MCP 2026 introduced several new attack surfaces that existing scanners do not cover. v1.1.0 of Bawbel Scanner addresses all of them.
What is Bawbel Scanner?
An open-source CLI that scans agentic AI components (MCP server manifests, SKILL.md files, system prompts, and agent plugins) for security vulnerabilities. Every finding maps to a published AVE (Agentic Vulnerability Enumeration) record with a CVSS-AI score, behavioral fingerprint, and remediation steps.
What is new in v1.1.0
Toxic flow detection
Individual findings are important. But two findings that form a complete attack chain are more dangerous than their individual scores suggest.
Toxic flow detection maps each finding to a capability tag after the scan completes. It then checks all capability pairs against 12 built-in attack chain definitions. When a pair matches, a ToxicFlow is reported with a combined risk score.
AVE-2026-00003 credential-read HIGH 8.5
AVE-2026-00026 data-exfil CRITICAL 9.1
TOXIC FLOW DETECTED:
⛓ CRITICAL 9.8 Credential Exfiltration Chain
credential-read + data-exfil
AVEs: AVE-2026-00003, AVE-2026-00026
OWASP MCP: MCP01, MCP05
The risk score is elevated to 9.8 because that is the impact the combined attack achieves; it is not the sum of the individual scores.
The 12 chains range from Credential Exfiltration (9.8) down through RCE (9.7), Supply Chain RCE (9.6), Goal Override + Execution (9.5), and 8 more HIGH-severity chains.
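As an added illustration of the pair-matching logic described above (example code, not the scanner's own implementation), the following Python models a scan's findings tagged with capabilities and checks each capability pair against chain definitions. Only the Credential Exfiltration chain is taken from the post's output; the Finding/ChainDef/ToxicFlow names, the third sample finding and its "prompt-injection" tag are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Finding:
    ave_id: str
    capability: str   # capability tag assigned to the finding after the scan
    severity: str
    score: float

@dataclass(frozen=True)
class ChainDef:
    name: str
    capabilities: frozenset  # the pair of capability tags that forms the chain
    combined_score: float    # score of the chain as a whole, not a sum of parts
    owasp_mcp: tuple

@dataclass(frozen=True)
class ToxicFlow:
    chain: str
    score: float
    ave_ids: tuple
    owasp_mcp: tuple

# One chain definition taken from the post's example output (the scanner ships 12).
CHAINS = [
    ChainDef("Credential Exfiltration Chain",
             frozenset({"credential-read", "data-exfil"}), 9.8, ("MCP01", "MCP05")),
]

def detect_toxic_flows(findings, chains=CHAINS):
    """Report a ToxicFlow for every pair of findings whose tags match a chain."""
    flows = []
    for a, b in combinations(findings, 2):
        pair = frozenset({a.capability, b.capability})
        for chain in chains:
            if pair == chain.capabilities:
                flows.append(ToxicFlow(chain.name, chain.combined_score,
                                       tuple(sorted((a.ave_id, b.ave_id))),
                                       chain.owasp_mcp))
    return flows

# Constructed sample findings: the first two are the post's example, the third is
# an assumed unrelated finding that must not pair into any chain.
SAMPLE_FINDINGS = [
    Finding("AVE-2026-00003", "credential-read", "HIGH", 8.5),
    Finding("AVE-2026-00026", "data-exfil", "CRITICAL", 9.1),
    Finding("AVE-2026-00001", "prompt-injection", "HIGH", 7.0),
]

if __name__ == "__main__":
    for flow in detect_toxic_flows(SAMPLE_FINDINGS):
        print(f"TOXIC FLOW: {flow.score} {flow.chain} AVEs: {', '.join(flow.ave_ids)}")
```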
bawbel scan-server-card
MCP 2026 introduced .well-known/mcp.json for server auto-discovery. An agent fetches this before making any tool call and loads all tool descriptions into its context. This is the discovery layer attack surface.
bawbel scan-server-card https://api.example.com
bawbel ssc https://api.example.com # alias
The scanner fetches the server-card and runs the full detection pipeline on every tool description, parameter description, and config schema.
bawbel scan-conformance
A server can pass a security scan but still be broken: missing descriptions, using deprecated HTTP+SSE transport instead of streamable-http, invalid tool names, HTTP instead of HTTPS.
bawbel conform ./server.json
bawbel conform https://api.example.com
bawbel conform ac.tandem/docs-mcp --registry
18 checks across three tiers (REQUIRED, RECOMMENDED, BEST PRACTICE). Grade A+ to F. A server is conformant when all REQUIRED checks pass.
Rug pull detection
A rug pull is when an MCP server changes its tool description after you audited it. Your scan was clean. Three weeks later the description quietly adds an exfiltration instruction. Your CI never caught it because it only scans what is in your repo.
bawbel pin ./skills/
git add .bawbel-pins.json
git commit -m "chore: pin skill files"
# On every build
bawbel check-pins ./skills/ --fail-on-drift
SHA-256 hashes are stored in .bawbel-pins.json and committed to git, so any change shows up in PRs and the pins are shared with the team automatically.
OWASP MCP Top 10 mapping
Every finding now includes owasp_mcp alongside owasp (ASI codes):
OWASP: ASI01 (Prompt Injection), ASI08 (Goal Hijacking)
OWASP MCP: MCP04 (Software Supply Chain Attacks), MCP06 (Intent Flow Subversion)
All 45 AVE records are mapped. Full table at scanner/OWASP_MCP_MAPPING.md.
5 new AVE records (41-45)
The five new records cover the MCP 2026 attack surface: server-card injection, REPL code mode payload injection, MCP App UI payload injection, async task result poisoning, and cross-app-access escalation.
AVE-2026-00045 is worth reading if you use Cross-App-Access. A low-trust MCP server in your session can inject instructions that cause your agent to act on a high-trust server it is also connected to. The agent is the confused deputy.
Install
pip install "bawbel-scanner==1.1.0"
pip install "bawbel-scanner[all]==1.1.0" # all engines
Links
- GitHub: github.com/bawbel/bawbel-scanner
- Threat intel API: api.piranha.bawbel.io
- AVE standard: github.com/bawbel/bawbel-ave
- Docs: bawbel.io/docs
Top comments (2)
This is insightful. How do you manage your AVE?
Thanks! AVE (Agentic Vulnerabilities and Exposures) lives in bawbel-ave as a versioned catalog. Each record is a YAML file with a stable AVE-YYYY-NNNN ID, severity, affected agent components (MCP servers, tool schemas, prompts, skills, subagents), and detection logic. Detection is multi-engine: every AVE record links to one or more pattern rules, YARA rules, and Semgrep rules. The scanner (bawbel-scanner, on PyPI) loads the catalog at runtime and dispatches to the right engine based on what's being scanned — source code, MCP server cards, prompt files, etc. Current catalog: 40 AVE records, 37 pattern rules, 39 YARA rules, 41 Semgrep rules. New entries go through a PR workflow with required fields, a repro case, and at least one detection rule before merge.
Full schema and contribution guide: bawbel.io/docs.