or redirecting tool calls — while returning a normal-looking response to the user. Because tool descriptions are loaded into the agent's context, tool poisoning is effectively indirect prompt injection delivered through the supply chain (MITRE ATLAS AML.T0010 ML Supply Chain Compromise).

Beyond poisoning, MCP servers introduce classic infrastructure risks: tool shadowing (a malicious server overrides a trusted tool's behavior), rug pulls (a tool's description changes after the user approved it), toxic flows (a combination of tools that enables data exfiltration), SSRF in tools that fetch URLs server-side, and unauthenticated exposure of MCP servers bound to network interfaces. This skill audits MCP servers end-to-end using Invariant Labs' mcp-scan for static and runtime analysis, plus manual checks for SSRF and authentication, and tool pinning to catch rug pulls.

When to Use

  • Before adding a new MCP server to an agent stack (Claude Desktop, Cursor, VS Code, Windsurf, custom agents).
  • During a security review of an internally developed MCP server.
  • When validating that approved tools have not silently changed (rug-pull detection).
  • As a CI/CD gate that scans MCP configs and SKILL/tool definitions on every change.
  • During incident response when an agent took unexpected actions consistent with a poisoned tool.

Prerequisites

  • Python 3.10+ and uv (for uvx), or pip.
  • The MCP config file(s) you want to scan (e.g. ~/.cursor/mcp.json, ~/.vscode/mcp.json, Claude Desktop config).
  • Install the tooling:
# uv provides uvx (recommended runner for mcp-scan)
curl -LsSf https://astral.sh/uv/install.sh | sh    # or: pipx install uv
 
# mcp-scan (Invariant Labs) — no global install needed with uvx
uvx mcp-scan@latest --help
 
# For the runtime proxy mode (separate extra)
uvx --with "mcp-scan[proxy]" mcp-scan@latest proxy --help
 
# Manual probing helpers
pip install requests mcp

Objectives

  • Statically scan all installed MCP servers for tool poisoning, shadowing, rug pulls, and toxic flows.
  • Inspect raw tool/prompt/resource descriptions for hidden or obfuscated instructions.
  • Pin tool hashes to detect post-approval description changes (rug-pull defense).
  • Test URL-fetching tools for server-side request forgery (SSRF).
  • Verify MCP servers are authenticated and not exposed on untrusted interfaces.
  • Optionally enforce runtime guardrails with the mcp-scan proxy.

MITRE ATT&CK Mapping

ID Official Name Relevance
AML.T0010 ML Supply Chain Compromise A poisoned third-party MCP server is a supply-chain compromise of the agent
AML.T0051.001 LLM Prompt Injection: Indirect Poisoned tool descriptions are indirect injection into the agent context
AML.T0053 LLM Plugin Compromise MCP tools are the agent's plugins; poisoning compromises them
AML.T0057 LLM Data Leakage Common payload of a poisoned tool: exfiltrate files/secrets

Workflow

1. Static scan of installed MCP configs

mcp-scan auto-discovers known config locations; you can also pass a path explicitly.

# Scan all auto-discovered MCP configs
uvx mcp-scan@latest
 
# Scan a specific config file
uvx mcp-scan@latest ~/.vscode/mcp.json
 
# Emit machine-readable JSON for CI
uvx mcp-scan@latest --json ~/.cursor/mcp.json > mcp_scan_report.json

mcp-scan flags tool poisoning, tool shadowing, cross-origin escalation, rug pulls, and toxic flows.

2. Inspect raw tool descriptions

Print every tool/prompt/resource description without verification, then read them for hidden instructions, <important>-style blocks, or imperative text aimed at the model.

uvx mcp-scan@latest inspect ~/.cursor/mcp.json

Look for red flags: instructions to the assistant ("do not tell the user", "read ~/.ssh/id_rsa"), nested fake documentation, zero-width/Unicode-smuggled text, or directives to call other tools.

3. Pin tool hashes to detect rug pulls

mcp-scan tracks tool description hashes so a later silent change is flagged. Run scans on a schedule; a hash mismatch on a previously approved tool indicates a rug pull.

# Re-run regularly; mcp-scan reports changed tool hashes since last approval
uvx mcp-scan@latest ~/.cursor/mcp.json

4. Enumerate tools programmatically and audit metadata

Connect to the server with the official MCP SDK and inspect the advertised schema directly.

# enumerate_tools.py (stdio MCP server example)
import asyncio
from mcp import ClientSession, StdioServerParameters
from mcp.client.stdio import stdio_client
 
async def main():
    params = StdioServerParameters(command="node", args=["./suspect-mcp-server.js"])
    async with stdio_client(params) as (read, write):
        async with ClientSession(read, write) as session:
            await session.initialize()
            tools = await session.list_tools()
            for t in tools.tools:
                print(f"{t.name}: {len(t.description or '')} chars")
                print((t.description or "")[:400])
 
asyncio.run(main())

5. Test URL-fetching tools for SSRF

If a tool accepts a URL and fetches it server-side, attempt to reach internal metadata/loopback targets (only on systems you own).

# ssrf_probe.py
import asyncio
from mcp import ClientSession, StdioServerParameters
from mcp.client.stdio import stdio_client
 
SSRF_TARGETS = [
    "http://169.254.169.254/latest/meta-data/",   # AWS IMDS
    "http://127.0.0.1:22/", "http://localhost:6379/", "file:///etc/passwd",
]
 
async def main():
    params = StdioServerParameters(command="node", args=["./suspect-mcp-server.js"])
    async with stdio_client(params) as (r, w):
        async with ClientSession(r, w) as s:
            await s.initialize()
            for url in SSRF_TARGETS:
                res = await s.call_tool("fetch_url", {"url": url})
                body = str(res.content)[:200]
                print(f"[SSRF?] {url} -> {body}")
 
asyncio.run(main())

6. Verify authentication and network exposure

Check that remote MCP servers (HTTP/SSE transport) require authentication and are not bound to 0.0.0.0 on untrusted networks.

# Confirm whether an SSE/HTTP MCP endpoint responds without credentials
curl -s -i http://mcp-host:8000/sse | head -n 20
 
# Check listening interfaces of a locally running MCP server
ss -tlnp | grep -E ':(8000|3000|6277)'

An MCP endpoint that returns tool listings or accepts tools/call without auth is unauthenticated exposure — remediate with a token/OAuth and bind to localhost or an authenticated gateway.

7. Enforce runtime guardrails (optional)

For continuous protection, route agent MCP traffic through the mcp-scan proxy, which checks tool calls, data-flow constraints, PII, and indirect injection in real time.

uvx --with "mcp-scan[proxy]" mcp-scan@latest proxy

8. Report findings

Document each finding with server, tool, evidence (the poisoned description / SSRF response / unauth listing), severity, and ATLAS mapping. Recommend removing or sandboxing poisoned servers, adding auth, pinning approved tools, and enabling the proxy.

Tools and Resources

Tool Purpose Source
mcp-scan Static + runtime MCP security scanner https://github.com/invariantlabs-ai/mcp-scan
MCP Python SDK Programmatic tool enumeration / calls https://github.com/modelcontextprotocol/python-sdk
OWASP MCP Top 10 MCP risk reference (MCP03 Tool Poisoning) https://owasp.org/www-project-mcp-top-10/
Invariant Labs blog Tool poisoning disclosure https://invariantlabs.ai/blog/introducing-mcp-scan
MITRE ATLAS AI threat technique taxonomy https://atlas.mitre.org/

MCP Threat Reference

Threat Description Detection
Tool poisoning Hidden instructions in tool description mcp-scan scan / inspect
Tool shadowing Malicious server overrides trusted tool mcp-scan cross-origin checks
Rug pull Description changes after approval mcp-scan tool pinning (hash)
Toxic flow Tool combo enabling exfiltration mcp-scan toxic-flow analysis
SSRF URL-fetch tool reaches internal targets ssrf_probe against owned server
Unauth exposure MCP endpoint with no auth curl/ss interface and auth check

Validation Criteria

  • All installed MCP configs statically scanned with mcp-scan
  • Raw tool/prompt/resource descriptions inspected for hidden instructions
  • Tool hashes pinned and rug-pull detection enabled
  • Tools enumerated programmatically via the MCP SDK
  • URL-fetching tools tested for SSRF against owned targets
  • Authentication and network exposure of remote servers verified
  • Runtime proxy guardrails evaluated or deployed where appropriate
  • Findings mapped to MITRE ATLAS AML.T0010 and OWASP MCP03:2025
  • Severity assigned and remediation documented for each finding
  • Re-scan scheduled to catch future rug pulls
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 2

api-reference.md2.2 KB

API Reference — MCP Server Auditing

mcp-scan CLI (Invariant Labs)

Run via uvx (no global install): uvx mcp-scan@latest

Command Description
mcp-scan / mcp-scan scan [config] Statically scan MCP configs for poisoning, shadowing, rug pulls, toxic flows
mcp-scan inspect [config] Print tool/prompt/resource descriptions without verification
mcp-scan proxy Runtime proxy: monitor and guardrail MCP traffic (requires [proxy] extra)
--json Emit machine-readable JSON report

Examples:

uvx mcp-scan@latest ~/.vscode/mcp.json
uvx mcp-scan@latest inspect ~/.cursor/mcp.json
uvx --with "mcp-scan[proxy]" mcp-scan@latest proxy

mcp-scan features: tool pinning (hash-based rug-pull detection), cross-origin escalation checks, toxic-flow analysis.

MCP Python SDK

Install: pip install mcp

API Description
StdioServerParameters(command, args) Define a stdio MCP server to launch
stdio_client(params) Async context manager yielding (read, write) streams
ClientSession(read, write) MCP client session
session.initialize() Perform MCP handshake
session.list_tools() Return advertised tools (.tools[].name, .description, .inputSchema)
session.list_prompts() List advertised prompts
session.list_resources() List advertised resources
session.call_tool(name, args) Invoke a tool (use for SSRF probing on owned servers)

Common MCP config locations

Client Path
Cursor ~/.cursor/mcp.json
VS Code ~/.vscode/mcp.json
Claude Desktop ~/Library/Application Support/Claude/claude_desktop_config.json (macOS)

SSRF probe targets (owned systems only)

Target Purpose
http://169.254.169.254/latest/meta-data/ AWS instance metadata (IMDS)
http://metadata.google.internal/ GCP metadata
http://127.0.0.1:<port>/ Loopback services
file:///etc/passwd Local file disclosure

External References

standards.md1.5 KB

Standards and References — Auditing MCP Servers for Tool Poisoning

MITRE ATLAS References

Technique ID Name Tactic Rationale
AML.T0010 ML Supply Chain Compromise Initial Access A poisoned third-party MCP server compromises the agent supply chain
AML.T0051.001 LLM Prompt Injection: Indirect Initial Access Poisoned tool descriptions are indirect injection into agent context
AML.T0053 LLM Plugin Compromise Execution MCP tools are the agent's plugins; poisoning compromises them
AML.T0057 LLM Data Leakage Exfiltration Poisoned tools commonly exfiltrate files/secrets

NIST AI RMF References

ID Name Rationale
MANAGE-2.2 Mechanisms are in place and applied to sustain the value of deployed AI systems Auditing third-party MCP tools manages/sustains safe agent operation

OWASP MCP Top 10 (2025)

ID Name Rationale
MCP03:2025 Tool Poisoning Primary risk this skill audits
MCP01:2025 Prompt Injection Poisoned descriptions inject the agent

Official Resources

Scripts 1

agent.py5.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
# For authorized MCP server auditing only. Do not scan servers you do not control
# or lack written permission to assess.
"""MCP tool-poisoning audit agent.

Two modes:
  static  -- run Invariant Labs mcp-scan over an MCP config and parse results,
             plus a local heuristic scan of tool descriptions in the config.
  enum    -- launch a stdio MCP server, enumerate tools, and heuristically flag
             poisoned descriptions (hidden instructions, smuggled unicode).

Examples:
  python agent.py static --config ~/.cursor/mcp.json
  python agent.py enum --command node --args ./suspect-mcp-server.js
"""
import argparse
import json
import re
import shutil
import subprocess
import sys
from datetime import datetime, timezone

# Heuristics for instructions aimed at the assistant inside a tool description.
POISON_PATTERNS = [
    r"do not (tell|inform|mention to) the user",
    r"ignore (previous|prior|all) instructions",
    r"<important>|<system>|\[system\]",
    r"read .*(\.ssh|id_rsa|\.env|credentials|passwd)",
    r"(send|exfiltrate|post) .* to https?://",
    r"before (using|calling) (this|any) tool,? (you must|always)",
    r"call (the )?\w+ tool (first|before)",
]
SMUGGLE = re.compile(r"[​-‏‪-‮⁠-\U000e0000-\U000e007f]")


def heuristic_flags(description: str):
    flags = []
    low = (description or "").lower()
    for pat in POISON_PATTERNS:
        if re.search(pat, low):
            flags.append(f"pattern:{pat}")
    if SMUGGLE.search(description or ""):
        flags.append("unicode-smuggling")
    if len(description or "") > 1500:
        flags.append("oversized-description")
    return flags


def run_static(args):
    findings = {"ts": datetime.now(timezone.utc).isoformat(),
                "config": args.config, "atlas": "AML.T0010", "scanner": None,
                "heuristic": []}

    # 1. Invoke mcp-scan if available
    runner = shutil.which("uvx") or shutil.which("mcp-scan")
    if runner:
        cmd = ([runner, "mcp-scan@latest", "--json", args.config]
               if "uvx" in runner else [runner, "--json", args.config])
        try:
            res = subprocess.run(cmd, capture_output=True, text=True, timeout=240)
            try:
                findings["scanner"] = json.loads(res.stdout)
            except json.JSONDecodeError:
                findings["scanner"] = {"raw": res.stdout[:4000], "stderr": res.stderr[:1000]}
        except subprocess.TimeoutExpired:
            findings["scanner"] = {"error": "mcp-scan timed out"}
    else:
        findings["scanner"] = {"error": "uvx/mcp-scan not found; install uv: "
                                        "curl -LsSf https://astral.sh/uv/install.sh | sh"}

    # 2. Local heuristic scan of any descriptions embedded in the config
    try:
        with open(args.config, encoding="utf-8") as fh:
            cfg = json.load(fh)
        for desc in _walk_descriptions(cfg):
            f = heuristic_flags(desc)
            if f:
                findings["heuristic"].append({"flags": f, "snippet": desc[:200]})
    except (OSError, json.JSONDecodeError) as exc:
        findings["heuristic"].append({"error": str(exc)})

    print(json.dumps(findings, indent=2))
    return findings


def _walk_descriptions(obj):
    """Yield any 'description' string values found anywhere in a nested config."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == "description" and isinstance(v, str):
                yield v
            else:
                yield from _walk_descriptions(v)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk_descriptions(item)


def run_enum(args):
    try:
        import asyncio
        from mcp import ClientSession, StdioServerParameters
        from mcp.client.stdio import stdio_client
    except ImportError:
        print("Install: pip install mcp", file=sys.stderr)
        sys.exit(1)

    async def _enum():
        params = StdioServerParameters(command=args.command, args=args.args or [])
        out = {"ts": datetime.now(timezone.utc).isoformat(),
               "server": f"{args.command} {' '.join(args.args or [])}",
               "atlas": "AML.T0010", "tools": []}
        async with stdio_client(params) as (r, w):
            async with ClientSession(r, w) as s:
                await s.initialize()
                tools = await s.list_tools()
                for t in tools.tools:
                    flags = heuristic_flags(t.description or "")
                    out["tools"].append({
                        "name": t.name,
                        "desc_len": len(t.description or ""),
                        "flags": flags,
                        "verdict": "POISONED?" if flags else "clean",
                    })
        print(json.dumps(out, indent=2))
        return out

    try:
        asyncio.run(_enum())
    except Exception as exc:  # connection/protocol errors
        print(f"[!] MCP enumeration failed: {exc}", file=sys.stderr)
        sys.exit(2)


def main():
    ap = argparse.ArgumentParser(description="MCP tool-poisoning audit agent")
    sub = ap.add_subparsers(dest="mode", required=True)

    ps = sub.add_parser("static", help="Run mcp-scan + heuristic scan on a config")
    ps.add_argument("--config", required=True, help="Path to MCP config JSON")

    pe = sub.add_parser("enum", help="Enumerate tools from a stdio MCP server")
    pe.add_argument("--command", required=True, help="Server launch command, e.g. node")
    pe.add_argument("--args", nargs="*", help="Arguments to the server command")

    args = ap.parse_args()
    if args.mode == "static":
        run_static(args)
    else:
        run_enum(args)


if __name__ == "__main__":
    main()
Keep exploring