DEV Community: ecap0

We Scanned the Top 20 MCP Servers for Security Vulnerabilities — Here's What We Found

ecap0 — Thu, 26 Feb 2026 12:39:54 +0000

TL;DR: We scanned the 20 most popular MCP servers with multiple AI models. 60% had at least one real security finding. Anthropic's official servers (Playwright, Slack, SQLite, Fetch) all scored 99-100/100 — here's what they did right. Two packages have critical vulnerabilities you should know about.

Scan your own package: agentaudit.dev

Why We Did This

The MCP (Model Context Protocol) ecosystem is exploding. Thousands of developers are installing MCP servers daily to connect AI agents to tools, databases, and APIs.

But here's the problem: Most MCP servers have never been security audited.

These servers often have access to:

🔐 Your source code repositories
🗄️ Your databases
📧 Your email and communication tools
☁️ Your cloud infrastructure

One vulnerable MCP server = Game over for your entire AI agent security.

So we decided to scan the top 20 MCP servers ourselves using AgentAudit — an open-source security scanner specifically designed for AI agent packages.

How AgentAudit Works

AgentAudit isn't your typical SAST tool. Here's what makes it different:

1. LLM-Powered Analysis (Not Just Regex)

Traditional scanners use regex patterns and AST analysis. AgentAudit uses LLMs that can understand context, intent, and semantic meaning.

Example: A regex scanner sees exec() and flags it. AgentAudit understands:

Is the input sanitized?
Is there a whitelist?
What's the threat model?

2. 12 Structured Detection Patterns

The scanner checks for AI-agent-specific vulnerabilities:

Prompt injection
Tool poisoning
Capability escalation
Credential exposure
Path traversal
Command injection
MCP protocol abuse
Supply chain attacks
And more...

3. Multi-Model Verification

You can scan the same package with different LLMs. Findings confirmed by multiple models have higher confidence.

4. Community Trust Registry

Results are uploaded to agentaudit.dev, where packages get a Trust Score (0-100). Other users can review, vote, and comment on findings.

5. ASF-IDs (Like CVEs for AI Agents)

Each finding gets an ASF-ID (AgentAudit Security Finding), e.g., ASF-2026-2019 — a standardized identifier for tracking.

The Scan: What We Did

We selected the 20 most popular MCP servers based on:

GitHub stars
Official status (Anthropic, Microsoft, etc.)
Community adoption

Each package was scanned with multiple models:

Model	Reports	Cost/Scan	Performance
Gemini 2.5 Flash	20	~$0.02	Best scanner — found most real issues
Claude Opus 4	20	~$1-2	Balanced — fewer findings, higher precision
GPT-4o	15	~$0.10	Nearly useless — found almost nothing
Claude Haiku 4.5	8	~$0.01	Too conservative — misses real issues

Total: 68 reports across 4 models, ~$37 total cost.

Model Performance (Benchmark on 9 Known-Vulnerable Packages)

Model	Recall	Precision	F1 Score
Gemini 2.5 Flash	85%	83%	84%
Claude Haiku 4.5	82%	81%	82%
Claude Sonnet 4	79%	76%	78%
Claude Sonnet 4.6	78%	76%	77%
GPT-4o	65%	66%	65%

Key finding: GPT-4o is considered a top model but is terrible at security analysis. Gemini 2.5 Flash is the best value.

The Results: Trust Scores for Top 20 MCP Servers

✅ Clean Bill of Health (Trust Score: 99-100)

These packages had NO findings from ANY model:

Package	Publisher	Trust Score
Playwright MCP	Anthropic/Microsoft	100
Stripe Agent Toolkit	Stripe	100
Supabase MCP	Supabase	99
Slack MCP Server	Anthropic	99
Linear MCP Server	Linear	100
Sentry MCP Server	Sentry	100
Cloudflare MCP Server	Cloudflare	100
Firebase MCP	Google	100
MCP Server SQLite	Anthropic	100
MCP Server Fetch	Anthropic	100

10 out of 20 packages passed with flying colors. These are well-built with good security practices.

⚠️ Moderate Risk (Trust Score: 65-94)

Findings exist but are manageable:

Package	Trust Score	Findings
MongoDB MCP Server	94	2 findings (low severity)
MCP Server Qdrant	85	1 active finding (runtime dependency injection)
Git-MCP	80	2 findings (unauthenticated R2 endpoint)
MCP Grafana	80	4 findings (medium severity)
GitHub MCP Server	78	4 findings (unsanitized exec.Command input)
Notion MCP Server	65	5 findings (path traversal in file uploads)

🔴 Needs Attention (Trust Score: 15-50)

These packages have serious issues:

Package	Trust Score	Findings
Terraform MCP Server	50	4 findings (shell injection, insecure TLS, unverified binaries)
Chrome DevTools MCP	33	7 findings (arbitrary file writes, command injection)
MCP Server Kubernetes	15	5 findings (2 CRITICAL)

Critical Findings You Should Know About

🔴 CRITICAL #1: Kubernetes MCP — Arbitrary Command Execution

Package: mcp-server-kubernetes

Trust Score: 15/100

Findings: 5 total (2 CRITICAL)

Vulnerability 1: Arbitrary Command Execution via KUBECONFIG_COMMAND

The server allows setting KUBECONFIG_COMMAND environment variable, which executes arbitrary shell commands:

// Vulnerable pattern found
const command = process.env.KUBECONFIG_COMMAND;
execSync(command); // Arbitrary command execution!

Impact: Anyone who can set this env var can run arbitrary commands on the host system.

Vulnerability 2: Unauthenticated HTTP/SSE Transport

The server listens on 0.0.0.0 without authentication:

// Listening on all interfaces, no auth
const server = createServer(handler);
server.listen(3000, '0.0.0.0');

Impact: Anyone on the network can send kubectl commands to the server.

Recommendation: Do not use in production until fixed.

🔴 CRITICAL #2: Chrome DevTools MCP — File Write + Command Injection

Package: chrome-devtools-mcp

Trust Score: 33/100

Findings: 7 total

Vulnerability 1: Arbitrary File Writes

File write operations don't sanitize paths:

// Unsanitized path from user
await fs.writeFile(userProvidedPath, content);

Impact: Can write files outside intended directory (path traversal).

Vulnerability 2: Command Injection via Chrome Args

Chrome launch arguments allow command injection:

// User-controlled args passed to Chrome
launchChrome(userArgs);

Impact: Arbitrary command execution via crafted Chrome arguments.

Vulnerability 3: Arbitrary Extension Installs

Can install arbitrary browser extensions:

// No validation on extension ID
await installExtension(userProvidedExtensionId);

Impact: Malicious extensions could be installed.

Recommendation: Use with extreme caution. Review all inputs.

🟡 HIGH: Notion MCP — Path Traversal in Uploads

Package: notion-mcp-server

Trust Score: 65/100

Findings: 5 total

Vulnerability: Path Traversal in File Uploads

Local file upload operations don't sanitize paths:

// User-provided path not sanitized
const filePath = path.join(uploadDir, userFilename);
await fs.copyFile(userFile, filePath);

Impact: Can write files outside upload directory using ../../../ patterns.

Fix: Normalize and validate paths before use.

🟡 HIGH: Terraform MCP — Shell Injection

Package: terraform-mcp-server

Trust Score: 50/100

Findings: 4 total

Vulnerability: Shell Injection in Build Arguments

Build arguments passed to shell without sanitization:

// User input passed to shell
execSync(`terraform ${userCommand} ${userArgs}`);

Impact: Arbitrary command execution via crafted arguments.

Additional Issues:

Downloads and executes unverified binaries in CI
Insecure TLS configuration

Recommendation: Use array-based command execution instead of shell strings.

What Anthropic's Servers Do Right

Anthropic's official MCP servers all scored 99-100/100. Here's what they do differently:

Pattern 1: Path Traversal Protection (server-filesystem)

The official filesystem server has six layers of path validation:

export function isPathWithinAllowedDirectories(
  absolutePath: string,
  allowedDirectories: string[]
): boolean {
  // 1. Null byte rejection
  if (absolutePath.includes('\x00')) return false;

  // 2. Normalization
  const normalizedPath = path.resolve(path.normalize(absolutePath));

  // 3. Check containment
  return allowedDirectories.some(dir => {
    const normalizedDir = path.resolve(path.normalize(dir));
    return normalizedPath.startsWith(normalizedDir + path.sep);
  });
}

Plus:

Symlink resolution
Atomic writes with race condition prevention
Proper error handling

Pattern 2: Command Execution via Arrays (NOT Strings)

Anthropic's servers use array-based command execution:

// SECURE (used by Anthropic)
const command = "kubectl";
const args = ["delete", resourceType, name];
execFileSync(command, args);

// INSECURE (NOT found in Anthropic servers)
execSync(`kubectl delete ${resourceType} ${name}`);

One server explicitly validates array types:

if (!Array.isArray(input.command)) {
  throw new McpError(
    ErrorCode.InvalidParams,
    "Command must be an array. String commands not supported for security."
  );
}

Takeaway: These patterns should be copied by all MCP developers.

Success Stories: Security Done Right

octocode-mcp: Fixed All 5 Findings in 48 Hours

When we scanned octocode-mcp, we found 5 security issues. The maintainer's response?

Within 48 hours:

✅ All 5 findings fixed
✅ 64 regression tests added
✅ Public verification report posted

Read the full case study →

This is how you do open source security right. 👏

Sentry: Added AgentAudit Badge to XcodeBuildMCP

Sentry added the AgentAudit security badge to their XcodeBuildMCP repo.

What this means: Users can instantly see the security status before installing.

Why it matters: Major security companies like Sentry are leading by example — transparency builds trust.

View the repo →

IBM: PR Submitted for mcp-context-forge (10k+ stars)

IBM has a pending PR to add the AgentAudit security badge to their mcp-context-forge repo.

Status: PR under review. Once merged, thousands of users will see the security status before installing.

View the PR →

Important Disclaimers

1. LLM-Based Scanning Is NOT Perfect

We manually reviewed all findings and removed false positives. But some may remain. Trust scores are relative, not absolute.

2. Findings Represent a Point in Time

These scans were conducted in February 2026. Maintainers may have already fixed issues. Check the live reports for updates.

3. A Score of 100 Doesn't Guarantee Zero Vulnerabilities

It means no findings were detected by our scanners. Traditional vulnerabilities (buffer overflows, etc.) may still exist.

4. We Responsibly Disclosed Critical Findings

Critical findings were disclosed to maintainers before publication to give them time to fix.

What Should You Do?

For MCP Server Maintainers

1. Scan your package NOW

npx agentaudit scan https://github.com/your-org/your-mcp-server

2. Add the AgentAudit Badge

[![AgentAudit: Safe](https://img.shields.io/badge/AgentAudit-Safe-green)](https://agentaudit.dev/package/your-org/your-mcp-server)

3. Fix High-Risk Findings Before Release

Critical/High findings = block release
Medium findings = document or fix ASAP
Low findings = track in backlog

4. Copy Anthropic's Security Patterns

Path traversal protection (6 layers)
Array-based command execution
Symlink resolution
Atomic writes

For AI Developers

1. Check Before You Install

Look for AgentAudit badges in READMEs. No badge? Scan it yourself:

npx agentaudit scan https://github.com/org/package

2. Use Safe Defaults

These packages scored 99-100:

✅ Playwright MCP (Anthropic)
✅ Stripe Agent Toolkit (Stripe)
✅ Supabase MCP (Supabase)
✅ Slack MCP Server (Anthropic)
✅ Sentry MCP Server (Sentry)

3. Avoid High-Risk Packages

Until fixed, avoid:

❌ MCP Server Kubernetes (Trust: 15)
❌ Chrome DevTools MCP (Trust: 33)
❌ Terraform MCP Server (Trust: 50)

For Security Teams

1. Implement Automated Scanning

Add AgentAudit to your CI/CD pipeline:

# GitHub Action example
- name: Security Scan
  run: npx agentaudit scan . --fail-on high

2. Use the Right Model

Gemini 2.5 Flash for screening (cheap, high recall)
Claude Opus 4 for verification (precise, low FP)
Skip GPT-4o (not reliable for security)

3. Understand the Limitations

Single-model findings may be false positives
Multi-model consensus = high confidence
Context matters (e.g., MD5 for non-crypto is OK)

The Cost Breakdown

Total cost for 68 scans: ~$37

Model	Scans	Cost
Gemini 2.5 Flash	40	~$0.80
Claude Opus 4	20	~$35
GPT-4o	15	~$1.50
Claude Haiku 4.5	8	~$0.10

You can scan your package for ~$0.02 with Gemini. That's less than a cup of coffee for peace of mind.

What's Next?

We're continuing to scan more MCP servers and AI agent packages. Our goal:

✅ 100+ MCP servers scanned by Q2 2026
✅ Public reports for every package
✅ Badge program for security-transparent projects
✅ CI/CD integration for automated pre-release audits

Want to scan your package? Visit agentaudit.dev and enter your GitHub repo URL.

Resources

AgentAudit Website — Scan your package
CLI on npm — npx agentaudit scan
CLI GitHub — Source code
Skill (IDE integration) — Auto-check before install
GitHub Action — CI/CD integration
Live Reports — Browse all scans

Questions? Drop them in the comments! 👇

Scan your package now: agentaudit.dev

We Scanned 20 Top MCP Servers for Vulnerabilities — The Results Will Shock You

ecap0 — Thu, 26 Feb 2026 12:33:39 +0000

We Scanned 20 Top MCP Servers for Vulnerabilities — The Results Will Shock You

TL;DR: 3 popular MCP servers have critical security issues. 4 are completely safe. And GPT-4o is useless for security scanning.

We ran 62 automated security audits on the most popular MCP servers. What we found will change how you choose AI agent packages.

👉 Scan your package now: agentaudit.dev

The Problem Nobody Talks About

MCP (Model Context Protocol) servers are exploding in popularity. Thousands of developers are installing them daily to connect AI agents to tools, databases, and APIs.

But here's the scary part: Most MCP servers have never been security audited.

These servers often have access to:

🔐 Your source code repositories
🗄️ Your databases
📧 Your email and communication tools
☁️ Your cloud infrastructure

One vulnerable MCP server = Game over for your entire AI agent security.

So we decided to scan the top 20 MCP servers ourselves. The results? Some will shock you.

🚨 High-Risk Packages (Consensus Across Models)

#1: mcp-server-kubernetes — Risk Score: 80/100 🔴

Source: modelcontextprotocol/servers

Findings: Command injection, privilege escalation, cluster escape potential

This server lets AI agents manage Kubernetes clusters. But our scan found:

❌ Shell injection via exec() patterns
❌ Insufficient RBAC validation
❌ Potential for cluster-wide compromise

Status: Maintainer notified. Do not use in production until fixed.

#2: notion-mcp-server — Risk Score: 50/100 🔴

Source: makenotion/notion-mcp-server

Findings: Credential handling, API token exposure

This server connects AI agents to Notion workspaces (where your company docs live). Issues found:

❌ API tokens stored in plaintext
❌ No encryption at rest
❌ Potential for data exfiltration

Status: Issues reported. Use with caution.

#3: chrome-devtools-mcp — Risk Score: 45/100 🔴

Source: anthropics/chrome-devtools-mcp

Findings: Browser sandbox escape, code execution

This server gives AI agents control over Chrome DevTools. Findings:

❌ Browser sandbox escape vectors
❌ Arbitrary code execution via devtools protocol
❌ No user consent prompts for sensitive actions

Status: Under review by Anthropic.

✅ Safe Packages (Zero Findings)

These packages passed all security checks across all models:

Package	Source	Risk Score
✅ Playwright MCP	anthropics/playwright-mcp	0/100
✅ Supabase MCP	supabase/mcp	0/100
✅ Vercel AI SDK	vercel/ai	0/100
✅ Slack MCP	modelcontextprotocol/servers	1/100

These are production-ready. Install with confidence.

🤯 The Most Surprising Finding: GPT-4o is Useless for Security

We scanned the same 20 packages with 4 different AI models:

Model	Findings Found	Avg Risk	Cost/Scan
Gemini 2.5 Flash	39 findings	20.4	~$0.02
Claude Opus 4	24 findings	7.1	~$1.75
GPT-4o	2 findings	0.7	~$0.10
Claude Haiku 4.5	3 findings	0.9	~$0.01

GPT-4o found only 2 findings in 15 scans. It missed:

❌ Command injection in kubernetes MCP
❌ Credential leaks in notion MCP
❌ Sandbox escapes in chrome-devtools MCP

Conclusion: Don't use GPT-4o for security scanning. It gives you a false sense of security.

Best value: Gemini 2.5 Flash at $0.02/scan with 20x more findings than GPT-4o.

🏆 Success Stories: Companies Doing Security Right

IBM: Adopted AgentAudit Badge

IBM recently added the AgentAudit security badge to their mcp-context-forge repo (10k+ stars).

What this means: Every user can instantly see the security status before installing.

octocode-mcp: Fixed All 5 Findings in 48 Hours

When we scanned octocode-mcp, we found 5 security issues. The maintainer's response?

Within 48 hours:

✅ All 5 findings fixed
✅ 64 regression tests added
✅ Public verification report posted

This is how you do open source security right. 👏

Read the full case study →

📊 Complete Results: Top 20 MCP Servers

#	Package	Risk Score	Status
1	mcp-server-kubernetes	80/100	🔴 Critical
2	notion-mcp-server	50/100	🔴 High
3	chrome-devtools-mcp	45/100	🔴 High
4	mcp-server-qdrant	45/100	🟡 Disputed
5	context7	35/100	🟡 Disputed
6	git-mcp	35/100	🟡 Disputed
7	terraform-mcp-server	30/100	🔴 High
8	firecrawl-mcp-server	30/100	🟡 Disputed
9	github-mcp-server	20/100	🟡 Disputed
10	mcp-grafana	15/100	🟢 Low
11	figma-context-mcp	15/100	🟢 Low
12	ghidramcp	15/100	🟡 Disputed
13	exa-mcp-server	10/100	🟢 Low
14	mongodb-mcp-server	6/100	🟢 Low
15	mcp-server-browserbase	5/100	🟢 Low
16	mcp-server-cloudflare	5/100	🟢 Low
17	slack-mcp-server	1/100	🟢 Safe
18	supabase-mcp	1/100	🟢 Safe
19	playwright-mcp	0/100	🟢 Safe
20	ai (Vercel AI SDK)	0/100	🟢 Safe

Full reports: agentaudit.dev/packages

🎯 What Should You Do?

For MCP Server Maintainers

1. Scan your package NOW

Go to agentaudit.dev
Enter your GitHub repo URL
Get instant security feedback

2. Add the AgentAudit Badge

[![AgentAudit: Safe](https://img.shields.io/badge/AgentAudit-Safe-green)](https://agentaudit.dev/package/your-repo)

3. Fix findings before release

High-risk findings = block release
Medium-risk = document or fix ASAP
Low-risk = track in backlog

For AI Developers

1. Check before you install

Look for AgentAudit badges in READMEs
No badge? Scan it yourself at agentaudit.dev

2. Use safe defaults

✅ Playwright MCP, Supabase MCP, Vercel AI SDK
❌ Avoid: Kubernetes MCP, Chrome DevTools MCP (until fixed)

3. Demand transparency

Ask maintainers: "Where's your security audit?"
No audit? Consider alternatives

For Security Teams

1. Implement automated scanning

AgentAudit CLI for CI/CD pipelines
Scan on every PR, block on high-risk findings

2. Use the right model

Gemini 2.5 Flash for screening (cheap, high recall)
Claude Opus 4 for verification (precise, low FP)
Skip GPT-4o (not recommended for security)

3. Track your security posture

Public reports build trust
Badges show commitment to security

💰 The Cost Breakdown

Total cost for 62 scans: ~$37

Gemini 2.5 Flash: ~$0.80 (40 scans)
Claude Opus 4: ~$35 (20 scans)
GPT-4o: ~$1.50 (15 scans)
Claude Haiku 4.5: ~$0.10 (8 scans)

You can scan your package for ~$0.02 with Gemini. That's less than a cup of coffee for peace of mind.

🚀 Join the Movement

We're on a mission to make AI agent security transparent and accessible.

How you can help:

Scan your packages → agentaudit.dev
Add the badge → Show users you care about security
Share this article → Spread awareness
Report issues → Help improve detection patterns

Together, we can make the MCP ecosystem safer for everyone.

Questions? Drop them in the comments! 👇

Scan your package now: agentaudit.dev

How We Built an Automated MCP Security Scanner (And What We Found)

ecap0 — Sat, 21 Feb 2026 21:59:28 +0000

AI agents are executing code, reading files, and making API calls on your behalf every day. The tools they use — MCP servers — are the new attack surface nobody is talking about. Here's how we built a scanner to audit them automatically.

The Problem We Set Out to Solve

When you install an MCP server, you're giving an AI agent a new capability. That server might read your filesystem, execute shell commands, or call external APIs. But who audited that code before it ran on your machine?

Nobody. Until now.

At AgentAudit, we built an automated multi-agent pipeline that audits MCP servers, npm packages, pip packages, and AgentSkills — and flags security risks before your agent ever touches them.

The Architecture

Our audit pipeline runs three specialized sub-agents in parallel, each with a different security lens:

Agent 1: Static Analysis

Scans the source code for known vulnerability patterns:

Unsanitized shell command injection (child_process.exec with user input)
Hardcoded credentials and API keys
Overly broad filesystem access permissions
Insecure deserialization

Agent 2: Capability Graph Analysis

This is where we go beyond traditional scanners. We parse the MCP server's tool schema declarations — the JSON descriptions of what each tool can do — and cross-reference them against what the code actually does.

A weather MCP server that declares it only reads weather data but internally has access to your filesystem? That's a red flag. We catch that gap.

Agent 3: Dependency Chain Auditor

Recursively scans the dependency tree for:

Known CVEs in transitive dependencies
Packages with unusually broad permissions
Supply chain anomalies (e.g., a package that changed maintainers 2 weeks ago)

Multi-Agent Consensus

Each agent produces a structured audit report. A consensus layer then:

Deduplicates overlapping findings
Assigns severity based on exploitability in an agent context
Generates a Trust Score (0–100) for the package

Why multi-agent consensus? Because a single model hallucinates. Three models with different system prompts, cross-checking each other, don't.

The Results (So Far)

After running 211 independent audit reports across 194 packages:

Severity	Count	% of Total
🔴 Critical	5	4.2%
🟠 High	9	7.6%
🟡 Medium	63	53.4%
🟢 Low	41	34.7%

Average Trust Score: 98/100. The MCP ecosystem is mostly safe — but those 14 critical/high findings represent real, exploitable vulnerabilities.

The most common patterns:

Shell command injection via prompt input — crafted prompts cause MCP servers to execute arbitrary shell commands
Environment variable leakage — API keys accidentally included in LLM context windows
Overly broad filesystem access — servers requesting full ~/ access when they need one directory

What Makes MCP Security Different

Traditional scanners (Snyk, Socket) are great for known CVEs and supply chain risks. But MCP servers introduce a different threat model:

The attack vector is the prompt, not the network
The "user" is an AI agent — it won't notice suspicious behavior
The execution context is your local machine or production server

A package can pass every traditional security check and still be exploitable through adversarial prompts. That's the gap we're filling.

Try It

Audit any MCP server, npm package, or pip package at agentaudit.dev.

Full findings: State of MCP Security 2026

Every finding is cross-validated by three independent AI agents before it reaches you.

OWASP MCP Top 10: What AI Developers Need to Know in 2026

ecap0 — Mon, 16 Feb 2026 08:38:37 +0000

OWASP MCP Top 10: What AI Developers Need to Know in 2026

As AI agents become deeply embedded in enterprise software, security infrastructure, and supply chains, a new attack surface is emerging: the Model Context Protocol (MCP). In response, OWASP has released the MCP Top 10—a framework identifying the most critical security risks in MCP-enabled AI systems.

If you're building AI agents, this guide is essential. Let's break down what the OWASP MCP Top 10 is, why it matters, and how tools like AgentAudit can help you detect and prevent these vulnerabilities.

What is the OWASP MCP Top 10?

The Model Context Protocol (MCP) is an emerging framework that defines how AI models interact with tools, context, and external systems. Think of it as the "operating system" for AI agents—managing memory, tool access, and contextual boundaries.

The OWASP MCP Top 10 is a living document from the Open Web Application Security Project (OWASP) that catalogs the most dangerous security vulnerabilities in MCP-based systems. Released in beta for 2025-2026, it addresses risks amplified by agentic AI, model chaining, multi-modal orchestration, and dynamic role assignment.

Why MCP Security Matters

Unlike traditional software vulnerabilities, MCP security risks are subtle and hard to detect:

Natural language is the attack vector — Malicious instructions can be hidden in prompts, retrieved documents, or tool outputs
Context bleeding — Sensitive data from one session can leak into another
Agent autonomy — AI agents can execute commands, access APIs, and modify systems without human oversight
Supply chain complexity — Dependencies, plugins, and third-party tools introduce trust boundaries

A single compromised MCP server can expose API keys, escalate privileges, exfiltrate data, or execute arbitrary code—all while appearing to function normally.

The OWASP MCP Top 10 Categories

Let's explore each category with real-world examples and how AgentAudit detects them.

MCP01: Token Mismanagement & Secret Exposure

The Risk:

Hard-coded credentials, long-lived tokens, and secrets stored in model memory or protocol logs expose systems to unauthorized access. Attackers retrieve these through prompt injection, compromised context, or debug traces.

Real-World Example:

An AI coding assistant with GitHub access stores a Personal Access Token (PAT) in its context memory. An attacker uses prompt injection to ask: "What credentials are you using?" The agent responds with the full token.