MCPScan Security Assessment
Sample Launch Audit
The target achieved grade F with 13 open findings across 22 checks. 5 critical or high severity items should be remediated before production use or buyer acceptance.
Executive Summary
Assessment Details
Severity Counts
Remediation Priority
- CRITICAL: Command injection via tool arguments
Avoid passing user input to shells. Use fixed command allowlists, structured argument arrays, strict enums, and per-command sandboxing. - HIGH: Bearer token validation
Validate bearer/API tokens on every request, reject missing/expired/invalid tokens, and avoid bypass flags in production MCP servers. - HIGH: SQL injection via tool arguments
Expose narrow query operations, use parameterized statements, validate filter fields against allowlists, and avoid accepting raw SQL from callers. - HIGH: Path traversal via file-related tools
Resolve paths against an approved workspace root, reject '..' segments and absolute paths, and enforce schema patterns or enums for allowed locations. - HIGH: Excessive tool permissions
Run tools with least privilege, narrow filesystem and network scopes, separate read/write/admin capabilities, and require explicit approval for destructive actions.
Auditor Notes
This sample report uses an intentionally risky fixture to demonstrate the paid audit deliverable.
Findings
1. Command injection via tool arguments
A tool appears to accept command or shell-like input from callers.
Evidence: Tool "run_shell" matched command execution heuristics.
Recommended remediation: Avoid passing user input to shells. Use fixed command allowlists, structured argument arrays, strict enums, and per-command sandboxing.
References: OWASP Command Injection, OWASP MCP Top 10: unsafe tool input, CWE-78: OS Command Injection
2. Bearer token validation
Bearer/API token validation could not be confirmed for the target.
Evidence: No bearer token, API key, OAuth, or authorization validation hints found.
Recommended remediation: Validate bearer/API tokens on every request, reject missing/expired/invalid tokens, and avoid bypass flags in production MCP servers.
References: OWASP MCP Top 10: authentication and authorization failures, NSA MCP security advisory: access control guidance, CWE-287: Improper Authentication
3. SQL injection via tool arguments
A database-oriented tool appears to accept raw SQL or query fragments.
Evidence: Tool "db_query" matched SQL injection heuristics.
Recommended remediation: Expose narrow query operations, use parameterized statements, validate filter fields against allowlists, and avoid accepting raw SQL from callers.
References: OWASP SQL Injection Prevention Cheat Sheet, CWE-89: SQL Injection, OWASP MCP Top 10: unsafe tool input
4. Path traversal via file-related tools
A file-related tool accepts caller-controlled paths without visible schema constraints.
Evidence: Tool "read_file" matched file path traversal heuristics.
Recommended remediation: Resolve paths against an approved workspace root, reject '..' segments and absolute paths, and enforce schema patterns or enums for allowed locations.
References: OWASP Path Traversal, CWE-22: Improper Limitation of a Pathname, OWASP MCP Top 10: unsafe tool input
5. Excessive tool permissions
The target appears to request broad tool or process permissions.
Evidence: Tool "run_shell" matched excessive permission heuristics.
Recommended remediation: Run tools with least privilege, narrow filesystem and network scopes, separate read/write/admin capabilities, and require explicit approval for destructive actions.
References: Principle of Least Privilege, CWE-250: Execution with Unnecessary Privileges, OWASP MCP Top 10: excessive permissions
6. Session fixation and token reuse
The configuration suggests static, shared, or reusable session/token material.
Evidence: Matched pattern \bsession[_-]?id["']?\s*[:=]\s*["']?(default|static|shared|test|demo|admin|changeme)\b
Recommended remediation: Issue per-client sessions, rotate tokens, bind sessions to authenticated principals, and avoid shared/static MCP client credentials.
References: OWASP MCP Top 10: authentication and authorization failures, CWE-384: Session Fixation, CWE-613: Insufficient Session Expiration
7. Argument type confusion or oversized input risk
A tool schema allows ambiguous or potentially oversized arguments.
Evidence: Tool "submit_payload" has missing, free-form, or unbounded argument constraints.
Recommended remediation: Declare explicit JSON Schema types, reject unknown object keys, and add maxLength, maxItems, numeric bounds, or enums for caller-controlled fields.
References: JSON Schema Validation, OWASP Input Validation Cheat Sheet, CWE-20: Improper Input Validation
8. Excessive data exposure
A tool appears able to return broad or unredacted datasets.
Evidence: Tool "db_query" matched excessive output heuristics.
Recommended remediation: Return the minimum fields needed, paginate large results, enforce caller authorization, and redact secrets or personal data before responding.
References: OWASP API Security: Excessive Data Exposure, CWE-200: Exposure of Sensitive Information, OWASP MCP Top 10: sensitive information disclosure
9. Stdio process isolation
A local/stdio-style server exposes high-impact capabilities without visible isolation hints.
Evidence: Tool "run_shell" matched high-impact capability heuristics and no sandbox/container/read-only/no-network hint was found.
Recommended remediation: Run stdio MCP servers in a sandbox/container, restrict filesystem paths, disable network where unnecessary, and split high-impact tools into separate least-privilege servers.
References: NSA MCP security advisory: sandboxing and least privilege, OWASP MCP Top 10: excessive permissions, CWE-250: Execution with Unnecessary Privileges
10. Shadow tools heuristic
A tool appears to present itself as a trusted replacement or clone.
Evidence: Tool "github_official_sync" matched trusted-brand plus replacement-language heuristics.
Recommended remediation: Use clear vendor-neutral names, verify package provenance, avoid impersonating official tools, and pin trusted server identities in client configuration.
References: OWASP MCP Top 10: tool poisoning and shadowing, SLSA: Package provenance, CWE-353: Missing Support for Integrity Check
11. Tool name collision
Two tools have names that normalize to the same identifier.
Evidence: "read_file" collides with "read-file" after case/separator normalization.
Recommended remediation: Give each tool a unique, explicit name and reject duplicate normalized names during server startup or client registration.
References: OWASP MCP Top 10: tool confusion and shadowing, CWE-178: Improper Handling of Case Sensitivity, CWE-180: Incorrect Behavior Order
12. Debug mode enabled
Debug or verbose error mode appears enabled.
Evidence: Matched pattern \bdebug[_-]?mode\b
Recommended remediation: Disable debug and inspector modes in production, return sanitized errors to MCP clients, and keep detailed traces in protected logs only.
References: OWASP MCP Top 10: insecure configuration, CWE-489: Active Debug Code, CWE-209: Generation of Error Message Containing Sensitive Information
13. Error message information disclosure
Configuration or tool metadata suggests raw debug/error details may be exposed.
Evidence: Matched pattern \bstack trace\b
Recommended remediation: Return stable user-facing error codes, log detailed errors server-side only, and disable debug or verbose exception output in production.
References: OWASP Error Handling Cheat Sheet, CWE-209: Information Exposure Through an Error Message, OWASP API Security: Security Misconfiguration