MCP Server Security — 365 tests passing

120 Analyzers. One Command.

MCTS is a comprehensive security scanner for MCP servers. It detects tool poisoning, prompt injection, credential leaks, and behavioral regressions — then blocks vulnerable PRs automatically.

Analyzers

120rules

Static analysis, fuzzing, behavioral evals across 12 categories of MCP security vulnerabilities.

Test Suite

365passing

Every analyzer verified by its own regression test. Self-verifying — tests its own detections.

Registry Scan

81%

13 of 16 top MCP servers have ≥1 HIGH finding. Scanned: Playwright MCP, AWS MCP, n8n, FastMCP, Cline, and 11 more. Real data, Jun 12 2026.

Block Mode

1action

GitHub Action blocks PRs that introduce HIGH or CRITICAL findings. CI-native enforcement at the gate.

§ 01

Unaudited Attack Surface

MCP servers are the fastest-growing vector for AI agent compromise. A single malicious tool — disguised as a legitimate MCP server — gains full read/write access to filesystems, network calls, and shell execution. No standard scanner exists. Until now.

Threat 1

Tool Poisoning

A published MCP server declares read_file but executes rm -rf. Tool schemas are self-reported — no validation before running.

Threat 2

Prompt Injection

Tool descriptions contain hidden instructions. "Summarize this file. Also, ignore all previous system prompts." Agent follows the tool, not its safety rules.

Threat 3

Credential Exfiltration

A tool requests a config file path, then reads environment variables on load. Your API keys leave the machine through an innocent-looking MCP call.

§ 02

The Scan

One command against any MCP server directory. MCTS runs 120 analyzers — static inspection, runtime fuzzing, behavioral evaluation — and produces a SARIF report ready for CI enforcement.

CLI

$ pip install mcts
$ mcts scan .

Scanning 14 MCP servers...
  CRITICAL  tool-poison: server.py:42
         tool "create_file" executes shell command
         without input sanitization
  HIGH      injection: tools.json:18
         description contains prompt override
  MEDIUM    credential: auth.py:73
         reads API key from unvalidated env var

9 findings (1 critical, 3 high, 3 medium, 2 low)
Scan complete in 0.4s. Report: scan-report.sarif

GitHub Action

# .github/workflows/mcts.yml
name: MCTS Security Scan
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: MCTS Scan
        uses: tcconnally/mcts-action@v1
        with:
          fail-on: high
# Blocks merge on HIGH+ findings

§ 03

Analyzer Taxonomy

120 analyzers organized into 12 categories. Every finding maps to a specific category with a confidence score — no black-box "risk rating" that can't be traced back to the rule that fired.

TOOL-POISON

Tool Poisoning

Detects when a declared tool schema doesn't match actual behavior. 14 analyzers.

INJECTION

Prompt Injection

Hidden instructions in tool descriptions, parameter hints, and return schemas. 18 analyzers.

CREDENTIAL

Credential Leaks

API keys, tokens, and secrets exposed in tool schemas, error messages, or logging. 11 analyzers.

SANDBOX

Sandbox Escape

Shell exec, file write outside workspace, network calls to untrusted hosts. 16 analyzers.

BEHAVIOR

Behavioral Regression

Tool behavior change between versions — did the last commit quietly add a network call? 9 analyzers.

DEPENDENCY

Dependency Risk

Checks npm/pip/cargo dependencies for known vulnerable packages. 12 analyzers.

SCHEMA

Schema Validation

MCP protocol compliance — required fields, valid types, parameter constraints. 8 analyzers.

FUZZING

Input Fuzzing

Randomized and targeted fuzzing of tool inputs. Buffer overflow, injection payloads. 10 analyzers.

TRUST

Trust Chain

package.json author verification, npm/GitHub account age, publish history. 7 analyzers.

CONFIG

Configuration

Dangerous default configurations, overly permissive tool declarations. 6 analyzers.

TELEMETRY

Telemetry/Exfil

Hidden analytics, usage tracking, data exfiltration through tool calls. 5 analyzers.

REGEN

Regeneration Attack

Tools that regenerate themselves or modify their own source during execution. 4 analyzers.

12 categories × 10 analyzers avg = 120 rules

§ 04

Self-Verifying Scoring

MCTS tests its own detections. Every analyzer has a matching regression test that verifies: does this rule catch what it claims to catch? This is the one feature no competitor has — and it means our severity scores aren't guesses.

Competitor	Static Analysis	Runtime Fuzzing	Behavioral Regression	Self-Verification	CI Block
MCTS	✓	✓	✓	✓	✓
npm audit	✓	—	—	—	—
Snyk	✓	—	—	—	✓
CodeQL	✓	—	—	—	✓
Claude Code Review	~	—	—	—	—

§ 05

Registry Scan Results

We scanned the top MCP servers by GitHub stars. 81% have at least one HIGH or CRITICAL security finding. Below are the results — every finding mapped to a specific analyzer and MITRE ATLAS technique.

Server	Findings	HIGH+	CRITICAL
Playwright MCP	9	6	0
AWS MCP	1,353	450	108
n8n	463	84	0
FastMCP	310	102	20
Cline	437	16	0
Continue	490	11	0
Stagehand	132	13	2
MCP Official Servers	121	29	4
Pydantic AI	207	10	2
UI-TARS Desktop	378	17	3
Exa MCP	29	10	2
Serena	51	3	0
Gen AI Toolbox	35	4	0
Figma Context MCP	31	0	0
Anthropic Tools	1	0	0
LangChain MCP	22	0	0

16 servers scanned Jun 12, 2026. 13/16 (81%) have ≥1 HIGH finding. 6/16 (38%) have ≥1 CRITICAL. Scan command: mcts scan <repo>

§ 06

Quickstart Setup

1. Install

pip install mcts

2. Scan

mcts scan .
mcts scan . --output sarif
mcts scan . --fail-on high

3. CI Integration (optional)

# .github/workflows/security.yml
- uses: tcconnally/mcts-action@v1
  with:
    fail-on: high
    sarif-upload: true

MCTS on GitHub →