Threat Catalog
Every detection rule MCPSafe ships. Each entry maps to a CWE and a severity tier, and links to a page with explanation and detection notes. Paste an MCP server on the scan page to run the whole catalog against it.
91 rules · Last updated 2026-05-13T18:27:42Z
| Rule ID | Name | Description | Severity | CWE | Scan type |
|---|---|---|---|---|---|
| MCP-093 | tool-poisoning | Flags MCP tool descriptions that embed imperative instructions | CRITICAL | CWE-93 | Deep |
| MCP-094 | silent-redefinition | Flags MCP tool implementations whose handler can silently replace | CRITICAL | CWE-494 | Deep |
| MCP-095 | dynamic-behavior-change | Flags MCP tools whose behaviour on each invocation is driven by | HIGH | CWE-506 | Deep |
| MCP-096 | indirect-prompt-injection | Flags MCP tool handlers that fetch untrusted external content | CRITICAL | CWE-93 | Deep |
| MCP-100 | supply-chain-risks | Flags supply-chain risk signals on MCP-server manifests. Two signals: | MEDIUM | CWE-1357 | Fast |
| MCP-110 | resource-exhaustion | Flags HTTP, socket, and subprocess calls without an explicit | MEDIUM | CWE-400 | Fast |
| MCP-120 | excessive-permissions | Flags chmod 0777/0666 calls, umask(0), and IAM policy statements | MEDIUM | CWE-732 | Fast |
| MCP-200 | destructive-tool-annotations | Flags MCP tools whose registration violates the spec's annotation | HIGH | CWE-506 | Fast |
| MCP-201 | destructive-without-confirmation | Flags MCP tool modules that register a tool, perform a destructive | MEDIUM | CWE-862 | Fast |
| MCP-202 | runtime-secret-exfil | Flags runtime secrets (environment variables matching | HIGH | CWE-532 | Deep |
| MCP-203 | iam-wildcard | Flags inline IAM policies that grant wildcard actions or resources. | HIGH | CWE-250 | Fast |
| MCP-204 | oauth-scope-unused | Flags OAuth scopes declared in SDK config that are over-broad for the | MEDIUM | CWE-250 | Deep |
| MCP-205 | prompt-injection-into-inner-llm | Flags MCP tool modules where user-controllable tool-handler input flows | HIGH | CWE-94 | Deep |
| MCP-206 | overbroad-string-schema | Flags MCP tool input schema fields that expose an unconstrained | MEDIUM | CWE-20 | Fast |
| MCP-207 | install-time-hooks | Flags install-time code execution in MCP server packages. Two | MEDIUM | CWE-506 | Fast |
| MCP-208 | container-runs-as-root | Flags Dockerfiles that never set a non-root `USER` directive. The | MEDIUM | CWE-250 | Fast |
| MCP-209 | manifest-auth-missing | Flags MCP server manifests that declare tools but no authentication. | MEDIUM | CWE-306 | Deep |
| MCP-210 | envfile-plaintext-secret | Flags `.env` files that contain credential-like variable names | HIGH | CWE-798 | Fast |
| MCP-211 | sampling-without-budget | Flags files that invoke MCP's `sampling/createMessage` capability without | HIGH | CWE-770 | Fast |
| MCP-212 | resources-read-arbitrary-path | Flags MCP servers that expose a `resources/read` handler (`@mcp.resource`, | HIGH | CWE-22 | Deep |
| MCP-213 | roots-overbroad | Flags MCP server manifests (mcp.json / claude_desktop_config.json / | HIGH | CWE-732 | Fast |
| MCP-214 | prompts-untrusted-template | Flags MCP servers whose prompt handlers (`@mcp.prompt`, | HIGH | CWE-94 | Deep |
| MCP-215 | tool-list-changed-no-version | Flags MCP servers whose tool list is dynamic (they emit | MEDIUM | CWE-345 | Deep |
| MCP-217 | unauthenticated-tools-list | Flags MCP servers that mount an HTTP route handling `tools/list` | HIGH | CWE-306 | Fast |
| MCP-220 | markdown-image-exfil | Flags MCP tool implementations that build a markdown image URL by | HIGH | CWE-200 | Fast |
Showing 26–50 of 91 rules
MCPSafe detects every issue in this catalog automatically. Paste an MCP server’s GitHub URL or package name on the scan page.
Scan now