mkdocs-mcp-plugin
Mkdocs + MCP to enhance context retrieval using repo docs
0Tools
10Findings
10Stars
Mar 22, 2026Last Scanned
3 critical · 4 high · 2 medium · 1 low findings detected
Security Category Deep Dive
Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
100%4 rules
Hidden instructions via external content and tool responses
100%2 rules
Context window saturation and prior-approval exploitation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
100%2 rules
Injection via prompt templates and runtime tool output
Findings10
3critical
4high
2medium
1low
Critical3
criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "(?:mcp|fastmcp|langchain-mcp|llama-index-mcp)(?:>=|~=|==)?(?!\d)" matched in source_code: "fastmcp" (at position 282)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
criticalQ11Code Suggestion Poisoning via MCPMCP01-prompt-injectionAML.T0054.001
Pattern "(?:suggest|generate|complete|insert).*(?:code|function|class|import|require)" matched in source_code: "Generate dense embeddings using SentenceTransformerEmbeddingFunction" (at position 8512)
MCP tool outputs flowing into IDE code suggestion contexts must be sanitized. Implement output content policies that: (1) strip hidden Unicode characters (zero-width, RTL override, tag characters), (2) detect embedded instructions targeting AI code assistants, (3) validate code blocks against security patterns before they enter the suggestion pipeline, (4) never include shell commands in tool outputs without explicit [COMMAND] markers visible to the user. Reference: IDEsaster (Dec 2025), arXiv 2509.22040.
criticalC1Command InjectionMCP03-command-injectionAML.T0054
Pattern "`[^`]+`" matched in source_code: "`python
# Hybrid search for comprehensive results
results = search(
query="{topic}",
search_type="hybrid",
max_results=10
)
# For more specific keyword matches
keyword_results = keyword_search(
query="{topic}",
max_results=5
)
# For semantic understanding
vector_results = vector_search(
query="{topic}",
max_results=5
)
`" (at position 31126)
Replace exec()/execSync() with execFile() and pass arguments as an array, never as a string. Validate all inputs against an allowlist before use in any shell context. For subprocess.run, always pass a list and shell=False.
High4
highO8Timing-Based Covert ChannelMCP04-data-exfiltrationAML.T0057
Pattern "(?:delay|sleep|timeout|interval)\s*[:=]\s*(?:[^;]*(?:secret|token|password|credential|key|env))" matched in source_code: "timeout=5)
print("MkDocs server stopped gracefully.", file=sys.stderr)
except subprocess.TimeoutExpired:
# Force kill if it doesn't terminate
print("MkDocs server did not stop gracefully, forcing shutdown...", file=sys.stderr)
_mkdocs_process.kill()
_mkdocs_process.wait(timeout=2)
print("MkDocs server forcefully stopped.", file=sys.stderr)
except Exception as e:
print(f"Error stopping MkDocs server: {e}", file=sys.stderr)
# Try to kill the process if it still exists
try:
if _mkdocs_process.poll() is None:
_mkdocs_process.kill()
except:
pass
finally:
_mkdocs_process = None
# Also ensure the thread is properly joined
if _mkdocs_thread and _mkdocs_thread.is_alive():
try:
_mkdocs_thread.join(timeout=1)
except:
pass
finally:
_mkdocs_thread = None
def initialize_mkdocs_integration():
"""Initialize MkDocs integration by finding config and starting server."""
global _mkdocs_config, _project_root, _mkdocs_thread
# Find MkDocs config
config_path = find_mkdocs_config()
if not config_path:
print(
"Warning: No mkdocs.yml found. MkDocs serve will not be started.",
file=sys.stderr,
)
print("The MCP server will run in standalone mode.", file=sys.stderr)
return False
print(f"Found MkDocs config at: {config_path}", file=sys.stderr)
_project_root = config_path.parent
# Load config
_mkdocs_config = load_mkdocs_config(config_path)
site_name = _mkdocs_config.get("site_name", "MkDocs")
print(f"Loaded MkDocs project: {site_name}", file=sys.stderr)
# Check if MkDocs is installed
try:
result = subprocess.run(
["mkdocs", "--version"], capture_output=True, text=True, timeout=5
)
if result.returncode == 0:
print(f"MkDocs version: {result.stdout.strip()}", file=sys.stderr)
else:
print(
"Warning: MkDocs command failed. Server will not be started.",
file=sys.stderr,
)
return False
except (subprocess.TimeoutExpired, FileNotFoundError) as e:
print(f"Warning: MkDocs not found or not responding: {e}", file=sys.stderr)
print("Install MkDocs with: pip install mkdocs", file=sys.stderr)
return False
# Start MkDocs serve
port = int(os.getenv("MKDOCS_PORT", "8000"))
_mkdocs_thread = start_mkdocs_serve(_project_root, port)
# Wait a moment for server to start
time.sleep(2)
print("\n" + "=" * 60, file=sys.stderr)
print("MkDocs RAG Server initialized successfully!", file=sys.stderr)
print(f" - MkDocs site: http://localhost:{port}", file=sys.stderr)
print(f" - Project root: {_project_root}", file=sys.stderr)
print(f" - Docs directory: {_project_root / 'docs'}", file=sys.stderr)
print("=" * 60 + "\n", file=sys.stderr)
return True
@mcp.tool
def get_mkdocs_info() -> dict[str, Any]:
"""
Get information about the current MkDocs project.
Returns:
Information about the MkDocs configuration and server status
"""
global _mkdocs_config, _project_root, _mkdocs_process
if not _mkdocs_config:
return {"success": False, "error": "No MkDocs project loaded"}
server_running = _mkdocs_process is not None and _mkdocs_process.poll() is None
port = int(os.getenv("MKDOCS_PORT", "8000"))
return {
"success": True,
"project_root": str(_project_root),
"config_path": str(_project_root / "mkdocs.yml"),
"docs_dir": str(_project_root / _mkdocs_config.get("docs_dir", "docs")),
"site_name": _mkdocs_config.get("site_name", "MkDocs"),
"site_url": _mkdocs_config.get("site_url", ""),
"theme": _mkdocs_config.get("theme", {}),
"plugins": list(_mkdocs_config.get("plugins", [])),
"server_running": server_running,
"server_url": f"http://localhost:{port}" if server_running else None,
}
@mcp.tool
def restart_mkdocs_server(port: int | None = None) -> dict[str, Any]:
"""
Restart the MkDocs development server.
Args:
port: Port to run the server on (default: 8000 or MKDOCS_PORT env var)
Returns:
Status of the restart operation
"""
global _mkdocs_thread, _project_root
if not _project_root:
return {"success": False, "error": "No MkDocs project loaded"}
# Stop existing server
stop_mkdocs_serve()
# Start new server
if port is None:
port = int(os.getenv("MKDOCS_PORT", "8000"))
_mkdocs_thread = start_mkdocs_serve(_project_root, port)
time.sleep(2) # Wait for server to start
return {
"success": True,
"message": f"MkDocs server restarted on port {port}",
"server_url": f"http://localhost:{port}",
}
# Cleanup function
def cleanup():
"""Clean up resources on exit."""
global _searcher, _mkdocs_process
print("\nShutting down MkDocs RAG Server...", file=sys.stderr)
# Stop MkDocs server
stop_mkdocs_serve()
# Clean up search index and Milvus connection
if _searcher:
try:
# Close Milvus connection if it exists
if hasattr(_searcher, 'milvus_connected') and _searcher.milvus_connected:
try:
if _searcher.collection:
_searcher.collection.release()
connections.disconnect("default")
print("Milvus connection closed.", file=sys.stderr)
except Exception as e:
print(f"Error closing Milvus connection: {e}", file=sys.stderr)
# Clean up temporary files
_searcher.cleanup()
print("Search index cleaned up.", file=sys.stderr)
except Exception as e:
print(f"Error during searcher cleanup: {e}", file=sys.stderr)
finally:
_searcher = None
# Final check to ensure MkDocs process is terminated
if _mkdocs_process:
try:
if _mkdocs_process.poll() is None:
_mkdocs_process.kill()
print("Ensured MkDocs process termination.", file=sys.stderr)
except:
pass
print("Cleanup complete.", file=sys.stderr)
# Register cleanup
atexit.register(cleanup)
# Handle signals for graceful shutdown
def signal_handler(signum, frame):
"""Handle shutdown signals gracefully."""
print(f"\nReceived signal {signum}, initiating graceful shutdown...", file=sys.stderr)
cleanup()
sys.exit(0)
# Register signal handlers for graceful shutdown
signal.signal(signal.SIGINT, signal_handler) # Ctrl+C
signal.signal(signal.SIGTERM, signal_handler) # Termination signal
# On Windows, also handle SIGBREAK
if hasattr(signal, 'SIGBREAK'):
signal.signal(signal.SIGBREAK, signal_handler)
def main():
"""Main entry point for the MCP server."""
try:
# Initialize MkDocs integration
mkdocs_initialized = initialize_mkdocs_integration()
# Adjust default docs_dir based on project
if _project_root and _mkdocs_config:
docs_dir = _mkdocs_config.get("docs_dir", "docs")
# Update the default docs_dir for all tools
default_docs_dir = str(_project_root / docs_dir)
# Monkey-patch the default parameter for tools
# This ensures tools use the correct docs directory
import inspect
for name, func in inspect.getmembers(sys.modules[__name__]):
if hasattr(func, "__mcp_tool__"):
sig = inspect.signature(func)
params = sig.parameters
if "docs_dir" in params:
# Update default value
new_params = []
for param_name, param in params.items():
if param_name == "docs_dir":
new_param = param.replace(default=default_docs_dir)
new_params.append(new_param)
else:
new_params.append(param)
func.__signature__ = sig.replace(parameters=new_params)
# Run the MCP server
mcp.run()
except KeyboardInterrupt:
print("\nReceived key" (at position 34743)
Remove all code that calculates sleep/delay durations from application data, secrets, or any variable-length content. Tool response times should be constant or determined only by legitimate processing time. If rate limiting is needed, use fixed intervals not derived from data values. Monitor for anomalous response time patterns that could indicate timing-based exfiltration.
highQ14Concurrent MCP Server Race ConditionMCP07-insecure-configT1068
Pattern "(?:read|write|modify|delete).*(?:file|path|directory)(?!.*(?:lock|mutex|semaphore|flock|atomic))" matched in source_code: "read_document_impl(file_path" (at position 18694)
MCP servers sharing filesystem or database backends with other servers must implement proper concurrency controls. Use: (1) file locking (flock/lockfile) for filesystem operations, (2) database transactions for all read-modify-write sequences, (3) atomic file operations (O_EXCL, mkdtemp) instead of check-then-create, (4) lstat() to detect symlinks before following (CVE-2025-53109). Never assume exclusive access to shared resources — other MCP servers may be operating concurrently.
highD1Known CVEs in DependenciesMCP08-dependency-vuln
Dependency "fastmcp@2.11.1" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.
highK13Unsanitized Tool OutputMCP02-tool-poisoningAML.T0054
Pattern "(?:query|execute|select|find).*(?:return|respond|result|rows|data)(?!.*(?:sanitize|escape|encode|map|filter|select|pick))" matched in source_code: "query: str, max_result" (at position 12342)
Sanitize all external data before including in tool responses. Implement output encoding that neutralizes prompt injection patterns. Truncate excessively long content. Validate structure before passing database results. Apply the principle: treat all external data as untrusted, even in tool outputs. Required by CoSAI MCP-T4.
Medium2
mediumK20Insufficient Audit Context in LoggingMCP09-logging-monitoringAML.T0054
Pattern "print\s*\(.*(?:request|handle|process|tool|invoke|execute)" matched in source_code: "print("Ensured MkDocs process" (at position 41147)
Use structured logging that includes all five ISO 27001 A.8.15 fields: (1) WHO — agent/user identity, (2) WHAT — tool name and operation, (3) WHEN — ISO 8601 timestamp, (4) WHERE — server ID and correlation ID, (5) OUTCOME — success/failure and result summary. Replace console.log with structured loggers (pino, winston). Add correlation IDs for request tracing across multi-agent chains.
mediumK17Missing Timeout or Circuit BreakerMCP07-insecure-configAML.T0054
Pattern "(?:exec|execSync|spawn|subprocess\.run|os\.system)\s*\((?!.*(?:timeout|kill|maxBuffer|signal))" matched in source_code: "subprocess.run(" (at position 36685)
Add timeouts to ALL external calls: HTTP requests (30s), database queries (10s), subprocess execution (60s), and MCP tool calls (30s). Implement circuit breakers that open after N consecutive failures (e.g., opossum, cockatiel). Use AbortSignal for cancellable operations. Required by EU AI Act Art. 15 and OWASP ASI08.
Low1
lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.