mcp-riskmap 0.1.2__tar.gz

mcp_riskmap-0.1.2/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 mcp-riskmap contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

mcp_riskmap-0.1.2/PKG-INFO

@@ -0,0 +1,221 @@
+Metadata-Version: 2.4
+Name: mcp-riskmap
+Version: 0.1.2
+Summary: Local-first static auditor for risky MCP and agent-tool repository patterns.
+Author: mcp-riskmap contributors
+License: MIT License
+        
+        Copyright (c) 2026 mcp-riskmap contributors
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
+Project-URL: Homepage, https://github.com/vawkdh-job/mcp-riskmap
+Project-URL: Repository, https://github.com/vawkdh-job/mcp-riskmap
+Project-URL: Issues, https://github.com/vawkdh-job/mcp-riskmap/issues
+Project-URL: Changelog, https://github.com/vawkdh-job/mcp-riskmap/blob/main/CHANGELOG.md
+Keywords: mcp,security,agent,static-analysis,sarif,github-actions,code-scanning
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Dynamic: license-file
+
+# mcp-riskmap
+
+[![CI](https://github.com/vawkdh-job/mcp-riskmap/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/vawkdh-job/mcp-riskmap/actions/workflows/ci.yml)
+[![mcp-riskmap](https://github.com/vawkdh-job/mcp-riskmap/actions/workflows/mcp-riskmap.yml/badge.svg?branch=main)](https://github.com/vawkdh-job/mcp-riskmap/actions/workflows/mcp-riskmap.yml)
+[![Release](https://img.shields.io/github/v/release/vawkdh-job/mcp-riskmap)](https://github.com/vawkdh-job/mcp-riskmap/releases)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+
+`mcp-riskmap` is a local-first static auditor for MCP and agent-tool repositories. It looks for risky MCP configuration, shell-enabled tool handlers, prompt-injection-like tool descriptions, and missing maintainer guidance without starting untrusted MCP servers.
+
+This project is intentionally small and conservative. It is designed for maintainers who want a quick review signal in local development, pull requests, and GitHub Code Scanning.
+
+## Why this exists
+
+MCP servers often expose tools that can touch files, shells, networks, credentials, or local developer state. Reference servers and community examples are useful, but each maintainer still needs a threat model and basic safeguards before sharing configs or accepting tool changes.
+
+`mcp-riskmap` focuses on static signals that are cheap to review:
+
+- MCP config that starts through `cmd`, `powershell`, `bash`, or `sh`
+- Remote install pipelines such as `curl ... | sh` or `curl ... | iex`
+- Secret-like environment variables passed into MCP servers
+- Python `subprocess(..., shell=True)`, `os.system`, `eval`, and `exec`
+- JavaScript `child_process.exec` and `spawn(..., { shell: true })`
+- Tool text that looks like model-control prompt injection
+- Missing `AGENTS.md`, `SECURITY.md`, or `LICENSE`
+
+## Install
+
+From a checkout:
+
+```bash
+python -m pip install -e .
+```
+
+From GitHub:
+
+```bash
+python -m pip install "git+https://github.com/vawkdh-job/mcp-riskmap.git@v0.1.2"
+```
+
+For development without installing:
+
+```bash
+$env:PYTHONPATH = "src"
+python -m mcp_riskmap.cli scan examples/unsafe-mcp-server
+python -m mcp_riskmap.cli --version
+```
+
+## Usage
+
+```bash
+mcp-riskmap scan .
+mcp-riskmap scan . --format json
+mcp-riskmap scan . --format markdown --output report.md
+mcp-riskmap scan . --format sarif --output results.sarif --fail-on high
+mcp-riskmap scan . --exclude "examples/**" --exclude "tests/**"
+```
+
+`--fail-on high` returns exit code `1` when at least one finding is high or critical.
+
+Use `--exclude` for reviewed fixture directories, generated output, or intentionally unsafe examples that should not block CI.
+
+## Examples
+
+- `examples/unsafe-mcp-server/` contains intentionally risky MCP config and tool-handler patterns for scanner demonstrations.
+- `examples/safe-mcp-server/` contains a safer file-read pattern using a resolved base directory boundary check.
+
+## Example output
+
+```text
+SEVERITY  RULE                       LOCATION      MESSAGE
+--------  -------------------------  ------------  ------------------------------------------------
+CRITICAL  MCP-CONFIG-REMOTE-INSTALL  mcp.json:5    MCP server 'unsafe-demo' downloads and executes...
+HIGH      PY-SHELL-TRUE              server.py:6   A Python tool handler can pass input through a shell.
+HIGH      JS-CHILD-PROCESS-EXEC      server.js:4   A JavaScript tool handler can pass input through a shell.
+```
+
+## Output formats
+
+- `table`: compact terminal output
+- `json`: automation-friendly structured output
+- `markdown`: issue and release-note friendly report
+- `sarif`: GitHub Code Scanning compatible output
+
+Structured outputs redact secret-like evidence values before writing JSON or SARIF.
+
+## Reviewed suppressions
+
+If a maintainer reviews a finding and accepts the risk, add a narrow suppression on the same line or the previous line:
+
+```python
+# mcp-riskmap: ignore PY-SHELL-TRUE
+subprocess.run(command, shell=True)
+```
+
+Use rule-specific suppressions where possible. `mcp-riskmap: ignore` suppresses all rules on the next line and should be reserved for generated or documented fixture code.
+
+## GitHub Action
+
+This repository includes a composite GitHub Action:
+
+```yaml
+name: mcp-riskmap
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: vawkdh-job/mcp-riskmap@v0.1.2
+        with:
+          path: .
+          format: sarif
+          output: mcp-riskmap.sarif
+          fail-on: high
+          exclude: |
+            examples/**
+            tests/**
+      - uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: mcp-riskmap.sarif
+```
+
+## Safety stance
+
+`mcp-riskmap` does not execute MCP servers. It reads files and reports static findings. That means it will miss runtime-only behavior, but it is safer for quick review of unknown configs and pull requests.
+
+## Why static only?
+
+Some MCP scanners inspect live tool descriptions by starting configured servers. That can be useful, but it is risky when a reviewer is looking at an unknown repository or pull request. `mcp-riskmap` is meant to run earlier in the review flow: it reads files, flags obvious risk, and produces review artifacts without executing commands from the target project.
+
+## Compared with dynamic scanners
+
+`mcp-riskmap` is not a replacement for dynamic MCP inspection. It is a first-pass guardrail for maintainers who need quick review signals in CI and code review.
+
+| Area | mcp-riskmap | Dynamic scanners |
+| --- | --- | --- |
+| Starts scanned MCP servers | No | Often yes |
+| Safe for unknown PRs | Designed for this | Depends on sandboxing |
+| CI/SARIF friendly | Yes | Depends on tool |
+| Runtime behavior coverage | Limited | Better |
+| Static source/config review | Primary focus | Varies |
+
+## Current limitations
+
+- Rules are conservative regex/static checks, not full taint analysis.
+- The scanner does not inspect live MCP tool responses.
+- Secret detection is key-name based and does not do high-entropy scanning.
+- JavaScript and Python analyzers focus on common high-risk patterns first.
+
+## Roadmap
+
+- Add more MCP client config locations.
+- Detect unsafe filesystem writes and path traversal candidates.
+- Add rule severity profiles.
+- Add Semgrep-compatible pattern export.
+
+See [ROADMAP.md](ROADMAP.md) for issue-sized milestones.
+
+## OpenAI Codex for OSS fit
+
+This project is intended to be maintained as an open-source security and maintainer automation tool. It includes tests, CI, SARIF output, examples, security docs, contribution guidance, AGENTS.md, and tagged releases.
+
+Codex/API credits would be useful for reviewing rule changes, generating regression tests, triaging issues, improving documentation, and producing release notes. AI output should be reviewed by maintainers before merge.
+
+See [docs/codex-for-oss.md](docs/codex-for-oss.md) for application-specific maintainer workflow notes.

mcp_riskmap-0.1.2/README.md

@@ -0,0 +1,174 @@
+# mcp-riskmap
+
+[![CI](https://github.com/vawkdh-job/mcp-riskmap/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/vawkdh-job/mcp-riskmap/actions/workflows/ci.yml)
+[![mcp-riskmap](https://github.com/vawkdh-job/mcp-riskmap/actions/workflows/mcp-riskmap.yml/badge.svg?branch=main)](https://github.com/vawkdh-job/mcp-riskmap/actions/workflows/mcp-riskmap.yml)
+[![Release](https://img.shields.io/github/v/release/vawkdh-job/mcp-riskmap)](https://github.com/vawkdh-job/mcp-riskmap/releases)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+
+`mcp-riskmap` is a local-first static auditor for MCP and agent-tool repositories. It looks for risky MCP configuration, shell-enabled tool handlers, prompt-injection-like tool descriptions, and missing maintainer guidance without starting untrusted MCP servers.
+
+This project is intentionally small and conservative. It is designed for maintainers who want a quick review signal in local development, pull requests, and GitHub Code Scanning.
+
+## Why this exists
+
+MCP servers often expose tools that can touch files, shells, networks, credentials, or local developer state. Reference servers and community examples are useful, but each maintainer still needs a threat model and basic safeguards before sharing configs or accepting tool changes.
+
+`mcp-riskmap` focuses on static signals that are cheap to review:
+
+- MCP config that starts through `cmd`, `powershell`, `bash`, or `sh`
+- Remote install pipelines such as `curl ... | sh` or `curl ... | iex`
+- Secret-like environment variables passed into MCP servers
+- Python `subprocess(..., shell=True)`, `os.system`, `eval`, and `exec`
+- JavaScript `child_process.exec` and `spawn(..., { shell: true })`
+- Tool text that looks like model-control prompt injection
+- Missing `AGENTS.md`, `SECURITY.md`, or `LICENSE`
+
+## Install
+
+From a checkout:
+
+```bash
+python -m pip install -e .
+```
+
+From GitHub:
+
+```bash
+python -m pip install "git+https://github.com/vawkdh-job/mcp-riskmap.git@v0.1.2"
+```
+
+For development without installing:
+
+```bash
+$env:PYTHONPATH = "src"
+python -m mcp_riskmap.cli scan examples/unsafe-mcp-server
+python -m mcp_riskmap.cli --version
+```
+
+## Usage
+
+```bash
+mcp-riskmap scan .
+mcp-riskmap scan . --format json
+mcp-riskmap scan . --format markdown --output report.md
+mcp-riskmap scan . --format sarif --output results.sarif --fail-on high
+mcp-riskmap scan . --exclude "examples/**" --exclude "tests/**"
+```
+
+`--fail-on high` returns exit code `1` when at least one finding is high or critical.
+
+Use `--exclude` for reviewed fixture directories, generated output, or intentionally unsafe examples that should not block CI.
+
+## Examples
+
+- `examples/unsafe-mcp-server/` contains intentionally risky MCP config and tool-handler patterns for scanner demonstrations.
+- `examples/safe-mcp-server/` contains a safer file-read pattern using a resolved base directory boundary check.
+
+## Example output
+
+```text
+SEVERITY  RULE                       LOCATION      MESSAGE
+--------  -------------------------  ------------  ------------------------------------------------
+CRITICAL  MCP-CONFIG-REMOTE-INSTALL  mcp.json:5    MCP server 'unsafe-demo' downloads and executes...
+HIGH      PY-SHELL-TRUE              server.py:6   A Python tool handler can pass input through a shell.
+HIGH      JS-CHILD-PROCESS-EXEC      server.js:4   A JavaScript tool handler can pass input through a shell.
+```
+
+## Output formats
+
+- `table`: compact terminal output
+- `json`: automation-friendly structured output
+- `markdown`: issue and release-note friendly report
+- `sarif`: GitHub Code Scanning compatible output
+
+Structured outputs redact secret-like evidence values before writing JSON or SARIF.
+
+## Reviewed suppressions
+
+If a maintainer reviews a finding and accepts the risk, add a narrow suppression on the same line or the previous line:
+
+```python
+# mcp-riskmap: ignore PY-SHELL-TRUE
+subprocess.run(command, shell=True)
+```
+
+Use rule-specific suppressions where possible. `mcp-riskmap: ignore` suppresses all rules on the next line and should be reserved for generated or documented fixture code.
+
+## GitHub Action
+
+This repository includes a composite GitHub Action:
+
+```yaml
+name: mcp-riskmap
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: vawkdh-job/mcp-riskmap@v0.1.2
+        with:
+          path: .
+          format: sarif
+          output: mcp-riskmap.sarif
+          fail-on: high
+          exclude: |
+            examples/**
+            tests/**
+      - uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: mcp-riskmap.sarif
+```
+
+## Safety stance
+
+`mcp-riskmap` does not execute MCP servers. It reads files and reports static findings. That means it will miss runtime-only behavior, but it is safer for quick review of unknown configs and pull requests.
+
+## Why static only?
+
+Some MCP scanners inspect live tool descriptions by starting configured servers. That can be useful, but it is risky when a reviewer is looking at an unknown repository or pull request. `mcp-riskmap` is meant to run earlier in the review flow: it reads files, flags obvious risk, and produces review artifacts without executing commands from the target project.
+
+## Compared with dynamic scanners
+
+`mcp-riskmap` is not a replacement for dynamic MCP inspection. It is a first-pass guardrail for maintainers who need quick review signals in CI and code review.
+
+| Area | mcp-riskmap | Dynamic scanners |
+| --- | --- | --- |
+| Starts scanned MCP servers | No | Often yes |
+| Safe for unknown PRs | Designed for this | Depends on sandboxing |
+| CI/SARIF friendly | Yes | Depends on tool |
+| Runtime behavior coverage | Limited | Better |
+| Static source/config review | Primary focus | Varies |
+
+## Current limitations
+
+- Rules are conservative regex/static checks, not full taint analysis.
+- The scanner does not inspect live MCP tool responses.
+- Secret detection is key-name based and does not do high-entropy scanning.
+- JavaScript and Python analyzers focus on common high-risk patterns first.
+
+## Roadmap
+
+- Add more MCP client config locations.
+- Detect unsafe filesystem writes and path traversal candidates.
+- Add rule severity profiles.
+- Add Semgrep-compatible pattern export.
+
+See [ROADMAP.md](ROADMAP.md) for issue-sized milestones.
+
+## OpenAI Codex for OSS fit
+
+This project is intended to be maintained as an open-source security and maintainer automation tool. It includes tests, CI, SARIF output, examples, security docs, contribution guidance, AGENTS.md, and tagged releases.
+
+Codex/API credits would be useful for reviewing rule changes, generating regression tests, triaging issues, improving documentation, and producing release notes. AI output should be reviewed by maintainers before merge.
+
+See [docs/codex-for-oss.md](docs/codex-for-oss.md) for application-specific maintainer workflow notes.

mcp_riskmap-0.1.2/pyproject.toml

@@ -0,0 +1,39 @@
+[build-system]
+requires = ["setuptools>=69"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "mcp-riskmap"
+version = "0.1.2"
+description = "Local-first static auditor for risky MCP and agent-tool repository patterns."
+readme = "README.md"
+requires-python = ">=3.10"
+license = { file = "LICENSE" }
+authors = [
+  { name = "mcp-riskmap contributors" }
+]
+keywords = ["mcp", "security", "agent", "static-analysis", "sarif", "github-actions", "code-scanning"]
+classifiers = [
+  "Development Status :: 3 - Alpha",
+  "Environment :: Console",
+  "Intended Audience :: Developers",
+  "License :: OSI Approved :: MIT License",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Topic :: Security",
+  "Topic :: Software Development :: Quality Assurance",
+]
+
+[project.scripts]
+mcp-riskmap = "mcp_riskmap.cli:main"
+
+[project.urls]
+Homepage = "https://github.com/vawkdh-job/mcp-riskmap"
+Repository = "https://github.com/vawkdh-job/mcp-riskmap"
+Issues = "https://github.com/vawkdh-job/mcp-riskmap/issues"
+Changelog = "https://github.com/vawkdh-job/mcp-riskmap/blob/main/CHANGELOG.md"
+
+[tool.setuptools.packages.find]
+where = ["src"]

mcp_riskmap-0.1.2/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

mcp_riskmap-0.1.2/src/mcp_riskmap/__init__.py

@@ -0,0 +1,5 @@
+"""Static MCP and agent-tool repository risk scanner."""
+
+__all__ = ["__version__"]
+
+__version__ = "0.1.2"

mcp_riskmap-0.1.2/src/mcp_riskmap/analyzers/__init__.py

@@ -0,0 +1 @@
+"""File analyzers used by the scanner."""

mcp_riskmap-0.1.2/src/mcp_riskmap/analyzers/common.py

@@ -0,0 +1,35 @@
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+SUPPRESSION_RE = re.compile(r"mcp-riskmap:\s*ignore(?:\s+([A-Z0-9_, -]+))?", re.IGNORECASE)
+
+
+def relative_path(root: Path, path: Path) -> str:
+    try:
+        return path.relative_to(root).as_posix()
+    except ValueError:
+        return path.as_posix()
+
+
+def read_text(path: Path) -> str:
+    return path.read_text(encoding="utf-8", errors="ignore")
+
+
+def is_suppressed(lines: list[str], line_index: int, rule_id: str) -> bool:
+    comment_lines = [lines[line_index]]
+    if line_index > 0:
+        comment_lines.append(lines[line_index - 1])
+    return any(_suppresses_rule(line, rule_id) for line in comment_lines)
+
+
+def _suppresses_rule(line: str, rule_id: str) -> bool:
+    match = SUPPRESSION_RE.search(line)
+    if not match:
+        return False
+    raw_rules = match.group(1)
+    if not raw_rules:
+        return True
+    rules = {rule.strip().upper() for rule in re.split(r"[,\s]+", raw_rules) if rule.strip()}
+    return "ALL" in rules or rule_id.upper() in rules

mcp_riskmap-0.1.2/src/mcp_riskmap/analyzers/config.py

@@ -0,0 +1,124 @@
+from __future__ import annotations
+
+import json
+import re
+from pathlib import Path
+from typing import Any
+
+from mcp_riskmap.analyzers.common import relative_path, read_text
+from mcp_riskmap.models import Finding
+
+CONFIG_NAMES = {
+    "mcp.json",
+    "mcp.config.json",
+    "claude_desktop_config.json",
+    "settings.json",
+}
+
+SECRET_KEY_RE = re.compile(r"(api[_-]?key|token|secret|password|credential)", re.IGNORECASE)
+
+
+def is_candidate(path: Path) -> bool:
+    return path.name.lower() in CONFIG_NAMES or ".mcp" in path.name.lower()
+
+
+def analyze_config(root: Path, path: Path) -> list[Finding]:
+    text = read_text(path)
+    if "mcpServers" not in text and "mcp_servers" not in text:
+        return []
+
+    findings: list[Finding] = []
+    try:
+        data = json.loads(text)
+    except json.JSONDecodeError:
+        return findings
+
+    servers = _server_entries(data)
+    for server_name, server in servers:
+        command = str(server.get("command", ""))
+        args = [str(arg) for arg in server.get("args", [])]
+        command_line = " ".join([command, *args]).lower()
+        path_text = relative_path(root, path)
+
+        if _looks_like_shell_wrapper(command, args):
+            findings.append(
+                Finding(
+                    rule_id="MCP-CONFIG-SHELL",
+                    title="MCP server starts through a shell wrapper",
+                    severity="high",
+                    message=f"MCP server '{server_name}' starts through a shell-capable command.",
+                    path=path_text,
+                    line=_line_for(text, command),
+                    remediation="Pin the server executable directly and avoid cmd, powershell, bash, or sh wrappers for untrusted configs.",
+                    evidence=" ".join([command, *args])[:240],
+                )
+            )
+
+        if "curl " in command_line and ("| sh" in command_line or "| iex" in command_line):
+            findings.append(
+                Finding(
+                    rule_id="MCP-CONFIG-REMOTE-INSTALL",
+                    title="MCP config pipes remote content into an interpreter",
+                    severity="critical",
+                    message=f"MCP server '{server_name}' downloads and executes remote content.",
+                    path=path_text,
+                    line=_line_for(text, "curl"),
+                    remediation="Replace remote install pipelines with pinned packages, checksums, or reviewed local scripts.",
+                    evidence=" ".join([command, *args])[:240],
+                )
+            )
+
+        env = server.get("env")
+        if isinstance(env, dict):
+            secret_keys = sorted(key for key in env if SECRET_KEY_RE.search(str(key)))
+            if secret_keys:
+                findings.append(
+                    Finding(
+                        rule_id="MCP-CONFIG-SECRET-ENV",
+                        title="MCP config passes secret-like environment variables",
+                        severity="medium",
+                        message=f"MCP server '{server_name}' passes secret-like environment keys: {', '.join(secret_keys)}.",
+                        path=path_text,
+                        line=_line_for(text, secret_keys[0]),
+                        remediation="Pass only the minimum required environment variables and document why each secret is needed.",
+                        evidence=", ".join(secret_keys),
+                    )
+                )
+
+        if command.lower() == "npx" and any(arg == "-y" for arg in args):
+            findings.append(
+                Finding(
+                    rule_id="MCP-CONFIG-NPX-LATEST",
+                    title="MCP config allows non-interactive npx package execution",
+                    severity="medium",
+                    message=f"MCP server '{server_name}' runs npx with automatic yes.",
+                    path=path_text,
+                    line=_line_for(text, "npx"),
+                    remediation="Pin package versions and review the resolved package before using npx -y in shared configs.",
+                    evidence=" ".join([command, *args])[:240],
+                )
+            )
+
+    return findings
+
+
+def _server_entries(data: dict[str, Any]) -> list[tuple[str, dict[str, Any]]]:
+    servers = data.get("mcpServers") or data.get("mcp_servers") or {}
+    if not isinstance(servers, dict):
+        return []
+    return [(str(name), server) for name, server in servers.items() if isinstance(server, dict)]
+
+
+def _looks_like_shell_wrapper(command: str, args: list[str]) -> bool:
+    shell_commands = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "bash", "sh"}
+    if Path(command).name.lower() in shell_commands:
+        return True
+    shell_flags = {"/c", "-c", "-command", "/command"}
+    return any(arg.lower() in shell_flags for arg in args)
+
+
+def _line_for(text: str, needle: str) -> int:
+    for index, line in enumerate(text.splitlines(), start=1):
+        if needle and needle in line:
+            return index
+    return 1