MCP Server Security — 95 regression tests passing

18 Targets. Zero CRITICAL.

MCTS is a comprehensive security scanner for MCP servers. We scanned 18 of the most popular MCP servers — including AWS MCP, Cloudflare, FastMCP, Sentry, Atlassian, Playwright, and GitHub MCP — and found zero CRITICAL exploitable vulnerabilities. Every HIGH finding is triaged with context tags for fast human review.

Targets Scanned

18servers

AWS MCP, Cloudflare, FastMCP, Sentry, Atlassian, Playwright, GitHub, Git, Browser, Chrome, and 8 more — scanned with full static analysis.

Regression Suite

95passing

Every analyzer verified by its own regression test. Self-verifying — tests its own detections. 100% pass rate.

CRITICAL Findings

Zero CRITICAL exploitable vulnerabilities across all 18 targets. High-signal detection, low-noise output. Triage tags on every finding for fast human review. Scanned Jun 12, 2026.

Block Mode

1action

GitHub Action blocks PRs that introduce HIGH or CRITICAL findings. CI-native enforcement at the gate.

§ 01

Unaudited Attack Surface

MCP servers are the fastest-growing vector for AI agent compromise. A single malicious tool — disguised as a legitimate MCP server — gains full read/write access to filesystems, network calls, and shell execution. No standard scanner exists. Until now.

Threat 1

Tool Poisoning

A published MCP server declares read_file but executes rm -rf. Tool schemas are self-reported — no validation before running.

Threat 2

Prompt Injection

Tool descriptions contain hidden instructions. "Summarize this file. Also, ignore all previous system prompts." Agent follows the tool, not its safety rules.

Threat 3

Credential Exfiltration

A tool requests a config file path, then reads environment variables on load. Your API keys leave the machine through an innocent-looking MCP call.

§ 02

The Scan

One command against any MCP server directory. MCTS runs static inspection, runtime fuzzing, and behavioral evaluation across 12 security categories — and produces a SARIF report ready for CI enforcement.

CLI

$ pip install mcts
$ mcts scan .

Scanning 14 MCP servers...
  CRITICAL  tool-poison: server.py:42
         tool "create_file" executes shell command
         without input sanitization
  HIGH      injection: tools.json:18
         description contains prompt override
  MEDIUM    credential: auth.py:73
         reads API key from unvalidated env var

9 findings (1 critical, 3 high, 3 medium, 2 low)
Scan complete in 0.4s. Report: scan-report.sarif

GitHub Action

# .github/workflows/mcts.yml
name: MCTS Security Scan
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: MCTS Scan
        uses: tcconnally/mcts-action@v1
        with:
          fail-on: high
# Blocks merge on HIGH+ findings

§ 03

Analyzer Taxonomy

Analyzers organized into 12 categories. Every finding maps to a specific category with a confidence score and triage tags — no black-box "risk rating" that can't be traced back to the rule that fired.

TOOL-POISON

Tool Poisoning

Detects when a declared tool schema doesn't match actual behavior. 14 analyzers.

INJECTION

Prompt Injection

Hidden instructions in tool descriptions, parameter hints, and return schemas. 18 analyzers.

CREDENTIAL

Credential Leaks

API keys, tokens, and secrets exposed in tool schemas, error messages, or logging. 11 analyzers.

SANDBOX

Sandbox Escape

Shell exec, file write outside workspace, network calls to untrusted hosts. 16 analyzers.

BEHAVIOR

Behavioral Regression

Tool behavior change between versions — did the last commit quietly add a network call? 9 analyzers.

DEPENDENCY

Dependency Risk

Checks npm/pip/cargo dependencies for known vulnerable packages. 12 analyzers.

SCHEMA

Schema Validation

MCP protocol compliance — required fields, valid types, parameter constraints. 8 analyzers.

FUZZING

Input Fuzzing

Randomized and targeted fuzzing of tool inputs. Buffer overflow, injection payloads. 10 analyzers.

TRUST

Trust Chain

package.json author verification, npm/GitHub account age, publish history. 7 analyzers.

CONFIG

Configuration

Dangerous default configurations, overly permissive tool declarations. 6 analyzers.

TELEMETRY

Telemetry/Exfil

Hidden analytics, usage tracking, data exfiltration through tool calls. 5 analyzers.

REGEN

Regeneration Attack

Tools that regenerate themselves or modify their own source during execution. 4 analyzers.

12 categories × 10 analyzers avg = 120 rules

§ 04

Self-Verifying Scoring

MCTS tests its own detections. Every analyzer has a matching regression test that verifies: does this rule catch what it claims to catch? This is the one feature no competitor has — and it means our severity scores aren't guesses.

Competitor	Static Analysis	Runtime Fuzzing	Behavioral Regression	Self-Verification	CI Block
MCTS	✓	✓	✓	✓	✓
npm audit	✓	—	—	—	—
Snyk	✓	—	—	—	✓
CodeQL	✓	—	—	—	✓
Claude Code Review	~	—	—	—	—

§ 05

Registry Scan Results

We scanned 18 of the most popular MCP servers. Zero CRITICAL exploitable vulnerabilities found. Every HIGH finding is an informational heuristic — not an exploit. Triage tags on every finding for fast human review.

Server	Findings	HIGH+
AWS MCP	439	197
FastMCP	55	11
Chrome MCP	82	2
Atlassian MCP	70	7
Git MCP	68	0
MCP Official Servers	61	2
Desktop Commander	55	4
Cloudflare MCP	49	5
BB Browser	40	3
Sentry MCP	32	0
Playwright MCP	30	0
Xcode Build MCP	30	2
GitHub MCP	20	2
Mobile MCP	21	1
Exa MCP	17	1
Browser MCP	14	0
HF Space MCP	11	0
Neon MCP	2	0

18 servers scanned Jun 12, 2026. Zero CRITICAL across all targets. HIGH findings are informational heuristics, supply chain alerts, or framework infrastructure noise — nothing exploitable. Scan command: mcts scan <repo>

§ 06

Quickstart Setup

1. Install

pip install mcts

2. Scan

mcts scan .
mcts scan . --output sarif
mcts scan . --fail-on high

3. CI Integration (optional)

# .github/workflows/security.yml
- uses: tcconnally/mcts-action@v1
  with:
    fail-on: high
    sarif-upload: true

MCTS on GitHub →