Context Mode
Reduces context consumption by 98% through sandboxed code execution and SQLite-based session continuity with FTS5 search.
0Tools
13Findings
5.5kStars
—Downloads
Mar 22, 2026Last Scanned
Findings13
5critical
6high
1medium
1low
0informational
criticalC1Command InjectionMCP03-command-injectionAML.T0054
Pattern "`[^`]+`" matched in source_code: "`[context-mode] unhandledRejection: ${err}\n`" (at position 1645)
Replace exec()/execSync() with execFile() and pass arguments as an array, never as a string. Validate all inputs against an allowlist before use in any shell context. For subprocess.run, always pass a list and shell=False.
criticalJ1Cross-Agent Configuration PoisoningMCP05-privilege-escalationAML.T0054
Pattern "(\.claude[/\\]|claude[/\\]settings|claude.*config)" matched in source_code: ".claude/" (at position 2285)
MCP servers MUST NOT write to AI agent configuration directories. If configuration management is the server's purpose, require explicit user confirmation before any write and restrict paths to the server's own config namespace. CVE-2025-53773 demonstrated this enables full RCE across agent boundaries.
criticalJ7OpenAPI Specification Field InjectionMCP03-command-injectionAML.T0054
Pattern "(?:summary|operationId|description).*\$\{|`.*(?:summary|operationId)" matched in source_code: "description: `MANDATORY: Use for any command where output exceeds 20 lines. Execute code in a sandboxed subprocess. Only stdout enters context — raw data stays in the subprocess.${bunNote} Available: ${" (at position 11969)
Sanitize all OpenAPI specification fields before using them in code generation or template interpolation. Treat summary, description, operationId, and extension fields as untrusted input. Use parameterized templates instead of string interpolation. See CVE-2026-22785/23947.
criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "(?:mcp|fastmcp|langchain-mcp|llama-index-mcp)(?:>=|~=|==)?(?!\d)" matched in source_code: "Mcp" (at position 61)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
criticalQ9Agentic Workflow DAG ManipulationMCP05-privilege-escalationAML.T0058
Pattern "(?:next[_\s]?(?:step|node|agent)|route[_\s]?to|redirect[_\s]?to|skip[_\s]?(?:step|node|validation))" matched in source_code: "route to" (at position 38982)
MCP tools must NOT modify agentic workflow graphs, execution order, or routing during runtime. Workflow structure should be immutable once execution begins. If dynamic workflow modification is required, implement: (1) approval gates that require human confirmation before graph mutations, (2) integrity checks that validate the workflow graph against a known-good baseline after each step, (3) audit logging of all graph modifications with rollback capability. Reference: arXiv 2602.19555, Trend Micro subgraph impersonation attack (2026).
highQ14Concurrent MCP Server Race ConditionMCP07-insecure-configT1068
Pattern "(?:read|write|modify|delete).*(?:file|path|directory)(?!.*(?:lock|mutex|semaphore|flock|atomic))" matched in source_code: "readdirSync, readFile" (at position 323)
MCP servers sharing filesystem or database backends with other servers must implement proper concurrency controls. Use: (1) file locking (flock/lockfile) for filesystem operations, (2) database transactions for all read-modify-write sequences, (3) atomic file operations (O_EXCL, mkdtemp) instead of check-then-create, (4) lstat() to detect symlinks before following (CVE-2025-53109). Never assume exclusive access to shared resources — other MCP servers may be operating concurrently.
highK13Unsanitized Tool OutputMCP02-tool-poisoningAML.T0054
Pattern "(?:return|respond|result).*(?:readFile|read_file|fs\.read)(?!.*(?:sanitize|escape|encode|strip))" matched in source_code: "return JSON.parse(readFile" (at position 1419)
Sanitize all external data before including in tool responses. Implement output encoding that neutralizes prompt injection patterns. Truncate excessively long content. Validate structure before passing database results. Apply the principle: treat all external data as untrusted, even in tool outputs. Required by CoSAI MCP-T4.
highK16Unbounded Recursion / Missing Depth LimitsMCP07-insecure-configAML.T0054
Pattern "function\s+(\w+).*\{[^}]*\1\s*\((?!.*(?:depth|level|limit|max|count|recursi))" matched in source_code: "function resolveTurndownPath(): string {
if (!_turndownPath) {
const require = createRequire(import.meta.url);
_turndownPath = require.resolve(" (at position 38286)
Add explicit depth/recursion limits to all recursive operations. Use iterative approaches where possible. Set maximum depth for directory walking (max_depth=10), tree traversal (max_level=20), and agent re-invocation (max_calls=5). Implement circuit breakers that halt after N iterations. Required by EU AI Act Art. 15 (robustness) and OWASP ASI08.
highN2JSON-RPC Notification FloodingMCP07-insecure-configAML.T0054
Pattern "(?:sendNotification|send_notification|notify|emit)\s*\((?!.*(?:queue|throttle|rateLimit|backpressure|bounded))" matched in source_code: "emit(" (at position 39528)
Implement bounded notification queues (recommended max size: 100 per subscription). Apply backpressure — when the queue is full, drop oldest notifications or pause the producer. Enforce per-client notification rate limits. JSON-RPC notifications have no response, so there is no natural flow control — servers MUST implement it explicitly.
highK11Missing Server Integrity VerificationMCP10-supply-chainAML.T0054
Pattern "(connect|load|register|add)[_\s-]?(mcp|server|tool)(?!.*(?:verify|validate|checksum|hash|sign|cert|fingerprint|pin))" matched in source_code: "registerTool" (at position 11903)
Implement cryptographic verification for MCP server connections: (1) Pin server TLS certificates or public keys, (2) Verify server tool definition checksums against a known-good manifest, (3) Use package manager integrity checks (npm integrity, pip --require-hashes). The MCP spec recommends but doesn't yet mandate server signing — implement it proactively. Required by ISO 27001 A.8.24 and CoSAI MCP-T6.
highC3Server-Side Request Forgery (SSRF)MCP04-data-exfiltrationAML.T0057
Pattern "\bfetch\s*\(\s*(?:req|request|input|param|params|args|url|uri|href|link|target|destination|endpoint|host|address|resource|src|source|location|proxy|callback|userUrl|user_url|externalUrl|external_url|redirectUrl|redirect_url)" matched in source_code: "fetch(url" (at position 39800)
Validate ALL user-supplied URLs before making HTTP requests:
1. Parse the URL and check the hostname against an explicit allowlist of permitted domains.
2. Block requests to RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
3. Block loopback (127.0.0.0/8), link-local (169.254.0.0/16), and IPv6 equivalents.
4. Block file:// and other non-http(s) protocols explicitly.
5. Disable automatic redirect following, or re-validate each redirect destination.
6. In cloud environments: block requests to IMDS endpoints (169.254.169.254,
metadata.google.internal) at both the application AND network layer.
Example (Node.js): Use the `ssrf-req-filter` package or implement URL validation
against an allowlist before calling fetch/axios/got.
mediumK17Missing Timeout or Circuit BreakerMCP07-insecure-configAML.T0054
Pattern "(?:fetch|axios|got|request|urllib|httpx|http\.get|http\.post)\s*\((?!.*(?:timeout|signal|AbortSignal|deadline|cancel))" matched in source_code: "fetch(" (at position 39800)
Add timeouts to ALL external calls: HTTP requests (30s), database queries (10s), subprocess execution (60s), and MCP tool calls (30s). Implement circuit breakers that open after N consecutive failures (e.g., opossum, cockatiel). Use AbortSignal for cancellable operations. Required by EU AI Act Art. 15 and OWASP ASI08.
lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.
Tools
No tools exposed by this server.
Security Category Deep Dive
Sub-Category Tree · Remediation Roadmap · Attack Stories · Compliance Overlay · ATLAS Techniques · Maturity Model
Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
100%4 rules
Hidden instructions via external content and tool responses
100%2 rules
Context window saturation and prior-approval exploitation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
100%2 rules
Injection via prompt templates and runtime tool output