Anthropic MCP SDK config-to-exec design flaw
OX Security disclosed that Anthropic's official MCP SDKs allow configuration values to shape the spawned command line, turning supply-chain or config control into host-side execution authority.
Affected systems
MCP deployments, Coding agents, Long-lived agents
Primary threats
Capability Escalation, Tool Misuse, Skill or Plugin Backdoors
Impact types
Host command execution, Supply-chain compromise, Runtime trust collapse
CVEs
Not specified
What an auditor should now check
- Trace every config value that can influence executable path, args, env, or workdir
- Check whether tool wrappers preserve parameter provenance down to process spawn
- Verify that child-process launches are sandboxed and independently policy-checked
Why this matters
This is a runtime authority and supply-chain problem at the execution sink. If config can steer process spawn, any poisoned registry entry, package, or deployment default can become code execution.
What happened
OX Security showed that the official Anthropic MCP SDKs flow configuration into the command line used to spawn STDIO child processes. That means control over config can become control over what the host executes.
Why the classification matters
This should not be filed as generic prompt injection. The decisive failure is that supply-chain and configuration state can directly shape an execution sink with host authority.
What an auditor should now check
- Whether configuration and registry metadata can alter executable path or arguments
- Whether child-process launches are validated against an allowlist
- Whether connector provenance is verified before the runtime trusts it
Zealynx takeaway
For Zealynx, this is a model example of why MCP reviews must start from authority and execution sinks rather than prompt wording.
Control implications
- Treat spawn-influencing configuration as untrusted input with strict allowlists
- Review SDK defaults as part of authority scoping, not only application prompts
- Pin connector versions and provenance before allowing them near shell or filesystem tooling
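The auditor checks and control implications above both come down to one gate: spawn-influencing configuration (executable path, args, env, workdir) is validated against a strict allowlist before any STDIO child process is created. The following is an added example of such a gate, written for this page and not taken from the Anthropic MCP SDKs or from OX Security's disclosure; the allowlisted executable paths, argument patterns, environment keys and the `/srv/` working-directory prefix are constructed placeholders that a deployment would replace with its own policy.

```python
"""Policy gate for MCP STDIO server configuration before process spawn.

Added example (not SDK or vendor code). The principle: configuration is
untrusted input at the execution sink, so every field that can shape the
spawned process is checked against an allowlist, and the child is launched
only from the vetted values, never from the raw config.
"""
from __future__ import annotations

import posixpath
import re
import subprocess
from dataclasses import dataclass, field

# Constructed allowlist (hypothetical paths): the only executables this host
# will run as MCP servers, each with the exact argument shape it accepts.
# Keys are absolute paths so there is no PATH lookup for the runtime to steer.
ALLOWED_EXECUTABLES: dict[str, re.Pattern[str]] = {
    "/usr/local/bin/mcp-filesystem": re.compile(r"^--root=/srv/data(/[A-Za-z0-9_-]+)*$"),
    "/usr/local/bin/mcp-git": re.compile(r"^--repo=/srv/repos/[A-Za-z0-9_-]+$"),
}

# Only these environment keys may come from config. Loader-affecting variables
# (PATH, LD_PRELOAD, NODE_OPTIONS, PYTHONPATH, ...) are therefore rejected.
ALLOWED_ENV_KEYS = {"MCP_LOG_LEVEL", "MCP_TIMEOUT_SECONDS"}

# Working directory must stay inside this tree (constructed placeholder).
ALLOWED_CWD_PREFIX = "/srv/"


@dataclass
class SpawnDecision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    argv: list[str] = field(default_factory=list)   # vetted command line
    env: dict[str, str] = field(default_factory=dict)  # vetted environment
    cwd: str | None = None


def _is_clean_abs_path(p: object) -> bool:
    """Absolute, already-normalised POSIX path (no '..', no double slashes)."""
    return isinstance(p, str) and posixpath.isabs(p) and posixpath.normpath(p) == p


def check_spawn_config(config: dict) -> SpawnDecision:
    """Validate a server config {command, args, env, cwd}; never raises."""
    reasons: list[str] = []
    command = config.get("command", "")
    args = config.get("args", [])
    env = config.get("env", {})
    cwd = config.get("cwd")

    # 1. Executable: exact allowlist match on a normalised absolute path.
    if not _is_clean_abs_path(command):
        reasons.append(f"command must be a normalised absolute path: {command!r}")
    elif command not in ALLOWED_EXECUTABLES:
        reasons.append(f"command not in allowlist: {command!r}")

    # 2. Arguments: list of strings, each matching the per-executable pattern.
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        reasons.append("args must be a list of strings")
    elif command in ALLOWED_EXECUTABLES:
        pattern = ALLOWED_EXECUTABLES[command]
        reasons.extend(f"argument rejected by policy: {a!r}" for a in args if not pattern.fullmatch(a))

    # 3. Environment: allowlisted keys only; the child gets nothing else from config.
    clean_env: dict[str, str] = {}
    if not isinstance(env, dict):
        reasons.append("env must be a mapping")
    else:
        for key, value in env.items():
            if key not in ALLOWED_ENV_KEYS:
                reasons.append(f"env key not permitted: {key!r}")
            elif not isinstance(value, str) or "\0" in value or "\n" in value:
                reasons.append(f"env value malformed for {key!r}")
            else:
                clean_env[key] = value

    # 4. Working directory: optional, but if present it must stay in the allowed tree.
    if cwd is not None and not (_is_clean_abs_path(cwd) and cwd.startswith(ALLOWED_CWD_PREFIX)):
        reasons.append(f"cwd outside permitted tree: {cwd!r}")

    if reasons:
        return SpawnDecision(False, reasons)
    return SpawnDecision(True, [], [command, *list(args)], clean_env, cwd)


def spawn_server(config: dict) -> subprocess.Popen:
    """Launch a STDIO MCP server only from vetted values; shell=False always."""
    decision = check_spawn_config(config)
    if not decision.allowed:
        raise PermissionError("spawn denied: " + "; ".join(decision.reasons))
    # Environment is built from the vetted map only, not inherited from the parent.
    return subprocess.Popen(decision.argv, env=decision.env, cwd=decision.cwd,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE, shell=False)


# Constructed sample inputs: one conforming config, one shaped by a poisoned
# registry entry (relative command, PATH override, workdir outside the tree).
GOOD_CONFIG = {
    "command": "/usr/local/bin/mcp-filesystem",
    "args": ["--root=/srv/data/projects"],
    "env": {"MCP_LOG_LEVEL": "info"},
    "cwd": "/srv/data",
}
POISONED_CONFIG = {
    "command": "mcp-filesystem",
    "args": ["--root=/"],
    "env": {"PATH": "/tmp/bin"},
    "cwd": "/tmp",
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("poisoned", POISONED_CONFIG)):
        d = check_spawn_config(cfg)
        print(name, "ALLOWED" if d.allowed else "DENIED", d.reasons or d.argv)
```

The gate deliberately refuses rather than sanitises: a config that is almost right is still denied, with every failing field reported, so a reviewer can see which config source (registry metadata, package default, deployment file) was able to reach the spawn path. Argument patterns exclude `..` components and the environment is constructed from the vetted map only, which closes the two quieter routes to the same sink, path traversal in a path-valued flag and loader variables that change what an executable does without changing its name.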