Threat Catalog
Every detection rule MCPSafe ships. Each entry maps to a CWE and a severity tier, and links to a page with explanation and detection notes. Paste an MCP server on the scan page to run the whole catalog against it.
91 rules · Last updated 2026-06-25T18:12:08Z
| Rule ID | Name | Description | Severity | CWE | Scan type |
|---|---|---|---|---|---|
| MCP-002 | command-injection | Flags shell-execution sinks that receive attacker-influenced data: | CRITICAL | CWE-78 | Deep |
| MCP-003 | path-traversal |
| Flags filesystem sinks (open, send_file, fs.readFile/writeFile, |
| HIGH |
| CWE-22 |
| Deep |
| MCP-005 | data-exfiltration-tool | Flags MCP tool manifests whose declared behaviour indicates | HIGH | CWE-200 | Deep |
| MCP-010 | code-injection | Flags dynamic code execution primitives (eval, exec, compile+exec, | CRITICAL | CWE-94 | Deep |
| MCP-030 | secrets-in-source | Detects committed credentials (AWS, GitHub, OpenAI, Anthropic, Stripe, | HIGH | CWE-798 | Fast |
| MCP-045 | idor | Flags MCP tool handlers that accept an identifier (document ID, | HIGH | CWE-639 | Deep |
| MCP-046 | tool-shadowing | Flags MCP servers whose tool names duplicate well-known tools | HIGH | CWE-1357 | Deep |
| MCP-047 | confused-deputy | Flags MCP tool handlers that act on behalf of the caller using | HIGH | CWE-441 | Deep |
| MCP-048 | covert-channels | Flags MCP tool manifests that hide instructions or identity | MEDIUM | CWE-514 | Deep |
| MCP-050 | weak-auth | Flags password-hashing with MD5 or SHA-1 and bcrypt with <10 rounds. | MEDIUM | CWE-916 | Fast |
| MCP-051 | lack-of-observability | Flags exception handlers that swallow errors without logging: | LOW | CWE-778 | Fast |
| MCP-052 | insecure-network-exposure | Flags servers that bind to 0.0.0.0 (all interfaces) via host= kwarg, | MEDIUM | CWE-668 | Fast |
| MCP-060 | ssrf-oauth-metadata | Closes the official MCP security best practices SSRF threat — | HIGH | CWE-918 | Deep |
| MCP-061 | insecure-deserialization | Flags pickle.load(s), yaml.load (non-safe), marshal.load(s), | CRITICAL | CWE-502 | Fast |
| MCP-062 | sql-injection | Flags SQL sinks (cursor.execute, connection.query, sequelize.query, | CRITICAL | CWE-89 | Deep |
| MCP-070 | hidden-side-effects | Flags MCP tool handlers that perform side effects (network | HIGH | CWE-1059 | Deep |
| MCP-071 | code-obfuscation | Flags exec/eval of base64-decoded, hex-decoded, zlib-decompressed, | HIGH | CWE-506 | Fast |
| MCP-072 | vulnerable-dependencies | Flags MCP-server dependencies pinned to versions with known CVEs in the | HIGH | CWE-1104 | Fast |
| MCP-073 | insecure-container-image | Flags Dockerfile FROM directives that use the floating :latest tag. | MEDIUM | CWE-1104 | Fast |
| MCP-080 | xxe | Flags XML parsing APIs that default to resolving external entities | HIGH | CWE-611 | Fast |
| MCP-081 | zip-slip | Flags archive extraction (zipfile, tarfile, adm-zip, unzipper, yauzl) | HIGH | CWE-22 | Deep |
| MCP-082 | weak-randomness | Flags use of Python random.*, JavaScript Math.random, and numpy.random | HIGH | CWE-338 | Fast |
| MCP-083 | ansi-escape-injection | Flags direct printing of request/event/body/input/payload/params to | MEDIUM | CWE-150 | Fast |
| MCP-084 | denial-of-wallet | Flags MCP tool handlers that call an LLM provider SDK | HIGH | CWE-400 | Deep |
| MCP-085 | verbose-errors | Flags exception detail (str(e), repr(e), traceback.format_exc) or | MEDIUM | CWE-209 | Fast |
Showing 1–25 of 91 rules