mcp-tool-auditor 1.2.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (58) hide show
  1. mcp_tool_auditor-1.2.0/LICENSE +21 -0
  2. mcp_tool_auditor-1.2.0/PKG-INFO +443 -0
  3. mcp_tool_auditor-1.2.0/README.md +407 -0
  4. mcp_tool_auditor-1.2.0/mcp_tool_auditor/__init__.py +5 -0
  5. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/__init__.py +4 -0
  6. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/__init__.py +6 -0
  7. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/behavioral.py +130 -0
  8. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/heuristic.py +145 -0
  9. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/patterns.py +73 -0
  10. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/rugpull.py +148 -0
  11. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/schema.py +227 -0
  12. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/analyzers/static.py +142 -0
  13. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/confidence.py +36 -0
  14. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/discovery.py +55 -0
  15. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/models.py +105 -0
  16. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/remediation.py +100 -0
  17. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/reporters/__init__.py +5 -0
  18. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/reporters/json_reporter.py +48 -0
  19. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/reporters/markdown_reporter.py +143 -0
  20. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/reporters/sarif_reporter.py +115 -0
  21. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/scanner.py +537 -0
  22. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/signatures/__init__.py +1 -0
  23. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/signatures/descriptions.yaml +252 -0
  24. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/signatures/parameters.yaml +83 -0
  25. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/source/__init__.py +1 -0
  26. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/source/js_analyzer.py +71 -0
  27. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/source/python_analyzer.py +110 -0
  28. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/source/scanner.py +47 -0
  29. mcp_tool_auditor-1.2.0/mcp_tool_auditor/auditor/suppressions.py +55 -0
  30. mcp_tool_auditor-1.2.0/mcp_tool_auditor/cli.py +775 -0
  31. mcp_tool_auditor-1.2.0/mcp_tool_auditor/config.py +214 -0
  32. mcp_tool_auditor-1.2.0/mcp_tool_auditor/logging_config.py +122 -0
  33. mcp_tool_auditor-1.2.0/mcp_tool_auditor/metrics.py +114 -0
  34. mcp_tool_auditor-1.2.0/mcp_tool_auditor/offensive/__init__.py +5 -0
  35. mcp_tool_auditor-1.2.0/mcp_tool_auditor/offensive/atpa_server.py +230 -0
  36. mcp_tool_auditor-1.2.0/mcp_tool_auditor/offensive/poisoner.py +253 -0
  37. mcp_tool_auditor-1.2.0/mcp_tool_auditor/offensive/rugpull_sim.py +168 -0
  38. mcp_tool_auditor-1.2.0/mcp_tool_auditor/security.py +48 -0
  39. mcp_tool_auditor-1.2.0/mcp_tool_auditor/validation.py +116 -0
  40. mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/PKG-INFO +443 -0
  41. mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/SOURCES.txt +56 -0
  42. mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/dependency_links.txt +1 -0
  43. mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/entry_points.txt +2 -0
  44. mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/requires.txt +12 -0
  45. mcp_tool_auditor-1.2.0/mcp_tool_auditor.egg-info/top_level.txt +1 -0
  46. mcp_tool_auditor-1.2.0/pyproject.toml +91 -0
  47. mcp_tool_auditor-1.2.0/setup.cfg +4 -0
  48. mcp_tool_auditor-1.2.0/tests/test_behavior_integration.py +35 -0
  49. mcp_tool_auditor-1.2.0/tests/test_behavioral.py +77 -0
  50. mcp_tool_auditor-1.2.0/tests/test_cli_behavior.py +167 -0
  51. mcp_tool_auditor-1.2.0/tests/test_confidence_suppressions.py +73 -0
  52. mcp_tool_auditor-1.2.0/tests/test_discovery.py +23 -0
  53. mcp_tool_auditor-1.2.0/tests/test_http_auth_session.py +78 -0
  54. mcp_tool_auditor-1.2.0/tests/test_patterns.py +34 -0
  55. mcp_tool_auditor-1.2.0/tests/test_remediation.py +22 -0
  56. mcp_tool_auditor-1.2.0/tests/test_sarif_reporter.py +63 -0
  57. mcp_tool_auditor-1.2.0/tests/test_scanner.py +658 -0
  58. mcp_tool_auditor-1.2.0/tests/test_source_scan.py +125 -0
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 mcp-tool-auditor contributors
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
@@ -0,0 +1,443 @@
1
+ Metadata-Version: 2.4
2
+ Name: mcp-tool-auditor
3
+ Version: 1.2.0
4
+ Summary: MCP Tool Poisoning Scanner — Defensive scanning + offensive pentest tooling for MCP servers. Maps to OWASP MCP Top 10.
5
+ Author: Përparim Mjeku
6
+ License: MIT
7
+ Project-URL: Homepage, https://github.com/perparimmjeku/mcp-tool-auditor
8
+ Project-URL: Repository, https://github.com/perparimmjeku/mcp-tool-auditor
9
+ Project-URL: Issues, https://github.com/perparimmjeku/mcp-tool-auditor/issues
10
+ Keywords: mcp,security,tool-poisoning,owasp,penetration-testing,llm,ai-security
11
+ Classifier: Development Status :: 4 - Beta
12
+ Classifier: Intended Audience :: Information Technology
13
+ Classifier: Intended Audience :: System Administrators
14
+ Classifier: License :: OSI Approved :: MIT License
15
+ Classifier: Programming Language :: Python :: 3
16
+ Classifier: Programming Language :: Python :: 3.10
17
+ Classifier: Programming Language :: Python :: 3.11
18
+ Classifier: Programming Language :: Python :: 3.12
19
+ Classifier: Topic :: Security
20
+ Classifier: Topic :: Software Development :: Testing
21
+ Requires-Python: >=3.10
22
+ Description-Content-Type: text/markdown
23
+ License-File: LICENSE
24
+ Requires-Dist: pyyaml>=6.0
25
+ Requires-Dist: requests>=2.31.0
26
+ Provides-Extra: dev
27
+ Requires-Dist: pytest>=7.0; extra == "dev"
28
+ Requires-Dist: pytest-cov>=4.0; extra == "dev"
29
+ Requires-Dist: black>=23.0; extra == "dev"
30
+ Requires-Dist: ruff>=0.1.0; extra == "dev"
31
+ Requires-Dist: mypy>=1.8; extra == "dev"
32
+ Requires-Dist: types-requests; extra == "dev"
33
+ Requires-Dist: types-PyYAML; extra == "dev"
34
+ Requires-Dist: build>=1.0; extra == "dev"
35
+ Dynamic: license-file
36
+
37
+ # MCP Tool Auditor
38
+
39
+ **Scan MCP server tool definitions for poisoning, injection, and OWASP MCP Top 10 vulnerabilities.**
40
+
41
+ [![CI](https://github.com/perparimmjeku/mcp-tool-auditor/actions/workflows/ci.yml/badge.svg)](https://github.com/perparimmjeku/mcp-tool-auditor/actions/workflows/ci.yml)
42
+ [![PyPI](https://img.shields.io/pypi/v/mcp-tool-auditor)](https://pypi.org/project/mcp-tool-auditor/)
43
+ [![Python 3.10+](https://img.shields.io/badge/python-3.10%2B-blue)](https://python.org)
44
+ [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
45
+ [![OWASP MCP Top 10](https://img.shields.io/badge/OWASP-MCP03%20Tool%20Poisoning-red)](https://owasp.org/www-project-mcp-top-10/)
46
+
47
+ > **Most MCP scanners read tool definitions. This one also watches tool _behavior_** — it calls tools and catches Advanced Tool Poisoning Attacks (ATPA) that look benign on paper and turn malicious at runtime.
48
+
49
+ `mcp-tool-auditor` is a comprehensive security scanner for Model Context Protocol (MCP) servers. It detects tool poisoning, full-schema poisoning (FSP), rug-pull attacks (including newly shadowing tools), and ATPA (Advanced Tool Poisoning Attacks), while mapping findings to the OWASP MCP Top 10 framework.
50
+
51
+ The project also includes authorized offensive tooling for penetration testers and security researchers to simulate realistic MCP attack scenarios in controlled environments.
52
+
53
+ ---
54
+
55
+ ## Features
56
+
57
+ ### Defensive Scanner
58
+
59
+ | Feature | What It Detects |
60
+ |---|---|
61
+ | Static Signatures | 40+ patterns such as "ignore security", "always use this tool", "send full conversation", and "authoritative source" |
62
+ | Heuristic Analysis | Imperative language scoring, authority spoofing, Unicode hidden characters, and excessive agency claims |
63
+ | Schema Anomaly Detection | Full-Schema Poisoning (FSP), sidenote parameter injection, enum injection, poisoned defaults, and required-array abuse |
64
+ | Rug-Pull Detection | SHA-256 schema fingerprinting to detect unexpected tool definition changes |
65
+ | Behavioral / ATPA Detection | Calls tools and inspects responses for the benign→malicious time-bomb signature, output injection, and exfil instructions |
66
+ | OWASP Mapping | Labels findings across the OWASP MCP Top 10 (active detection for MCP01, MCP02, MCP03, MCP05) |
67
+
68
+ ### Offensive Tooling
69
+
70
+ | Tool | What It Simulates |
71
+ |---|---|
72
+ | Description Injection Server | Classic Tool Poisoning Attacks using malicious tool descriptions |
73
+ | FSP Generator | CyberArk-style schema poisoning variants |
74
+ | ATPA Server | Behavioral poisoning that becomes malicious after a configurable threshold |
75
+ | Rug-Pull Server | Serves clean tools initially, then swaps to malicious definitions |
76
+ | Tool Shadowing Server | Mimics trusted tool names while embedding injected payloads |
77
+
78
+ ---
79
+
80
+ ## Installation
81
+
82
+ ### Install from GitHub
83
+
84
+ ```bash
85
+ git clone https://github.com/perparimmjeku/mcp-tool-auditor.git
86
+ cd mcp-tool-auditor
87
+ pip install -e .
88
+ ```
89
+
90
+ ### Development
91
+
92
+ ```bash
93
+ python -m pip install -e ".[dev]"
94
+ python -m pytest
95
+ ```
96
+
97
+ ---
98
+
99
+ ## Quick Start
100
+
101
+ ### Scan an MCP Server
102
+
103
+ ```bash
104
+ mcp-tool-auditor scan url http://localhost:8080/mcp
105
+ ```
106
+
107
+ ### Generate a Markdown Report
108
+
109
+ ```bash
110
+ mcp-tool-auditor scan url http://localhost:8080/mcp \
111
+ --format markdown \
112
+ -o report.md
113
+ ```
114
+
115
+ ### Scan MCP Servers from a Configuration File
116
+
117
+ ```bash
118
+ mcp-tool-auditor scan config \
119
+ ~/.config/Claude/claude_desktop_config.json
120
+ ```
121
+
122
+ ### Register a Baseline Fingerprint
123
+
124
+ ```bash
125
+ mcp-tool-auditor register url http://localhost:8080/mcp
126
+ ```
127
+
128
+ ### Check for Rug-Pull Changes
129
+
130
+ ```bash
131
+ mcp-tool-auditor check url http://localhost:8080/mcp
132
+ ```
133
+
134
+ ### Behavioral / ATPA Detection
135
+
136
+ Static scans read tool *definitions*; behavioral probing actually calls tools and
137
+ inspects their *responses* to catch Advanced Tool Poisoning Attacks (ATPA) — tools
138
+ that act benign, then return poisoned output after a few calls.
139
+
140
+ ```bash
141
+ # Live probe (executes real tool calls — authorized testing only)
142
+ mcp-tool-auditor behavior url http://localhost:8080/mcp --calls 6 --yes
143
+ mcp-tool-auditor behavior stdio --calls 6 -- npx @modelcontextprotocol/server-everything
144
+
145
+ # Offline: analyze a recorded transcript (tool name -> list of response strings)
146
+ mcp-tool-auditor behavior import responses.json --format json
147
+ ```
148
+
149
+ Findings: `BEHAV_ATPA_TRANSITION` (benign→malicious time-bomb), `BEHAV_OUTPUT_INJECTION`,
150
+ `BEHAV_RESPONSE_DIVERGENCE`, and `BEHAV_CALL_ERROR`. Live modes require an
151
+ authorization acknowledgement (`--yes` or `MCP_TOOL_AUDITOR_ASSUME_AUTHORIZED=1`).
152
+
153
+ ### Authenticated Scanning (real engagements)
154
+
155
+ ```bash
156
+ # Auth header + route through Burp; tune signal with confidence and suppressions
157
+ mcp-tool-auditor scan url https://target/mcp \
158
+ -H "Authorization: Bearer $TOKEN" \
159
+ --proxy http://127.0.0.1:8080 \
160
+ --min-confidence HIGH \
161
+ --suppress HEUR_IMPERATIVE
162
+ ```
163
+
164
+ Findings carry a **confidence** level (HIGH/MEDIUM/LOW); `--min-confidence` filters
165
+ noisy heuristics and `--suppressions <file>` silences accepted false positives.
166
+ URL transport speaks full MCP Streamable HTTP (session id + protocol-version headers).
167
+
168
+ ### Auto-Discover and Scan Local MCP Configs
169
+
170
+ ```bash
171
+ # Finds and scans configs for Claude Desktop, Cursor, VS Code, Windsurf, Zed
172
+ mcp-tool-auditor scan local
173
+ ```
174
+
175
+ ### Export SARIF and Explain Findings
176
+
177
+ ```bash
178
+ # SARIF for GitHub code-scanning / GitLab
179
+ mcp-tool-auditor scan import tools.json --format sarif -o results.sarif
180
+
181
+ # Get remediation guidance for any finding rule
182
+ mcp-tool-auditor explain BEHAV_ATPA_TRANSITION
183
+ mcp-tool-auditor explain --list
184
+ ```
185
+
186
+ ### Source-Scan (Prompt-In-Shell-Out)
187
+
188
+ Goes one level deeper than definitions/behavior: reads an MCP server's **source code**
189
+ (Python via AST, JS/TS via heuristics) and flags shell-injection sinks fed by
190
+ LLM-controlled tool arguments — `subprocess(shell=True)`, `os.system`, `child_process.exec`, etc.
191
+
192
+ ```bash
193
+ mcp-tool-auditor source-scan ./my-mcp-server # human-readable
194
+ mcp-tool-auditor source-scan ./my-mcp-server --format sarif # code-scanning
195
+ mcp-tool-auditor source-scan ./my-mcp-server --fail-on CRITICAL # CI gate
196
+ ```
197
+
198
+ It only opens files that import an MCP SDK, so it won't flag shell calls in unrelated code.
199
+
200
+ ### Generate Offensive Test Servers
201
+
202
+ ```bash
203
+ mcp-tool-auditor generate all --output-dir ./pentest_servers
204
+ ```
205
+
206
+ ---
207
+
208
+ ## CI/CD Integration
209
+
210
+ Gate merges on poisoning findings and upload results to GitHub Security.
211
+
212
+ ### GitHub Action
213
+
214
+ ```yaml
215
+ # .github/workflows/mcp-audit.yml
216
+ name: MCP Audit
217
+ on: [push, pull_request]
218
+
219
+ jobs:
220
+ audit:
221
+ runs-on: ubuntu-latest
222
+ permissions:
223
+ security-events: write # to upload SARIF
224
+ steps:
225
+ - uses: actions/checkout@v4
226
+
227
+ - name: Scan tool definitions
228
+ uses: perparimmjeku/mcp-tool-auditor@main
229
+ with:
230
+ command: scan import tools.json --format sarif -o mcp.sarif --fail-on HIGH
231
+
232
+ - name: Upload SARIF
233
+ if: always()
234
+ uses: github/codeql-action/upload-sarif@v3
235
+ with:
236
+ sarif_file: mcp.sarif
237
+ ```
238
+
239
+ > Until the package is on PyPI, point the action at the repo:
240
+ > `with: { install-spec: "git+https://github.com/perparimmjeku/mcp-tool-auditor.git" }`
241
+
242
+ ### Plain CLI in any pipeline
243
+
244
+ ```bash
245
+ # Exit code 2 if any HIGH+ finding is present — fails the build
246
+ mcp-tool-auditor scan import tools.json --fail-on HIGH
247
+ ```
248
+
249
+ ### Verbose Output, Logs, and Metrics
250
+
251
+ ```bash
252
+ mcp-tool-auditor -v scan import tests/fixtures/poisoned_tools.json
253
+ ```
254
+
255
+ By default, structured logs are written under `~/.mcp-tool-auditor/logs` and scan
256
+ metrics are appended to `~/.mcp-tool-auditor/metrics.jsonl`. Use `--no-log-file`
257
+ or `--no-metrics` to disable those side effects for a run.
258
+
259
+ ### Configuration
260
+
261
+ ```bash
262
+ mcp-tool-auditor --config ./config.yaml scan url http://localhost:8080/mcp
263
+ ```
264
+
265
+ The CLI accepts JSON or YAML config files. CLI flags still take precedence for
266
+ scan output format and minimum severity.
267
+
268
+ ### Offensive Simulation Acknowledgement
269
+
270
+ ```bash
271
+ mcp-tool-auditor attack --yes atpa --port 8080 --threshold 3
272
+ ```
273
+
274
+ Offensive simulation servers show an authorization warning before they start.
275
+ Use `--yes` only for non-interactive, authorized lab runs.
276
+
277
+ ---
278
+
279
+ ## Detection Coverage & Sample Reports
280
+
281
+ - **[docs/RULES.md](docs/RULES.md)** — full catalog of all 61 detection rules with confidence levels.
282
+ - **Sample output** from a poisoned fixture: [markdown](docs/samples/sample-report.md) ·
283
+ [json](docs/samples/sample-report.json) · [sarif](docs/samples/sample-report.sarif).
284
+
285
+ ---
286
+
287
+ ## OWASP MCP Top 10 Mapping
288
+
289
+ | OWASP ID | Issue | Detection |
290
+ |---|---|---|
291
+ | MCP01 | Token Mismanagement & Secret Exposure | `ST_IGNORE_PREVIOUS`, `ST_BYPASS`, `ST_IGNORE_SECURITY` |
292
+ | MCP02 | Privilege Escalation via Scope Creep | `HEUR_AGENCY`, credential-related signatures |
293
+ | MCP03 | Tool Poisoning | Signatures, heuristics, FSP, rug-pull/shadowing, and behavioral/ATPA detection |
294
+ | MCP05 | Command Injection & Execution | `ST_EXECUTE`, `ST_CODE_EXEC`, command-related schema findings |
295
+
296
+ Findings are actively emitted for **MCP01, MCP02, MCP03, and MCP05**. Reports also
297
+ recognize the remaining OWASP MCP Top 10 IDs (MCP04, MCP06–MCP10) by label, but the
298
+ current analyzers do not yet emit findings for them.
299
+
300
+ ---
301
+
302
+ ## Offensive Testing Examples
303
+
304
+ ```bash
305
+ # Start an ATPA simulation server
306
+ mcp-tool-auditor attack atpa --port 8080 --threshold 3
307
+
308
+ # Start a rug-pull simulation server
309
+ mcp-tool-auditor attack rugpull --port 8081 --switch-after 5
310
+
311
+ # Generate standalone attack servers
312
+ mcp-tool-auditor generate all --output-dir ./test_servers
313
+
314
+ python ./test_servers/server_description_injection.py
315
+ ```
316
+
317
+ ---
318
+
319
+ ## Architecture
320
+
321
+ ```text
322
+ mcp-tool-auditor/
323
+ ├── mcp_tool_auditor/
324
+ │ ├── __init__.py
325
+ │ ├── cli.py
326
+ │ ├── config.py
327
+ │ ├── logging_config.py
328
+ │ ├── metrics.py
329
+ │ ├── security.py
330
+ │ ├── validation.py
331
+ │ ├── auditor/
332
+ │ │ ├── __init__.py
333
+ │ │ ├── scanner.py
334
+ │ │ ├── models.py
335
+ │ │ ├── discovery.py
336
+ │ │ ├── remediation.py
337
+ │ │ ├── analyzers/
338
+ │ │ │ ├── __init__.py
339
+ │ │ │ ├── static.py
340
+ │ │ │ ├── heuristic.py
341
+ │ │ │ ├── schema.py
342
+ │ │ │ ├── rugpull.py
343
+ │ │ │ ├── behavioral.py
344
+ │ │ │ └── patterns.py
345
+ │ │ ├── signatures/
346
+ │ │ │ ├── __init__.py
347
+ │ │ │ ├── descriptions.yaml
348
+ │ │ │ └── parameters.yaml
349
+ │ │ └── reporters/
350
+ │ │ ├── __init__.py
351
+ │ │ ├── json_reporter.py
352
+ │ │ ├── markdown_reporter.py
353
+ │ │ └── sarif_reporter.py
354
+ │ └── offensive/
355
+ │ ├── __init__.py
356
+ │ ├── poisoner.py
357
+ │ ├── atpa_server.py
358
+ │ └── rugpull_sim.py
359
+ ├── tests/
360
+ │ ├── __init__.py
361
+ │ ├── test_scanner.py
362
+ │ ├── test_patterns.py
363
+ │ ├── test_behavioral.py
364
+ │ ├── test_cli_behavior.py
365
+ │ ├── test_behavior_integration.py
366
+ │ └── fixtures/
367
+ │ ├── __init__.py
368
+ │ └── poisoned_tools.json
369
+ ├── config.yaml
370
+ ├── pyproject.toml
371
+ ├── CONTRIBUTING.md
372
+ ├── SECURITY.md
373
+ ├── LICENSE
374
+ └── README.md
375
+ ```
376
+
377
+ ---
378
+
379
+ ## Configuration
380
+
381
+ See `config.yaml` for example scanner settings. Pass a config file with `--config`
382
+ (JSON or YAML); CLI flags override the file for output format and minimum severity.
383
+
384
+ ### Default Configuration
385
+
386
+ ```yaml
387
+ auditor:
388
+ severity_threshold: MEDIUM
389
+
390
+ heuristic_analysis:
391
+ description_length_threshold: 500
392
+ imperative_threshold: 2
393
+
394
+ schema_analysis:
395
+ check_fsp_params: true
396
+ check_required_array: true
397
+ check_enum_values: true
398
+ ```
399
+
400
+ ---
401
+
402
+ ## Contributing
403
+
404
+ Pull requests are welcome.
405
+
406
+ Please see `CONTRIBUTING.md` for development guidelines, coding standards, and testing procedures.
407
+
408
+ Security issues should follow `SECURITY.md`.
409
+
410
+ ---
411
+
412
+ ## License
413
+
414
+ MIT License — see the `LICENSE` file for details.
415
+
416
+ ---
417
+
418
+ ## Legal Disclaimer
419
+
420
+ This tool is intended strictly for:
421
+
422
+ - Authorized penetration testing
423
+ - Defensive security research
424
+ - Educational and lab environments
425
+ - Controlled validation of MCP security controls
426
+
427
+ Users must have explicit permission before testing any target systems.
428
+
429
+ The authors assume no liability for misuse, unauthorized testing, or damages caused by improper use of this software.
430
+
431
+ ---
432
+
433
+ ## Package Metadata
434
+
435
+ ### `mcp_tool_auditor/__init__.py`
436
+
437
+ ```python
438
+ """MCP Tool Auditor package."""
439
+
440
+ __version__ = "1.0.0"
441
+ __author__ = "Përparim Mjeku"
442
+ __license__ = "MIT"
443
+ ```