
Security

Every MCP risk signal in one place: CVEs, tool safety, drift, naming, licenses. All of it is heuristic, so treat each row as a review signal, not a verdict.

MCP-native tool-safety findings (tool poisoning, exfiltration combos, name shadowing, benign-looking names on tools that handle secrets, unconstrained schemas) produced by pure heuristics and listed newest-detected first; switch to the severity worklist to triage by impact. Every row is a review signal with its evidence attached, never a verdict.

Open findings by category (high / medium / low):
  • exfiltration combo: 861 high, 1159 low
  • dangerous code: 1180 high
  • tool shadowing: 233 high, 60 medium
  • purpose mismatch: 281 medium
  • toxic flow (lethal trifecta): 185 high
  • tool poisoning: 22 high, 15 medium
  • hidden prompt content: 36 high
  • loose schema: 16 medium
  • cross-server steering: 2 medium
Each row reads: rank, severity, category, package (with " · tool" when the finding is scoped to one tool), then the evidence string as the scanner emitted it (some evidence is truncated on the page).
  1. HIGH · hidden prompt content · claude-all-config: 1 file(s) with hidden prompt content: package/skills/telegram-alerts/SKILL.md (skill-exfil): "secret→sink: ### Via Telegram Bot API Direct"
  2. HIGH · dangerous code · @iola_adm/iola-cli: dynamic exec: new Function()
  3. HIGH · dangerous code · @iola_adm/iola-cli: env-secret-flows-to-network-js: A process environment value (often a secret/token) flows into a network call — possible credential exfiltration. (/tmp/obs-code-OHawcv/package/src/c
  4. HIGH · dangerous code · ecc-agentshield: committed secret: OpenAI key, GitHub token
  5. HIGH · dangerous code · signetai: suspicious bundled script in 1 file(s)
  6. HIGH · toxic flow (lethal trifecta) · agentmail-mcp: lethal trifecta reachable across this server's tools: private-data access + untrusted-content ingestion + network exfil
  7. MEDIUM · purpose mismatch · agentmail-mcp · list_threads: benign-looking name carries secrets
  8. MEDIUM · purpose mismatch · agentmail-mcp · list_inboxes: benign-looking name carries secrets
  9. LOW · exfiltration combo · agentmail-mcp: sensitive read and network capabilities split across this server's tools
  10. HIGH · dangerous code · tidewave: dynamic exec: new Function()
  11. HIGH · dangerous code · @vpxa/aikit: dynamic exec: new Function(), vm exec, eval()
  12. HIGH · dangerous code · brilliant-directories-mcp: credential logged in 1 file(s)
  13. HIGH · exfiltration combo · @nexus2520/bitbucket-mcp-server · find_in_files: single tool reads + sends: fs, net
  14. HIGH · exfiltration combo · @nexus2520/bitbucket-mcp-server · search_code: single tool reads + sends: fs, net
  15. HIGH · exfiltration combo · @nexus2520/bitbucket-mcp-server · search_files: single tool reads + sends: fs, net
  16. HIGH · exfiltration combo · @nexus2520/bitbucket-mcp-server · get_pull_request: single tool reads + sends: fs, net
  17. HIGH · dangerous code · comfyui-mcp: env-secret-flows-to-network-js: A process environment value (often a secret/token) flows into a network call — possible credential exfiltration. (/tmp/obs-code-ockRTX/package/plugi
  18. HIGH · dangerous code · aiwg: suspicious bundled script in 1 file(s)
  19. HIGH · hidden prompt content · aiwg: 10 file(s) with hidden prompt content: package/agentic/code/frameworks/media-curator/skills/cover-art-embedding/SKILL.md (skill-exfil), package/agentic/code/frameworks/media-curat…
  20. HIGH · dangerous code · aiwg: env-secret-flows-to-network-js: A process environment value (often a secret/token) flows into a network call — possible credential exfiltration. (/tmp/obs-code-yGvQ7D/package/tools
  21. HIGH · exfiltration combo · harness-mcp-v2 · harness_schema: single tool reads + sends: fs, net
  22. LOW · exfiltration combo · harness-mcp-v2 · harness_search: single tool reads + sends: net, db
  23. HIGH · exfiltration combo · mcp-atlassian · upload_confluence_attachment: single tool reads + sends: fs, net
  24. LOW · exfiltration combo · mcp-atlassian · search_confluence_pages: single tool reads + sends: net, db
  25. HIGH · dangerous code · local-mcp: env-secret-flows-to-network-js: A process environment value (often a secret/token) flows into a network call — possible credential exfiltration. (/tmp/obs-code-aTyMTA/package/setup
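The rules behind the rows above (a single tool that both reads private data and reaches the network, the weaker cross-tool split, the server-level lethal trifecta, tool-name shadowing across servers, and the dynamic-exec grep that produces "new Function()" / "eval()" / "vm exec" evidence), reimplemented as an added Python example. This is not the scanner's own code: the per-tool capability labels, which labels count as private data or untrusted content, the severity grading, and the sample inventory and JS snippets are all constructed for the example.

```python
"""Toy reimplementation of four MCP tool-safety heuristics over a tool inventory.
Added example, not the scanner's code; every mapping below is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Capability labels reuse the page's vocabulary (fs, net, db). Which labels count
# as private data or as untrusted content is an assumption made for this example.
PRIVATE_DATA = frozenset({"fs", "db", "mail", "secrets"})
UNTRUSTED_CONTENT = frozenset({"mail", "web", "tickets"})
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Regexes producing the 'dynamic exec' evidence labels the page shows.
DYNAMIC_EXEC = [
    ("new Function()", re.compile(r"new\s+Function\s*\(")),
    ("eval()", re.compile(r"(?<![\w.])eval\s*\(")),
    ("vm exec", re.compile(r"\bvm\.(?:runIn\w*Context|Script|compileFunction)\b")),
]


@dataclass(frozen=True)
class Tool:
    server: str
    name: str
    caps: frozenset  # capability labels; inferred upstream in a real scanner, constructed here


def _finding(severity, category, subject, evidence):
    return {"severity": severity, "category": category, "subject": subject, "evidence": evidence}


def _by_server(tools):
    grouped = defaultdict(list)
    for t in tools:
        grouped[t.server].append(t)
    return grouped


def exfiltration_combos(tools):
    """Strong signal: one tool both reads private data and has network access.
    Weak signal: no single tool does, but the server's tools together do.
    Grading fs/secrets reads HIGH and other stores LOW is an assumption."""
    findings = []
    for server, ts in _by_server(tools).items():
        single = False
        for t in ts:
            reads = t.caps & PRIVATE_DATA
            if reads and "net" in t.caps:
                single = True
                sev = "HIGH" if reads & {"fs", "secrets"} else "LOW"
                findings.append(_finding(sev, "exfiltration combo", f"{server} · {t.name}",
                                         "single tool reads + sends: " + ", ".join(sorted(reads | {"net"}))))
        union = frozenset().union(*(t.caps for t in ts))
        if not single and union & PRIVATE_DATA and "net" in union:
            findings.append(_finding("LOW", "exfiltration combo", server,
                                     "sensitive read and network capabilities split across this server's tools"))
    return findings


def lethal_trifecta(tools):
    """Server-level rule: the three legs may sit in three different tools, because a
    prompt-injected agent can chain them within one session."""
    findings = []
    for server, ts in _by_server(tools).items():
        union = frozenset().union(*(t.caps for t in ts))
        if union & PRIVATE_DATA and union & UNTRUSTED_CONTENT and "net" in union:
            findings.append(_finding("HIGH", "toxic flow (lethal trifecta)", server,
                                     "lethal trifecta reachable across this server's tools: "
                                     "private-data access + untrusted-content ingestion + network exfil"))
    return findings


def tool_shadowing(tools):
    """Same tool name exposed by more than one server: the client's router may pick
    the wrong one. MEDIUM for a bare name collision is an assumption."""
    owners = defaultdict(set)
    for t in tools:
        owners[t.name].add(t.server)
    return [_finding("MEDIUM", "tool shadowing", name,
                     "name defined by more than one server: " + ", ".join(sorted(servers)))
            for name, servers in owners.items() if len(servers) > 1]


def dynamic_exec(sources):
    """Grep bundled JS for dynamic-evaluation sinks; a hit means 'read this', not 'malicious'."""
    findings = []
    for path, text in sources.items():
        hits = [label for label, rx in DYNAMIC_EXEC if rx.search(text)]
        if hits:
            findings.append(_finding("HIGH", "dangerous code", path, "dynamic exec: " + ", ".join(hits)))
    return findings


def scan(tools, sources):
    """All signals ordered like the page's severity worklist (highest first, stable)."""
    rows = exfiltration_combos(tools) + lethal_trifecta(tools) + tool_shadowing(tools) + dynamic_exec(sources)
    return sorted(rows, key=lambda f: SEVERITY_RANK[f["severity"]])


# Constructed inventory: server and tool names are invented, capability sets are assumptions.
SAMPLE_TOOLS = [
    Tool("repo-mcp", "search_code", frozenset({"fs", "net"})),
    Tool("repo-mcp", "search_files", frozenset({"fs"})),
    Tool("wiki-mcp", "search_pages", frozenset({"db", "net"})),
    Tool("mail-mcp", "list_threads", frozenset({"mail"})),
    Tool("mail-mcp", "send_message", frozenset({"net"})),
    Tool("other-mcp", "search_code", frozenset({"web"})),
]
SAMPLE_SOURCES = {  # constructed JS standing in for a package's bundled files
    "dist/index.js": "const run = new Function('src', 'return src');\nmodule.exports = { run };",
    "dist/util.js": "export const add = (a, b) => a + b;",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_TOOLS, SAMPLE_SOURCES):
        print(f"{f['severity']:6} {f['category']:28} {f['subject']}: {f['evidence']}")
```

Running the script prints a six-row worklist: the fs+net tool and the mail server's trifecta come out HIGH, the name collision MEDIUM, and the db+net tool and the mail server's split read/send pair LOW. The mail server illustrates why the trifecta is evaluated per server rather than per tool: neither `list_threads` nor `send_message` is dangerous alone, and only their combination completes the flow.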