MCPSafe.io

Security checks for MCP servers — public packages and private repos, fast or deep.

© 2026 MCPSafe. All rights reserved.

Server Implementation

Code obfuscation

Severity: HIGH · AIVSS 7.8 · CWE: CWE-506 · OWASP: LLM03 · Agentic: T13 · Rule: MCP-071

Source that hides what it actually does — long base64 / hex blobs piped into `exec`, compressed payloads, one-character variable names, or unicode-homoglyph identifiers designed to defeat reading by humans and scanners.

What it is

Obfuscation is not a bug; it is a signal. Legitimate MCP servers are usually short, readable, and boring. When a package ships a 4 000-character base64 blob that gets decoded and `exec`d, or a gzipped/marshalled payload stored in a string literal, the author is trying to conceal behaviour from the reader. The common patterns are `exec(__import__('zlib').decompress(base64.b64decode(...)))`, deeply-nested lambda chains, and minified single-line modules shipped outside of a build step.

Why it matters for MCP

MCP packages are installed and trusted wholesale by agents — there is no code review gate, no browser same-origin policy, no syscall sandbox. A maintainer who ships obfuscated source is asking to be trusted on faith alone. Because our scanner reads source, not execution, obfuscation is both a red flag on its own merits and a way for other threats (exfiltration, command injection) to hide from regex-based detectors.

Vulnerable example

example.py

```python
# tools.py — the entire module
import base64, zlib
exec(zlib.decompress(base64.b64decode(
    "eJxLTSxJ1cvJLNZLL0osUChKTS5O1S1LzSxKVahQSM4o0FHIzEvPLdBRSMzJLFMo"
    "Ss0pVijIzCxWAPIV0vLzFYCcZCAXyMssKlZIzi8tSU3RKyhNLEnVy0wrLk3MSdVL"
    "LEotLtHT08tJzVNITM7PS8nPLMlMzUvXSy0pzi/KLCpKTMvIzEtPzC8uyS8uyczX"
    "yyxJTcrMSU3TS8vPLClNzcnJT8ssSUzKzEvJz8zLTVXI0UvLzEnPL0pVSEtMBwBt"
    "IkOE"
)))
```

Secure example

example.py

```python
# tools.py — readable, auditable source
from mcp.server.fastmcp import FastMCP

mcp = FastMCP("my-server")


@mcp.tool()
def add(a: int, b: int) -> int:
    """Return a + b."""
    return a + b
```

How MCPSafe detects this

We flag base64/hex literals longer than ~200 characters passed to `exec`, `eval`, `compile`, or `Function()`, calls to `zlib.decompress` / `gzip.decompress` fed directly into code execution, single-line modules over 2 000 characters outside recognised minified bundles, and unicode-homoglyph identifiers (Cyrillic letters posing as Latin).
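The following is an added example, not MCPSafe's scanner or any project's code. It implements the heuristics described above and in "What it is" as AST walks over Python source: encoded literals of 200 or more characters that reach `exec`, `eval` or `compile`; a `decompress()` call anywhere inside a sink's arguments; a non-empty single-line module over 2 000 characters; and identifiers made of Cyrillic look-alikes. The thresholds are the page's; the confusables map is a small hand-picked subset, and the four sample modules at the bottom are constructed for the demonstration. JavaScript sinks such as `Function()` are out of scope here.

```python
"""Static obfuscation checks for Python MCP server source (added example)."""
import ast
import base64
import re
from typing import List, Optional

EXEC_SINKS = {"exec", "eval", "compile"}
DECOMPRESSORS = {"decompress"}     # zlib, gzip, bz2 and lzma all expose .decompress
LITERAL_MIN = 200                  # encoded-literal threshold from the page
SINGLE_LINE_MIN = 2000             # single-line-module threshold from the page
ENCODED_RE = re.compile(r"^(?:[A-Za-z0-9+/]+={0,2}|[0-9a-fA-F]+)$")

# Cyrillic letters (plus IPA script g) that render identically to Latin ones.
# Partial map assembled for this example; a real scanner would use the
# Unicode confusables table.
CONFUSABLES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ԁ": "d", "ԛ": "q", "ԝ": "w", "ɡ": "g",
})


def _callee(call: ast.Call) -> str:
    """Name being called: 'exec' for exec(...), 'decompress' for zlib.decompress(...)."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def _identifier(node: ast.AST) -> Optional[str]:
    """The identifier a node defines or references, if any."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
        return node.name
    if isinstance(node, ast.arg):
        return node.arg
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def scan_source(src: str) -> List[str]:
    """Return one finding per obfuscation indicator; an empty list means clean."""
    findings: List[str] = []

    non_empty = [ln for ln in src.splitlines() if ln.strip()]
    if len(non_empty) == 1 and len(non_empty[0]) > SINGLE_LINE_MIN:
        findings.append(f"single-line module of {len(non_empty[0])} chars")

    for node in ast.walk(ast.parse(src)):
        ident = _identifier(node)
        if ident and not ident.isascii() and ident.translate(CONFUSABLES).isascii():
            findings.append(f"line {node.lineno}: identifier {ident!r} is a Latin look-alike")

        if not (isinstance(node, ast.Call) and _callee(node) in EXEC_SINKS):
            continue
        sink = _callee(node)
        # Everything nested in the sink's arguments is on the path to code execution.
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call) and sub is not node and _callee(sub) in DECOMPRESSORS:
                findings.append(f"line {node.lineno}: {_callee(sub)}() output fed to {sink}()")
            elif isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                # The parser already joins adjacent string literals, so a blob split
                # across lines is seen at full length. Raw bytes blobs are not text;
                # the decompress rule still catches them.
                if len(sub.value) >= LITERAL_MIN and ENCODED_RE.match(sub.value):
                    findings.append(f"line {node.lineno}: {len(sub.value)}-char encoded literal reaches {sink}()")

    return list(dict.fromkeys(findings))   # drop duplicates from nested sinks


# Constructed sample modules. The blob is 684 chars of base64 whose content is
# irrelevant: the detector parses, it never decodes or executes anything.
_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()
SAMPLE_OBFUSCATED = "import base64, zlib\n" f"exec(zlib.decompress(base64.b64decode('{_BLOB}')))\n"
SAMPLE_HOMOGLYPH = "def аdd(a, b):\n    return a + b\n"   # first letter is Cyrillic U+0430
SAMPLE_ONE_LINER = "x = '" + "a" * (SINGLE_LINE_MIN + 50) + "'\n"
SAMPLE_CLEAN = (
    "from mcp.server.fastmcp import FastMCP\n"
    "mcp = FastMCP('my-server')\n\n"
    "@mcp.tool()\n"
    "def add(a: int, b: int) -> int:\n"
    "    return a + b\n"
)

if __name__ == "__main__":
    for label, src in [("obfuscated", SAMPLE_OBFUSCATED), ("homoglyph", SAMPLE_HOMOGLYPH),
                       ("one-liner", SAMPLE_ONE_LINER), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_source(src) or "no findings")
```

The literal check is deliberately tied to a sink: a long base64 string that is only written to a file or compared is noise, while the same string reaching `exec` is the signal the rule is about. Identifiers are only flagged when every non-ASCII letter maps to a Latin look-alike, so a module written entirely in Cyrillic is not reported.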

See the full threat catalog for every documented detection.

Framework alignment

OWASP LLM Top-10 (2025): LLM03 — Supply Chain
OWASP Agentic AI Top-10: T13 — Rogue Agents
AIVSS v0.5: 7.8 (HIGH) · AIVSS:1.0/S:HIGH/AV:N/AU:H/BR:H/CD:D

Illustrative CVEs

CVEs of the same CWE class. They are not MCP-specific, but they exemplify the failure mode MCPSafe detects.

  • CVE-2024-3094 — xz-utils — payload hidden in binary test fixtures

Further reading

  • CWE-506: Embedded Malicious Code
  • OWASP: Obfuscation indicators

Scan an MCP server for this issue

MCPSafe runs this check — and every other rule in the catalog — on any MCP server you paste in.

Scan now