github analyzed de6bbaf

manthanghasadiya/mcpsec

An AI-driven dynamic protocol fuzzer for the Model Context Protocol (MCP). Prove runtime exploitability by discovering state violations, transport crashes, and application-layer logic flaws (SSRF, LFI) before your AI agents do.

maintainer: manthanghasadiya
license: MIT
first seen: 2026-06-01
last seen: 2026-06-04
releases · 30d: 0
short id

Drift inferred · capture-to-capture

HIGH 2026-06-14 code analysis flagged dynamic code execution ×6 in manthanghasadiya/mcpsec

capabilities0 tools

transport stdio · streamable-http counts 0 tools · 0 res · 0 prompts permission surface via code analysis

no tools enumerated yet for this server.

skills & danger signalsgithub-tarball

prompt-surface shipped agent-instruction files + hidden-content / dangerous-code findings — quoted from the analyzed source

analyzed commit de6bbaf · analyzer v17 · 1h ago

danger signals14

dynamic code executioneval()/exec()manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/ai_taint_analyzer.py:29• Shell injection: exec(userInput), os.system(cmd), subprocess with shell=True
dynamic code executionpickle.loads()manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/ai_taint_analyzer.py:31• Deserialization: pickle.loads(data), yaml.load(data) without SafeLoader
dynamic code executionunsafe yaml.load()manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/ai_taint_analyzer.py:31• Deserialization: pickle.loads(data), yaml.load(data) without SafeLoader
dynamic code executioneval()/exec()manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/code_execution.py:3Specifically targets eval(), exec(), and compile() sinks.
dynamic code executioneval()/exec()manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/audit_engine.py:214- Shell/command tools: exec() is expected
dynamic code executionunsafe yaml.load()manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/deserialization.py:5- Python: pickle, yaml.load(), marshal, jsonpickle, shelve
suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/exploit/playbooks/ssrf.py:18"http://169.254.169.254/latest/meta-data/", "AWS Cloud metadata endpoint test."
suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/generators/injection_payloads.py:37("ssrf_metadata_aws", "http://169.254.169.254/latest/meta-data/", "AWS SSRF metadata"),
suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/generators/param_mutations.py:150("exploit_ssrf", {"url": "http://169.254.169.254/latest/meta-data/"}),
suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/resource_ssrf.py:30("aws_metadata", "http://169.254.169.254/latest/meta-data/", "AWS EC2 metadata"),
suspicious endpoint100.100.100.200 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/resource_ssrf.py:35("alibaba_metadata", "http://100.100.100.200/latest/meta-data/", "Alibaba Cloud metadata"),
suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/sql_rce.py:469"'; COPY (SELECT '') TO PROGRAM 'curl http://169.254.169.254/latest/meta-data/ -o /tmp/mcpsec_meta';--",
suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/ssrf.py:63"http://169.254.169.254/latest/meta-data/",
suspicious endpoint100.100.100.200 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/ssrf.py:88"http://100.100.100.200/latest/meta-data/", # Alibaba

code evidencevv2.7.1 · github-tarball

evidence-backed findings quoted directly from the published source artifact — not inferred

filesystem 32

fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/ai_taint_analyzer.py :5 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/ai_validator.py :92 with open(f.file_path, "r", encoding="utf-8") as src_file:
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/finding_classifier.py :8 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/cli.py :15 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/client/mcp_client.py :10 import shutil
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/config.py :9 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/discovery.py :19 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/exploit/session.py :197 with open(filename, "w") as f:
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/chain/chain_reporter.py :56 with open(path, "w") as f:
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/evolve/corpus.py :10 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/evolve/engine.py :11 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/transport/http_fuzzer.py :152 with open(self.error_log_path, "a", encoding="utf-8", errors="replace") as f:
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/transport/stdio_fuzzer.py :3 import shutil
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/reporters/json_report.py :9 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/reporters/sarif_report.py :18 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/secrets_exposure.py :4 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/analysis/reachability.py :9 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/analysis/sink_scanner.py :7 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/audit_engine.py :16 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/framework/detector.py :8 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/additional.py :631 function_name="File::open(format!())",
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/bulk_extension.py :739 function_name="arguments[path] -> open()",
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/deserialization.py :62 function_name="shelve.open()",
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/final_patterns.py :172 function_name="URI.open(variable)",
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/injection_extra.py :276 function_name="open(os.path.join(...))",
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/path_traversal.py :6 - Python: open(), Path(), os.path, shutil, send_file()
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/ssrf.py :198 function_name="xhr.open(method, variable)",
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/web_vulns.py :191 function_name="aiofiles.open(f-string)",
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/py_analyzer.py :7 from pathlib import Path
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/semgrep_engine.py :7 import shutil
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/source_fetcher.py :7 import shutil
fs manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/taint_analyzer.py :6 from pathlib import Path

shell / exec 13

shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/ai_taint_analyzer.py :29 • Shell injection: exec(userInput), os.system(cmd), subprocess with shell=True
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/cli.py :14 import subprocess
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/exploit/evidence.py :71 import subprocess, json, sys, time
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/evolve/engine.py :8 import subprocess
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/generators/deserialization.py :143 "{%import os%}{{os.popen('id').read()}}",
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/transport/stdio_fuzzer.py :4 import subprocess
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/command_injection.py :454 "Use subprocess.run(['cmd', 'arg'], shell=False). "
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/sql_rce.py :521 "'; CREATE EXTENSION plpythonu; CREATE FUNCTION mcpsec_rce() RETURNS text AS $$ import os; return os.popen('id').read() $$ LANGUAGE plpythonu;--",
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/additional.py :208 # Python -- os.system() variations
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/bulk_extension.py :862 function_name="subprocess.run(shlex.split(variable))",
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/command_injection.py :455 function_name="os.system()",
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/injection_extra.py :24 function_name="subprocess.run(f-string)",
shell manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/semgrep_engine.py :5 import subprocess

network 8

net manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/ai_taint_analyzer.py :38 • SSRF: requests.get(userURL) without URL allowlist validation
net manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/llm_client.py :5 import httpx
net manthanghasadiya-mcpsec-de6bbaf/mcpsec/config.py :127 import httpx
net manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/transport/http_fuzzer.py :5 import httpx
net manthanghasadiya-mcpsec-de6bbaf/mcpsec/rogue/server.py :193 from aiohttp import web
net manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/bulk_extension.py :763 function_name="arguments[url] -> requests.get()",
net manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/injection_extra.py :521 function_name="requests.get(concat URL)",
net manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/ssrf.py :230 function_name="requests.get/post(url)",

secrets 1

secrets manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/command_injection.py :17 import getpass

declared dependencies 7

mcp@>=1.0.0
rich@>=13.0.0
typer@>=0.12.0
httpx@>=0.27.0
pydantic@>=2.0.0
anyio@>=4.0.0
semgrep@>=1.90.0