MCP Security Checklist
24 security checks for Model Context Protocol (MCP) servers and AI agents covering tool poisoning, prompt injection, RCE prevention, and cross-server attacks.
๐จ Critical Threat Landscape
The Model Context Protocol (MCP) attack surface is riddled with vulnerabilities:
โข 82% of MCP servers use file operations prone to path traversal (Endor Labs)
โข 53% use insecure credentials (hardcoded keys)
โข 43% vulnerable to command injection (Equixly)
โข 16+ disclosed CVEs & breaches since April 2025 (AuthZed timeline + NVD)
โข 5 Critical CVEs MCP-related disclosures with CVSS โฅ9.0 (NVD)
โข 1,467 internet-exposed servers nearly tripled in 6 months (Trend Micro)
CATEGORIES
Path Traversal Protection
CriticalTool arguments validated against boundaries, no directory traversal via ../
Command Injection Prevention
CriticalCLI flags and parameters properly sanitized, no shell injection vectors
RCE via Execute Primitives
CriticalGit hooks, filters (smudge/clean), aliases, and post-checkout scripts secured or disabled
File System Boundaries
CriticalWrite operations restricted to designated directories, no arbitrary file access
Prompt Injection Amplification
CriticalLLM context parsing robust against malicious instructions embedded in tool outputs
Output Poisoning Resistance
CriticalTool responses sanitized before context injection, no instruction embedding
Semantic Exfiltration Controls
CriticalSensitive data detection prevents covert channel attacks via tool responses
Cross-Tool Chaining Attacks
CriticalCombined MCP server capabilities audited as attack surface
OAuth Implementation
HighNo hardcoded credentials, proper OAuth flows for API access
API Key Management
HighKeys rotated, scoped appropriately, stored securely
Permission Boundaries
HighMCP servers run with minimal required privileges, no unnecessary system access
Server Isolation Policies
HighData flow between MCP servers requires explicit authorization
Shared Context Contamination
HighMultiple servers can't poison each other's tool contexts
Combined Capability Mapping
HighGit + Browser, Filesystem + Network combinations assessed for compound risks
Package Version Pinning
HighDependencies locked to specific versions, checksums verified
Typosquatting Prevention
HighPackage names validated against known-good registries
Internal Registry Usage
HighCurated package sources preferred over public npm/pip repositories
Context Window Pollution
MediumLarge tool outputs don't overwhelm LLM attention mechanisms
Instruction Segregation
MediumClear boundaries between system prompts and tool-generated content
Context Injection Limits
MediumMaximum response sizes enforced to prevent context stuffing attacks
SSRF Prevention
MediumURL validation on web requests, no internal network access
Webhook Security
MediumIncoming webhooks authenticated and validated against tampering
Third-Party API Limits
MediumRate limiting and validation on external service calls
Audit Logging
MediumAll tool invocations logged with parameters and outcomes for forensics
Need an MCP Security Audit?
Zealynx pioneered MCP security assessments. We've analyzed the attack surfaces, breach patterns, and defense strategies that make the difference.