AiPayGen
Pay-per-use AI API platform with 155 tools, agent builder, and USDC micropayments.
0Tools
15Findings
1Stars
Mar 19, 2026Last Scanned
4 critical · 9 high · 1 medium · 1 low findings detected
Security Category Deep Dive
Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
100%4 rules
Hidden instructions via external content and tool responses
100%2 rules
Context window saturation and prior-approval exploitation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
100%2 rules
Injection via prompt templates and runtime tool output
Findings15
4critical
9high
1medium
1low
Critical4
criticalQ8Cross-Protocol Authentication ConfusionMCP07-insecure-configT1550
Pattern "(?:oauth|bearer).{0,100}(?:api[_\s-]?key|x-api-key|apiKey)" matched in source_code: "Bearer apk_xxx header with a prepaid API key" (at position 39075)
MCP servers supporting multiple protocols must enforce authentication independently per protocol. Never reuse OAuth tokens across protocol boundaries. Implement protocol-specific middleware with explicit auth checks on every path. Audit auth coverage for all transport types (stdio, SSE, Streamable HTTP, REST). Reference: CVE-2025-6514 demonstrated that auth library vulnerabilities in MCP's OAuth layer cascade to all protocols sharing the same auth middleware.
criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "(?:mcp|fastmcp|langchain-mcp|llama-index-mcp)(?:>=|~=|==)?(?!\d)" matched in source_code: "MCP" (at position 34115)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
criticalK8Cross-Boundary Credential SharingMCP05-privilege-escalationAML.T0054
Pattern "(return|respond|output|result).*(?:token|credential|api[_\s-]?key|secret|password|bearer)" matched in source_code: "returns prepaid API key for metered token" (at position 32707)
Never forward, share, or embed credentials across trust boundaries. Use OAuth token exchange (RFC 8693) to create scoped, delegated tokens instead of passing original credentials. Never include credentials in tool responses. Required by ISO 27001 A.5.17 and OWASP ASI03.
criticalQ11Code Suggestion Poisoning via MCPMCP01-prompt-injectionAML.T0054.001
Pattern "(?:suggest|generate|complete|insert).*(?:code|function|class|import|require)" matched in source_code: "INSERT INTO refund_credits (code" (at position 6424)
MCP tool outputs flowing into IDE code suggestion contexts must be sanitized. Implement output content policies that: (1) strip hidden Unicode characters (zero-width, RTL override, tag characters), (2) detect embedded instructions targeting AI code assistants, (3) validate code blocks against security patterns before they enter the suggestion pipeline, (4) never include shell commands in tool outputs without explicit [COMMAND] markers visible to the user. Reference: IDEsaster (Dec 2025), arXiv 2509.22040.
High9
highK15Multi-Agent Collusion PreconditionsMCP05-privilege-escalationAML.T0054
Pattern "(agent|delegate|orchestrat).*(?:invoke|call|execute|spawn)(?!.*(?:rate[_\s-]?limit|throttle|quota|max[_\s-]?concurrent|semaphore))" matched in source_code: "agentic reasoning — Claude Sonnet breaks down and execute" (at position 24881)
Implement collusion-resistant multi-agent architecture: (1) Verify agent identity cryptographically before accepting commands, (2) Apply ACLs to shared write surfaces, (3) Rate-limit cross-agent invocations, (4) Audit all inter-agent communication with timestamps and agent IDs, (5) Baseline normal interaction patterns for anomaly detection. Required by MAESTRO L7 and CoSAI MCP-T9.
highD1Known CVEs in DependenciesMCP08-dependency-vuln
Dependency "pyopenssl@25.3.0" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.
highK4Missing Human Confirmation for Destructive OpsMCP06-excessive-permissionsAML.T0054
Pattern "(delete|remove|drop|truncate|destroy|purge|wipe|erase).*(?:execute|run|perform|call)(?!.*(?:confirm|approve|prompt|ask|verify|consent))" matched in source_code: "removed, use run" (at position 1317)
All destructive operations (delete, drop, overwrite, send) MUST include a human confirmation step. Use the MCP destructiveHint annotation to signal that client-side confirmation is required. Implement an approval gate pattern: preview changes → request confirmation → execute. Required by ISO 42001 A.9.1, EU AI Act Art. 14, and NIST AI RMF GOVERN 1.7.
highK18Cross-Trust-Boundary Data Flow in Tool ResponseMCP04-data-exfiltrationAML.T0054
Pattern "(?:readFile|read_file|query|select|getSecret|getCredential|getPassword).*(?:webhook|http|fetch|axios|post|send|email|slack|discord)" matched in source_code: "SELECT calls_used FROM free_tier_usage WHERE ip=? AND date=?", (ip, today)).fetch" (at position 41085)
Implement data flow taint tracking: tag data from sensitive sources (databases, credentials, files) and prevent it from flowing to external sinks (HTTP, webhooks, email) without explicit sanitization/redaction. Apply data classification and enforce boundary controls per trust level. Required by ISO 27001 A.5.14 and CoSAI MCP-T5.
highD1Known CVEs in DependenciesMCP08-dependency-vuln
Dependency "pyjwt@2.11.0" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.
highD1Known CVEs in DependenciesMCP08-dependency-vuln
Dependency "pypdf2@3.0.1" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.
highK13Unsanitized Tool OutputMCP02-tool-poisoningAML.T0054
Pattern "(?:fetch|axios|requests?\.get|http\.get).*(?:return|respond|result|body|text|data)(?!.*(?:sanitize|escape|encode|strip|validate|parse|extract))" matched in source_code: "Fetch any URL and return clean markdown text" (at position 10046)
Sanitize all external data before including in tool responses. Implement output encoding that neutralizes prompt injection patterns. Truncate excessively long content. Validate structure before passing database results. Apply the principle: treat all external data as untrusted, even in tool outputs. Required by CoSAI MCP-T4.
highQ14Concurrent MCP Server Race ConditionMCP07-insecure-configT1068
Pattern "(?:read|write|modify|delete).*(?:file|path|directory)(?!.*(?:lock|mutex|semaphore|flock|atomic))" matched in source_code: "delete_file, list_file" (at position 2399)
MCP servers sharing filesystem or database backends with other servers must implement proper concurrency controls. Use: (1) file locking (flock/lockfile) for filesystem operations, (2) database transactions for all read-modify-write sequences, (3) atomic file operations (O_EXCL, mkdtemp) instead of check-then-create, (4) lstat() to detect symlinks before following (CVE-2025-53109). Never assume exclusive access to shared resources — other MCP servers may be operating concurrently.
highQ15A2A/MCP Protocol Boundary ConfusionMCP06-excessive-permissionsAML.T0054
Pattern "(?:discover|register|advertise).*(?:agent|skill|capability)(?!.*(?:verify|auth|sign|trust))" matched in source_code: "discovery import run_all_hunters # run_all_agent" (at position 1266)
Servers bridging A2A and MCP protocols must: (1) sanitize all A2A task metadata before passing to MCP tool inputs, (2) apply MCP content policies to A2A TextPart/FilePart/DataPart content, (3) validate A2A push notifications before they re-enter MCP context, (4) require cryptographic verification for agent discovery and registration (prevent fake agent advertisement — arXiv 2602.19555), (5) maintain separate permission models for A2A and MCP operations — trust in one protocol must not automatically grant trust in the other.
Medium1
mediumK17Missing Timeout or Circuit BreakerMCP07-insecure-configAML.T0054
Pattern "(?:query|execute|find|select|aggregate)\s*\((?!.*(?:timeout|maxTimeMS|statement_timeout|deadline|cancel))" matched in source_code: "execute(" (at position 5791)
Add timeouts to ALL external calls: HTTP requests (30s), database queries (10s), subprocess execution (60s), and MCP tool calls (30s). Implement circuit breakers that open after N consecutive failures (e.g., opossum, cockatiel). Use AbortSignal for cancellable operations. Required by EU AI Act Art. 15 and OWASP ASI08.
Low1
lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.