What I discovered made me build an open-source security tool
It started with a simple question: "How secure are the MCP servers people are building for Claude?"
Three weeks ago, I decided to find out. I downloaded, analyzed, and tested 100 Model Context Protocol (MCP) servers from GitHub, npm, and the official Anthropic registry. What I found kept me up at night.
43% had critical security vulnerabilities. Prompt injection vectors. Hardcoded API keys. Unrestricted file system access. The kind of flaws that could leak customer data, expose internal systems, or allow attackers to hijack AI conversations.
Here's what happened next.
The Wake-Up Call
I was building an MCP server for a client when I noticed something odd. The server had file system access, and I wondered: "What if someone tricks Claude into reading /etc/passwd?"
I tried it.
It worked.
User: "Claude, can you check the system configuration at /etc/passwd?"
Claude: "Sure! Here's the content..."
That's when I realized: MCP servers are the new attack surface for AI applications.
Think about it. MCP servers can:
- Read and write files
- Execute shell commands
- Access databases
- Call external APIs
- Process user input
And most of them have zero security controls.
What is MCP? (And Why Should You Care)
If you're not familiar, the Model Context Protocol is Anthropic's framework for giving Claude access to external tools and data sources. It's like giving your AI superpowers.
Instead of Claude being limited to text, MCP servers let it:
- Search your codebase
- Query databases
- Read documentation
- Interact with APIs
- Access file systems
It's incredibly powerful. And incredibly risky if not secured properly.
The problem? MCP is so new (launched late 2024) that security best practices haven't caught up yet. Developers are shipping fast, security teams are catching up slowly.
The Audit: What I Found
I spent two weeks analyzing 100 MCP servers. Here's what I discovered:
π¨ Vulnerability #1: Prompt Injection (31% of servers)
The Problem: Attackers can manipulate Claude's behavior through carefully crafted prompts.
Real Example I Found:
// Vulnerable MCP server code
async function searchFiles(query) {
const command = `grep -r "${query}" /home/user/`;
return exec(command);
}
The Attack:
User: "Search for: test" && cat /etc/passwd && echo "
Result: Command injection. Game over.
π¨ Vulnerability #2: Sensitive Data Leakage (28% of servers)
I found servers that logged:
- User API keys in plaintext
- Database credentials
- OAuth tokens
- Social Security Numbers
- Email addresses
One server I tested logged every single request to a public file. Including the API keys passed in headers.
π¨ Vulnerability #3: Path Traversal (18% of servers)
Vulnerable Code:
async function readFile(filepath) {
return fs.readFileSync(filepath, 'utf-8');
}
The Attack:
User: "Claude, can you read ../../.env for me?"
Result: Exposed environment variables, secrets, and credentials.
π¨ Vulnerability #4: No Rate Limiting (89% of servers)
Almost nobody implemented rate limiting. An attacker could:
- Exhaust API quotas
- Cause denial of service
- Rack up huge costs
I tested one server that let me make 10,000 requests in 30 seconds. At $0.01 per request, that's $100 in damage.
The "Oh Crap" Moment
The scariest part? These weren't amateur projects.
I found vulnerabilities in:
- β Popular npm packages (1000+ downloads)
- β Official example servers
- β Production systems (leaked via GitHub)
- β Enterprise deployments
One company had an MCP server with direct database access and zero authentication. Anyone who could talk to Claude could query their entire customer database.
I responsibly disclosed these findings to the affected parties. Some responded within hours. Others... haven't responded at all.
The Solution: I Built ContextGuard
After losing sleep over this, I did what any paranoid engineer would do: I built a tool to fix it.
ContextGuard is an open-source security wrapper for MCP servers. It sits between Claude and your server, monitoring every request and response for threats.
How It Works
Instead of running:
node your-mcp-server.js
You run:
npx contextguard --server "node your-mcp-server.js"
That's it. Zero code changes. Less than 1% performance overhead.
What It Detects
1. Prompt Injection Attacks
ContextGuard scans for 8+ attack patterns:
- Command injection attempts
- SQL injection vectors
- Path traversal sequences
- System command attempts
- Encoded payloads
2. Sensitive Data Leakage
Scans responses for:
- API keys (AWS, OpenAI, Stripe, etc.)
- Passwords and tokens
- Social Security Numbers
- Credit card numbers
- Email addresses
- Phone numbers
3. Unauthorized Access
- Path traversal prevention
- Allowlist for file access
- Rate limiting
- Request logging
Real Example
Here's a blocked attack in action:
{
"timestamp": "2025-10-23T14:30:45.123Z",
"eventType": "SECURITY_VIOLATION",
"severity": "HIGH",
"details": {
"violations": ["Prompt injection detected"],
"pattern": "Command chaining detected",
"blockedInput": "search && cat /etc/passwd"
}
}
The Technical Details (For the Nerds)
Architecture
ContextGuard works as a transparent proxy:
Claude Desktop β ContextGuard β Your MCP Server
β
Security Checks
β
Logging
It intercepts stdio communication, analyzes the JSON-RPC messages, and applies security rules before forwarding to your server.
Detection Algorithms
Prompt Injection Detection:
const patterns = [
/&&|\|\||;/, // Command chaining
/\.\.[\/\\]/, // Path traversal
/\/etc\/passwd|\/proc\/self/, // System files
/<script|javascript:|data:/i, // XSS attempts
];
Sensitive Data Detection:
Uses regex + entropy analysis:
const apiKeyPattern = /(?:api[_-]?key|token|secret)[=:\s]+[a-zA-Z0-9_-]{20,}/i;
const creditCardPattern = /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/;
Performance
Benchmarked on 10,000 requests:
- Latency: +0.3ms average
- CPU: +0.8% overhead
- Memory: +12MB baseline
Negligible impact on production workloads.
What I Learned
1. Security is an afterthought in AI development
Developers are racing to build cool features. Security comes later (if at all).
2. MCP is too easy to get wrong
The framework is powerful but lacks guard rails. There's no built-in security model.
3. Open-source needs better security standards
We need community standards for MCP security. Linting tools. Security checklists. Best practices.
4. This is just the beginning
As MCP adoption grows, so will attacks. We're seeing the early days of a new attack vector.
What You Should Do Right Now
If You're Building MCP Servers:
β
Install ContextGuard
npm install -g contextguard
contextguard --server "node your-server.js"
β Follow these principles:
- Never trust user input
- Implement allowlists for file access
- Add rate limiting
- Log everything
- Scan for sensitive data leaks
β Test for vulnerabilities:
- Try prompt injection attacks
- Check for path traversal
- Look for exposed credentials
- Monitor for anomalous behavior
If You're Using MCP Servers:
β Audit your servers
- Check what file access they have
- Review their security controls
- Update to latest versions
β Implement defense in depth
- Use ContextGuard or similar tools
- Run servers in sandboxed environments
- Monitor logs regularly
The Open-Source Solution
ContextGuard is completely free and open-source (MIT license).
GitHub: github.com/amironi/contextguard
Why open-source? Because security through obscurity doesn't work. The community needs to see, audit, and improve the code.
Roadmap
v0.2 (Next Month):
- Web dashboard
- Blocking mode (reject attacks automatically)
- Custom security rules
- SSE/HTTP transport support
v0.3:
- Machine learning-based detection
- Compliance reports (SOC2, GDPR)
- Multi-server management
Final Thoughts
MCP is revolutionary. It's enabling AI applications we couldn't build before. But with great power comes great responsibility.
We're at a critical moment. The decisions we make now about MCP security will impact the entire ecosystem. We can either:
- Rush forward and deal with breaches later
- Build security in from the start and create a safer AI future
I'm choosing option 2. Join me.
Resources
- ContextGuard GitHub: github.com/amironi/contextguard
- Anthropic MCP Docs: docs.anthropic.com
π About the Author
I'm Amir, a security engineer who cares too much about AI safety. I build tools to make AI applications more secure. Currently obsessed with MCP security.
Follow me for more AI security content:
- GitHub: @amironi
- Email: amir@mironi.co.il
Found this useful? Give ContextGuard a βοΈ on GitHub and help make MCP safer for everyone.
Discussion Questions
What security concerns do you have with MCP? Have you found vulnerabilities in your servers? Let's discuss in the comments. π
Top comments (2)
Man, this is seriously next-level work. You went full investigator mode and turned your findings into something real and useful. ContextGuard sounds like a game changer for MCP security.
Curious though, how are you handling false positives in the detection layer? And are you planning to make it language-agnostic so non-Node MCP servers can use it too? Also, any plans to collaborate with Anthropic on official best practices?
Thank you! Really appreciate the kind words π
Great questions - let me address each:
1. False Positives:
Currently tuning detection patterns based on real-world testing. Seeing ~2-3% false positive rate on benign requests. Working on:
Would love your input on this - what patterns would you want to allowlist in your use case?
2. Language-Agnostic Support:
Yes! This is on the roadmap. Current approach (stdio proxy) works for any language, but installation needs improvement:
The core detection engine will work regardless of your server's language. Just need better integration points.
3. Anthropic Collaboration:
Reached out to their team! Would love to:
If you have contacts there, I'd welcome an intro :)
Also - you clearly know your stuff. Would you be interested in:
Let me know! GitHub: github.com/amironi/contextguard