An AI-driven dynamic protocol fuzzer for the Model Context Protocol (MCP). Prove runtime exploitability by discovering state violations, transport crashes, and application-layer logic flaws (SSRF, LFI) before your AI agents do.
- capability exposureinferred+35
- recent driftinferred+12
- tool safetyinferred+12
- trust mitigatorsmixed−3
inferredmixed
The A–E grade is our heuristic synthesis — a "review this" prompt, not a verdict. Each factor is tagged by what backs it: attested (a verifiable record), reported (a third party's claim), or inferred (our own heuristic, e.g. permissions). See methodology.
graded 9m ago · see ecosystem CVEs →
- A · 0 → C · 56
no known CVEs for this server.
- highdangerous code
dynamic exec: eval()/exec(), pickle.loads(), unsafe yaml.load()
analyzed commit de6bbaf · analyzer v17 · 3h ago
danger signals14
- dynamic code executioneval()/exec()manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/ai_taint_analyzer.py:29
• Shell injection: exec(userInput), os.system(cmd), subprocess with shell=True - dynamic code executionpickle.loads()manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/ai_taint_analyzer.py:31
• Deserialization: pickle.loads(data), yaml.load(data) without SafeLoader - dynamic code executionunsafe yaml.load()manthanghasadiya-mcpsec-de6bbaf/mcpsec/ai/ai_taint_analyzer.py:31
• Deserialization: pickle.loads(data), yaml.load(data) without SafeLoader - dynamic code executioneval()/exec()manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/code_execution.py:3
Specifically targets eval(), exec(), and compile() sinks. - dynamic code executioneval()/exec()manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/audit_engine.py:214
- Shell/command tools: exec() is expected - dynamic code executionunsafe yaml.load()manthanghasadiya-mcpsec-de6bbaf/mcpsec/static/patterns/sinks/deserialization.py:5
- Python: pickle, yaml.load(), marshal, jsonpickle, shelve - suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/exploit/playbooks/ssrf.py:18
"http://169.254.169.254/latest/meta-data/", "AWS Cloud metadata endpoint test." - suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/generators/injection_payloads.py:37
("ssrf_metadata_aws", "http://169.254.169.254/latest/meta-data/", "AWS SSRF metadata"), - suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/fuzzer/generators/param_mutations.py:150
("exploit_ssrf", {"url": "http://169.254.169.254/latest/meta-data/"}), - suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/resource_ssrf.py:30
("aws_metadata", "http://169.254.169.254/latest/meta-data/", "AWS EC2 metadata"), - suspicious endpoint100.100.100.200 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/resource_ssrf.py:35
("alibaba_metadata", "http://100.100.100.200/latest/meta-data/", "Alibaba Cloud metadata"), - suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/sql_rce.py:469
"'; COPY (SELECT '') TO PROGRAM 'curl http://169.254.169.254/latest/meta-data/ -o /tmp/mcpsec_meta';--", - suspicious endpoint169.254.169.254 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/ssrf.py:63
"http://169.254.169.254/latest/meta-data/", - suspicious endpoint100.100.100.200 (cloud metadata)manthanghasadiya-mcpsec-de6bbaf/mcpsec/scanners/ssrf.py:88
"http://100.100.100.200/latest/meta-data/", # Alibaba
- recent drift+12 capability drift →
[](https://mcpobservatory.com/servers/github:manthanghasadiya/mcpsec/security) Heuristic, inferred signals — false positives (legitimately powerful tools, forks, language ports) are expected. Treat each as "review this", not a verdict. See the ecosystem-wide picture on the security hub, or the fleet security of manthanghasadiya.