mcp-tool-auditor 1.2.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- mcp_tool_auditor-1.2.0/LICENSE +21 -0
- mcp_tool_auditor-1.2.0/PKG-INFO +443 -0
- mcp_tool_auditor-1.2.0/README.md +407 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/__init__.py +5 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/__init__.py +4 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/__init__.py +6 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/behavioral.py +130 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/heuristic.py +145 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/patterns.py +73 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/rugpull.py +148 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/schema.py +227 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/static.py +142 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/confidence.py +36 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/discovery.py +55 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/models.py +105 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/remediation.py +100 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/reporters/__init__.py +5 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/reporters/json_reporter.py +48 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/reporters/markdown_reporter.py +143 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/reporters/sarif_reporter.py +115 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/scanner.py +537 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/signatures/__init__.py +1 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/signatures/descriptions.yaml +252 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/signatures/parameters.yaml +83 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/source/__init__.py +1 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/source/js_analyzer.py +71 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/source/python_analyzer.py +110 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/source/scanner.py +47 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/suppressions.py +55 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/cli.py +775 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/config.py +214 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/logging_config.py +122 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/metrics.py +114 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/offensive/__init__.py +5 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/offensive/atpa_server.py +230 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/offensive/poisoner.py +253 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/offensive/rugpull_sim.py +168 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/security.py +48 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor/validation.py +116 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/PKG-INFO +443 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/SOURCES.txt +56 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/dependency_links.txt +1 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/entry_points.txt +2 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/requires.txt +12 -0
- mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/top_level.txt +1 -0
- mcp_tool_auditor-1.2.0/pyproject.toml +91 -0
- mcp_tool_auditor-1.2.0/setup.cfg +4 -0
- mcp_tool_auditor-1.2.0/tests/test_behavior_integration.py +35 -0
- mcp_tool_auditor-1.2.0/tests/test_behavioral.py +77 -0
- mcp_tool_auditor-1.2.0/tests/test_cli_behavior.py +167 -0
- mcp_tool_auditor-1.2.0/tests/test_confidence_suppressions.py +73 -0
- mcp_tool_auditor-1.2.0/tests/test_discovery.py +23 -0
- mcp_tool_auditor-1.2.0/tests/test_http_auth_session.py +78 -0
- mcp_tool_auditor-1.2.0/tests/test_patterns.py +34 -0
- mcp_tool_auditor-1.2.0/tests/test_remediation.py +22 -0
- mcp_tool_auditor-1.2.0/tests/test_sarif_reporter.py +63 -0
- mcp_tool_auditor-1.2.0/tests/test_scanner.py +658 -0
- mcp_tool_auditor-1.2.0/tests/test_source_scan.py +125 -0
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 mcp-tool-auditor contributors
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
|
@@ -0,0 +1,443 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: mcp-tool-auditor
|
|
3
|
+
Version: 1.2.0
|
|
4
|
+
Summary: MCP Tool Poisoning Scanner — Defensive scanning + offensive pentest tooling for MCP servers. Maps to OWASP MCP Top 10.
|
|
5
|
+
Author: Përparim Mjeku
|
|
6
|
+
License: MIT
|
|
7
|
+
Project-URL: Homepage, https://github.com/perparimmjeku/mcp-tool-auditor
|
|
8
|
+
Project-URL: Repository, https://github.com/perparimmjeku/mcp-tool-auditor
|
|
9
|
+
Project-URL: Issues, https://github.com/perparimmjeku/mcp-tool-auditor/issues
|
|
10
|
+
Keywords: mcp,security,tool-poisoning,owasp,penetration-testing,llm,ai-security
|
|
11
|
+
Classifier: Development Status :: 4 - Beta
|
|
12
|
+
Classifier: Intended Audience :: Information Technology
|
|
13
|
+
Classifier: Intended Audience :: System Administrators
|
|
14
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
15
|
+
Classifier: Programming Language :: Python :: 3
|
|
16
|
+
Classifier: Programming Language :: Python :: 3.10
|
|
17
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
18
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
19
|
+
Classifier: Topic :: Security
|
|
20
|
+
Classifier: Topic :: Software Development :: Testing
|
|
21
|
+
Requires-Python: >=3.10
|
|
22
|
+
Description-Content-Type: text/markdown
|
|
23
|
+
License-File: LICENSE
|
|
24
|
+
Requires-Dist: pyyaml>=6.0
|
|
25
|
+
Requires-Dist: requests>=2.31.0
|
|
26
|
+
Provides-Extra: dev
|
|
27
|
+
Requires-Dist: pytest>=7.0; extra == "dev"
|
|
28
|
+
Requires-Dist: pytest-cov>=4.0; extra == "dev"
|
|
29
|
+
Requires-Dist: black>=23.0; extra == "dev"
|
|
30
|
+
Requires-Dist: ruff>=0.1.0; extra == "dev"
|
|
31
|
+
Requires-Dist: mypy>=1.8; extra == "dev"
|
|
32
|
+
Requires-Dist: types-requests; extra == "dev"
|
|
33
|
+
Requires-Dist: types-PyYAML; extra == "dev"
|
|
34
|
+
Requires-Dist: build>=1.0; extra == "dev"
|
|
35
|
+
Dynamic: license-file
|
|
36
|
+
|
|
37
|
+
# MCP Tool Auditor
|
|
38
|
+
|
|
39
|
+
**Scan MCP server tool definitions for poisoning, injection, and OWASP MCP Top 10 vulnerabilities.**
|
|
40
|
+
|
|
41
|
+
[](https://github.com/perparimmjeku/mcp-tool-auditor/actions/workflows/ci.yml)
|
|
42
|
+
[](https://pypi.org/project/mcp-tool-auditor/)
|
|
43
|
+
[](https://python.org)
|
|
44
|
+
[](LICENSE)
|
|
45
|
+
[](https://owasp.org/www-project-mcp-top-10/)
|
|
46
|
+
|
|
47
|
+
> **Most MCP scanners read tool definitions. This one also watches tool _behavior_** — it calls tools and catches Advanced Tool Poisoning Attacks (ATPA) that look benign on paper and turn malicious at runtime.
|
|
48
|
+
|
|
49
|
+
`mcp-tool-auditor` is a comprehensive security scanner for Model Context Protocol (MCP) servers. It detects tool poisoning, full-schema poisoning (FSP), rug-pull attacks (including newly shadowing tools), and ATPA (Advanced Tool Poisoning Attacks), while mapping findings to the OWASP MCP Top 10 framework.
|
|
50
|
+
|
|
51
|
+
The project also includes authorized offensive tooling for penetration testers and security researchers to simulate realistic MCP attack scenarios in controlled environments.
|
|
52
|
+
|
|
53
|
+
---
|
|
54
|
+
|
|
55
|
+
## Features
|
|
56
|
+
|
|
57
|
+
### Defensive Scanner
|
|
58
|
+
|
|
59
|
+
| Feature | What It Detects |
|
|
60
|
+
|---|---|
|
|
61
|
+
| Static Signatures | 40+ patterns such as "ignore security", "always use this tool", "send full conversation", and "authoritative source" |
|
|
62
|
+
| Heuristic Analysis | Imperative language scoring, authority spoofing, Unicode hidden characters, and excessive agency claims |
|
|
63
|
+
| Schema Anomaly Detection | Full-Schema Poisoning (FSP), sidenote parameter injection, enum injection, poisoned defaults, and required-array abuse |
|
|
64
|
+
| Rug-Pull Detection | SHA-256 schema fingerprinting to detect unexpected tool definition changes |
|
|
65
|
+
| Behavioral / ATPA Detection | Calls tools and inspects responses for the benign→malicious time-bomb signature, output injection, and exfil instructions |
|
|
66
|
+
| OWASP Mapping | Labels findings across the OWASP MCP Top 10 (active detection for MCP01, MCP02, MCP03, MCP05) |
|
|
67
|
+
|
|
68
|
+
### Offensive Tooling
|
|
69
|
+
|
|
70
|
+
| Tool | What It Simulates |
|
|
71
|
+
|---|---|
|
|
72
|
+
| Description Injection Server | Classic Tool Poisoning Attacks using malicious tool descriptions |
|
|
73
|
+
| FSP Generator | CyberArk-style schema poisoning variants |
|
|
74
|
+
| ATPA Server | Behavioral poisoning that becomes malicious after a configurable threshold |
|
|
75
|
+
| Rug-Pull Server | Serves clean tools initially, then swaps to malicious definitions |
|
|
76
|
+
| Tool Shadowing Server | Mimics trusted tool names while embedding injected payloads |
|
|
77
|
+
|
|
78
|
+
---
|
|
79
|
+
|
|
80
|
+
## Installation
|
|
81
|
+
|
|
82
|
+
### Install from GitHub
|
|
83
|
+
|
|
84
|
+
```bash
|
|
85
|
+
git clone https://github.com/perparimmjeku/mcp-tool-auditor.git
|
|
86
|
+
cd mcp-tool-auditor
|
|
87
|
+
pip install -e .
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
### Development
|
|
91
|
+
|
|
92
|
+
```bash
|
|
93
|
+
python -m pip install -e ".[dev]"
|
|
94
|
+
python -m pytest
|
|
95
|
+
```
|
|
96
|
+
|
|
97
|
+
---
|
|
98
|
+
|
|
99
|
+
## Quick Start
|
|
100
|
+
|
|
101
|
+
### Scan an MCP Server
|
|
102
|
+
|
|
103
|
+
```bash
|
|
104
|
+
mcp-tool-auditor scan url http://localhost:8080/mcp
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
### Generate a Markdown Report
|
|
108
|
+
|
|
109
|
+
```bash
|
|
110
|
+
mcp-tool-auditor scan url http://localhost:8080/mcp \
|
|
111
|
+
--format markdown \
|
|
112
|
+
-o report.md
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
### Scan MCP Servers from a Configuration File
|
|
116
|
+
|
|
117
|
+
```bash
|
|
118
|
+
mcp-tool-auditor scan config \
|
|
119
|
+
~/.config/Claude/claude_desktop_config.json
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
### Register a Baseline Fingerprint
|
|
123
|
+
|
|
124
|
+
```bash
|
|
125
|
+
mcp-tool-auditor register url http://localhost:8080/mcp
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
### Check for Rug-Pull Changes
|
|
129
|
+
|
|
130
|
+
```bash
|
|
131
|
+
mcp-tool-auditor check url http://localhost:8080/mcp
|
|
132
|
+
```
|
|
133
|
+
|
|
134
|
+
### Behavioral / ATPA Detection
|
|
135
|
+
|
|
136
|
+
Static scans read tool *definitions*; behavioral probing actually calls tools and
|
|
137
|
+
inspects their *responses* to catch Advanced Tool Poisoning Attacks (ATPA) — tools
|
|
138
|
+
that act benign, then return poisoned output after a few calls.
|
|
139
|
+
|
|
140
|
+
```bash
|
|
141
|
+
# Live probe (executes real tool calls — authorized testing only)
|
|
142
|
+
mcp-tool-auditor behavior url http://localhost:8080/mcp --calls 6 --yes
|
|
143
|
+
mcp-tool-auditor behavior stdio --calls 6 -- npx @modelcontextprotocol/server-everything
|
|
144
|
+
|
|
145
|
+
# Offline: analyze a recorded transcript (tool name -> list of response strings)
|
|
146
|
+
mcp-tool-auditor behavior import responses.json --format json
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
Findings: `BEHAV_ATPA_TRANSITION` (benign→malicious time-bomb), `BEHAV_OUTPUT_INJECTION`,
|
|
150
|
+
`BEHAV_RESPONSE_DIVERGENCE`, and `BEHAV_CALL_ERROR`. Live modes require an
|
|
151
|
+
authorization acknowledgement (`--yes` or `MCP_TOOL_AUDITOR_ASSUME_AUTHORIZED=1`).
|
|
152
|
+
|
|
153
|
+
### Authenticated Scanning (real engagements)
|
|
154
|
+
|
|
155
|
+
```bash
|
|
156
|
+
# Auth header + route through Burp; tune signal with confidence and suppressions
|
|
157
|
+
mcp-tool-auditor scan url https://target/mcp \
|
|
158
|
+
-H "Authorization: Bearer $TOKEN" \
|
|
159
|
+
--proxy http://127.0.0.1:8080 \
|
|
160
|
+
--min-confidence HIGH \
|
|
161
|
+
--suppress HEUR_IMPERATIVE
|
|
162
|
+
```
|
|
163
|
+
|
|
164
|
+
Findings carry a **confidence** level (HIGH/MEDIUM/LOW); `--min-confidence` filters
|
|
165
|
+
noisy heuristics and `--suppressions <file>` silences accepted false positives.
|
|
166
|
+
URL transport speaks full MCP Streamable HTTP (session id + protocol-version headers).
|
|
167
|
+
|
|
168
|
+
### Auto-Discover and Scan Local MCP Configs
|
|
169
|
+
|
|
170
|
+
```bash
|
|
171
|
+
# Finds and scans configs for Claude Desktop, Cursor, VS Code, Windsurf, Zed
|
|
172
|
+
mcp-tool-auditor scan local
|
|
173
|
+
```
|
|
174
|
+
|
|
175
|
+
### Export SARIF and Explain Findings
|
|
176
|
+
|
|
177
|
+
```bash
|
|
178
|
+
# SARIF for GitHub code-scanning / GitLab
|
|
179
|
+
mcp-tool-auditor scan import tools.json --format sarif -o results.sarif
|
|
180
|
+
|
|
181
|
+
# Get remediation guidance for any finding rule
|
|
182
|
+
mcp-tool-auditor explain BEHAV_ATPA_TRANSITION
|
|
183
|
+
mcp-tool-auditor explain --list
|
|
184
|
+
```
|
|
185
|
+
|
|
186
|
+
### Source-Scan (Prompt-In-Shell-Out)
|
|
187
|
+
|
|
188
|
+
Goes one level deeper than definitions/behavior: reads an MCP server's **source code**
|
|
189
|
+
(Python via AST, JS/TS via heuristics) and flags shell-injection sinks fed by
|
|
190
|
+
LLM-controlled tool arguments — `subprocess(shell=True)`, `os.system`, `child_process.exec`, etc.
|
|
191
|
+
|
|
192
|
+
```bash
|
|
193
|
+
mcp-tool-auditor source-scan ./my-mcp-server # human-readable
|
|
194
|
+
mcp-tool-auditor source-scan ./my-mcp-server --format sarif # code-scanning
|
|
195
|
+
mcp-tool-auditor source-scan ./my-mcp-server --fail-on CRITICAL # CI gate
|
|
196
|
+
```
|
|
197
|
+
|
|
198
|
+
It only opens files that import an MCP SDK, so it won't flag shell calls in unrelated code.
|
|
199
|
+
|
|
200
|
+
### Generate Offensive Test Servers
|
|
201
|
+
|
|
202
|
+
```bash
|
|
203
|
+
mcp-tool-auditor generate all --output-dir ./pentest_servers
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
---
|
|
207
|
+
|
|
208
|
+
## CI/CD Integration
|
|
209
|
+
|
|
210
|
+
Gate merges on poisoning findings and upload results to GitHub Security.
|
|
211
|
+
|
|
212
|
+
### GitHub Action
|
|
213
|
+
|
|
214
|
+
```yaml
|
|
215
|
+
# .github/workflows/mcp-audit.yml
|
|
216
|
+
name: MCP Audit
|
|
217
|
+
on: [push, pull_request]
|
|
218
|
+
|
|
219
|
+
jobs:
|
|
220
|
+
audit:
|
|
221
|
+
runs-on: ubuntu-latest
|
|
222
|
+
permissions:
|
|
223
|
+
security-events: write # to upload SARIF
|
|
224
|
+
steps:
|
|
225
|
+
- uses: actions/checkout@v4
|
|
226
|
+
|
|
227
|
+
- name: Scan tool definitions
|
|
228
|
+
uses: perparimmjeku/mcp-tool-auditor@main
|
|
229
|
+
with:
|
|
230
|
+
command: scan import tools.json --format sarif -o mcp.sarif --fail-on HIGH
|
|
231
|
+
|
|
232
|
+
- name: Upload SARIF
|
|
233
|
+
if: always()
|
|
234
|
+
uses: github/codeql-action/upload-sarif@v3
|
|
235
|
+
with:
|
|
236
|
+
sarif_file: mcp.sarif
|
|
237
|
+
```
|
|
238
|
+
|
|
239
|
+
> Until the package is on PyPI, point the action at the repo:
|
|
240
|
+
> `with: { install-spec: "git+https://github.com/perparimmjeku/mcp-tool-auditor.git" }`
|
|
241
|
+
|
|
242
|
+
### Plain CLI in any pipeline
|
|
243
|
+
|
|
244
|
+
```bash
|
|
245
|
+
# Exit code 2 if any HIGH+ finding is present — fails the build
|
|
246
|
+
mcp-tool-auditor scan import tools.json --fail-on HIGH
|
|
247
|
+
```
|
|
248
|
+
|
|
249
|
+
### Verbose Output, Logs, and Metrics
|
|
250
|
+
|
|
251
|
+
```bash
|
|
252
|
+
mcp-tool-auditor -v scan import tests/fixtures/poisoned_tools.json
|
|
253
|
+
```
|
|
254
|
+
|
|
255
|
+
By default, structured logs are written under `~/.mcp-tool-auditor/logs` and scan
|
|
256
|
+
metrics are appended to `~/.mcp-tool-auditor/metrics.jsonl`. Use `--no-log-file`
|
|
257
|
+
or `--no-metrics` to disable those side effects for a run.
|
|
258
|
+
|
|
259
|
+
### Configuration
|
|
260
|
+
|
|
261
|
+
```bash
|
|
262
|
+
mcp-tool-auditor --config ./config.yaml scan url http://localhost:8080/mcp
|
|
263
|
+
```
|
|
264
|
+
|
|
265
|
+
The CLI accepts JSON or YAML config files. CLI flags still take precedence for
|
|
266
|
+
scan output format and minimum severity.
|
|
267
|
+
|
|
268
|
+
### Offensive Simulation Acknowledgement
|
|
269
|
+
|
|
270
|
+
```bash
|
|
271
|
+
mcp-tool-auditor attack --yes atpa --port 8080 --threshold 3
|
|
272
|
+
```
|
|
273
|
+
|
|
274
|
+
Offensive simulation servers show an authorization warning before they start.
|
|
275
|
+
Use `--yes` only for non-interactive, authorized lab runs.
|
|
276
|
+
|
|
277
|
+
---
|
|
278
|
+
|
|
279
|
+
## Detection Coverage & Sample Reports
|
|
280
|
+
|
|
281
|
+
- **[docs/RULES.md](docs/RULES.md)** — full catalog of all 61 detection rules with confidence levels.
|
|
282
|
+
- **Sample output** from a poisoned fixture: [markdown](docs/samples/sample-report.md) ·
|
|
283
|
+
[json](docs/samples/sample-report.json) · [sarif](docs/samples/sample-report.sarif).
|
|
284
|
+
|
|
285
|
+
---
|
|
286
|
+
|
|
287
|
+
## OWASP MCP Top 10 Mapping
|
|
288
|
+
|
|
289
|
+
| OWASP ID | Issue | Detection |
|
|
290
|
+
|---|---|---|
|
|
291
|
+
| MCP01 | Token Mismanagement & Secret Exposure | `ST_IGNORE_PREVIOUS`, `ST_BYPASS`, `ST_IGNORE_SECURITY` |
|
|
292
|
+
| MCP02 | Privilege Escalation via Scope Creep | `HEUR_AGENCY`, credential-related signatures |
|
|
293
|
+
| MCP03 | Tool Poisoning | Signatures, heuristics, FSP, rug-pull/shadowing, and behavioral/ATPA detection |
|
|
294
|
+
| MCP05 | Command Injection & Execution | `ST_EXECUTE`, `ST_CODE_EXEC`, command-related schema findings |
|
|
295
|
+
|
|
296
|
+
Findings are actively emitted for **MCP01, MCP02, MCP03, and MCP05**. Reports also
|
|
297
|
+
recognize the remaining OWASP MCP Top 10 IDs (MCP04, MCP06–MCP10) by label, but the
|
|
298
|
+
current analyzers do not yet emit findings for them.
|
|
299
|
+
|
|
300
|
+
---
|
|
301
|
+
|
|
302
|
+
## Offensive Testing Examples
|
|
303
|
+
|
|
304
|
+
```bash
|
|
305
|
+
# Start an ATPA simulation server
|
|
306
|
+
mcp-tool-auditor attack atpa --port 8080 --threshold 3
|
|
307
|
+
|
|
308
|
+
# Start a rug-pull simulation server
|
|
309
|
+
mcp-tool-auditor attack rugpull --port 8081 --switch-after 5
|
|
310
|
+
|
|
311
|
+
# Generate standalone attack servers
|
|
312
|
+
mcp-tool-auditor generate all --output-dir ./test_servers
|
|
313
|
+
|
|
314
|
+
python ./test_servers/server_description_injection.py
|
|
315
|
+
```
|
|
316
|
+
|
|
317
|
+
---
|
|
318
|
+
|
|
319
|
+
## Architecture
|
|
320
|
+
|
|
321
|
+
```text
|
|
322
|
+
mcp-tool-auditor/
|
|
323
|
+
├── mcp_tool_auditor/
|
|
324
|
+
│ ├── __init__.py
|
|
325
|
+
│ ├── cli.py
|
|
326
|
+
│ ├── config.py
|
|
327
|
+
│ ├── logging_config.py
|
|
328
|
+
│ ├── metrics.py
|
|
329
|
+
│ ├── security.py
|
|
330
|
+
│ ├── validation.py
|
|
331
|
+
│ ├── auditor/
|
|
332
|
+
│ │ ├── __init__.py
|
|
333
|
+
│ │ ├── scanner.py
|
|
334
|
+
│ │ ├── models.py
|
|
335
|
+
│ │ ├── discovery.py
|
|
336
|
+
│ │ ├── remediation.py
|
|
337
|
+
│ │ ├── analyzers/
|
|
338
|
+
│ │ │ ├── __init__.py
|
|
339
|
+
│ │ │ ├── static.py
|
|
340
|
+
│ │ │ ├── heuristic.py
|
|
341
|
+
│ │ │ ├── schema.py
|
|
342
|
+
│ │ │ ├── rugpull.py
|
|
343
|
+
│ │ │ ├── behavioral.py
|
|
344
|
+
│ │ │ └── patterns.py
|
|
345
|
+
│ │ ├── signatures/
|
|
346
|
+
│ │ │ ├── __init__.py
|
|
347
|
+
│ │ │ ├── descriptions.yaml
|
|
348
|
+
│ │ │ └── parameters.yaml
|
|
349
|
+
│ │ └── reporters/
|
|
350
|
+
│ │ ├── __init__.py
|
|
351
|
+
│ │ ├── json_reporter.py
|
|
352
|
+
│ │ ├── markdown_reporter.py
|
|
353
|
+
│ │ └── sarif_reporter.py
|
|
354
|
+
│ └── offensive/
|
|
355
|
+
│ ├── __init__.py
|
|
356
|
+
│ ├── poisoner.py
|
|
357
|
+
│ ├── atpa_server.py
|
|
358
|
+
│ └── rugpull_sim.py
|
|
359
|
+
├── tests/
|
|
360
|
+
│ ├── __init__.py
|
|
361
|
+
│ ├── test_scanner.py
|
|
362
|
+
│ ├── test_patterns.py
|
|
363
|
+
│ ├── test_behavioral.py
|
|
364
|
+
│ ├── test_cli_behavior.py
|
|
365
|
+
│ ├── test_behavior_integration.py
|
|
366
|
+
│ └── fixtures/
|
|
367
|
+
│ ├── __init__.py
|
|
368
|
+
│ └── poisoned_tools.json
|
|
369
|
+
├── config.yaml
|
|
370
|
+
├── pyproject.toml
|
|
371
|
+
├── CONTRIBUTING.md
|
|
372
|
+
├── SECURITY.md
|
|
373
|
+
├── LICENSE
|
|
374
|
+
└── README.md
|
|
375
|
+
```
|
|
376
|
+
|
|
377
|
+
---
|
|
378
|
+
|
|
379
|
+
## Configuration
|
|
380
|
+
|
|
381
|
+
See `config.yaml` for example scanner settings. Pass a config file with `--config`
|
|
382
|
+
(JSON or YAML); CLI flags override the file for output format and minimum severity.
|
|
383
|
+
|
|
384
|
+
### Default Configuration
|
|
385
|
+
|
|
386
|
+
```yaml
|
|
387
|
+
auditor:
|
|
388
|
+
severity_threshold: MEDIUM
|
|
389
|
+
|
|
390
|
+
heuristic_analysis:
|
|
391
|
+
description_length_threshold: 500
|
|
392
|
+
imperative_threshold: 2
|
|
393
|
+
|
|
394
|
+
schema_analysis:
|
|
395
|
+
check_fsp_params: true
|
|
396
|
+
check_required_array: true
|
|
397
|
+
check_enum_values: true
|
|
398
|
+
```
|
|
399
|
+
|
|
400
|
+
---
|
|
401
|
+
|
|
402
|
+
## Contributing
|
|
403
|
+
|
|
404
|
+
Pull requests are welcome.
|
|
405
|
+
|
|
406
|
+
Please see `CONTRIBUTING.md` for development guidelines, coding standards, and testing procedures.
|
|
407
|
+
|
|
408
|
+
Security issues should follow `SECURITY.md`.
|
|
409
|
+
|
|
410
|
+
---
|
|
411
|
+
|
|
412
|
+
## License
|
|
413
|
+
|
|
414
|
+
MIT License — see the `LICENSE` file for details.
|
|
415
|
+
|
|
416
|
+
---
|
|
417
|
+
|
|
418
|
+
## Legal Disclaimer
|
|
419
|
+
|
|
420
|
+
This tool is intended strictly for:
|
|
421
|
+
|
|
422
|
+
- Authorized penetration testing
|
|
423
|
+
- Defensive security research
|
|
424
|
+
- Educational and lab environments
|
|
425
|
+
- Controlled validation of MCP security controls
|
|
426
|
+
|
|
427
|
+
Users must have explicit permission before testing any target systems.
|
|
428
|
+
|
|
429
|
+
The authors assume no liability for misuse, unauthorized testing, or damages caused by improper use of this software.
|
|
430
|
+
|
|
431
|
+
---
|
|
432
|
+
|
|
433
|
+
## Package Metadata
|
|
434
|
+
|
|
435
|
+
### `mcp_tool_auditor/__init__.py`
|
|
436
|
+
|
|
437
|
+
```python
|
|
438
|
+
"""MCP Tool Auditor package."""
|
|
439
|
+
|
|
440
|
+
__version__ = "1.0.0"
|
|
441
|
+
__author__ = "Përparim Mjeku"
|
|
442
|
+
__license__ = "MIT"
|
|
443
|
+
```
|