TUI

Launches and interacts with terminal UI applications via managed pseudo-terminals.

code-execution
Tools: 0
Findings: 8
Stars: 1
Last Scanned: Mar 22, 2026
3 critical · 3 high · 1 medium · 1 low findings detected

Security Category Deep Dive

Prompt Injection (prompt & context manipulation attacks)
Maturity: 69
Rules: 14
Sub-Categories: 5
Gaps: 1
Implemented: 64%
Tests: 56
Stories: 1
PI-DIR Direct Input Injection (100%, 3 rules): Injection via tool descriptions and parameter fields
  GAP-001 Prompt Injection Coverage Gap: Missing detection coverage for emerging prompt injection attack variants not addressed by current rules
PI-IND Indirect / Gateway Injection (100%, 4 rules): Hidden instructions via external content and tool responses
PI-CTX Context Manipulation (100%, 2 rules): Context window saturation and prior-approval exploitation
PI-ENC Encoding & Obfuscation (100%, 3 rules): Payload hiding via invisible chars, base64, schema fields
PI-TPL Template & Output Poisoning (100%, 2 rules): Injection via prompt templates and runtime tool output
Framework Coverage
OWASP MCP Top 10: 14/14
MITRE ATLAS: 14/14
CoSAI MCP: 2/14
OWASP Agentic Top 10: 12/14
Kill Chain Phases
Initial Access: 0
Defense Evasion: 0
Execution: 0
Persistence: 0

Findings: 8

3 critical
3 high
1 medium
1 low

Critical (3)

[critical] Q13 MCP Bridge Package Supply Chain Attack (MCP10-supply-chain, AML.T0054)
Pattern "["']@modelcontextprotocol/sdk["']\s*:\s*["'](?:\^|~|\*|latest)" matched in source_code: ""@modelcontextprotocol/sdk": "^" (at position 9082)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
[critical] K9 Dangerous Post-Install Hooks (MCP10-supply-chain, AML.T0054)
Pattern "["'](?:postinstall|preinstall)["']\s*:\s*["'][^"']*(?:http|ftp|ssh|exec|spawn|child_process)" matched in source_code: ""postinstall": "chmod +x node_modules/node-pty/prebuilds/*/spawn" (at position 8825)
Remove network requests, code execution, and shell commands from install hooks. Post-install scripts should only run build/compile steps (node-gyp, tsc). Use --ignore-scripts flag during CI installations and audit all install hooks before allowing. Required by OWASP ASI04 and CoSAI MCP-T11.
[critical] C1 Command Injection (MCP03-command-injection, AML.T0054)
Pattern "execSync\s*\(" matched in source_code: "execSync(" (at position 366)
Replace exec()/execSync() with execFile() and pass arguments as an array, never as a string. Validate all inputs against an allowlist before use in any shell context. For subprocess.run, always pass a list and shell=False.

High (3)

[high] Q12 Cross-Jurisdiction Data Routing via MCP (MCP04-data-exfiltration, T1020)
Pattern "(?:endpoint|server|backend|api).*(?:us-east|eu-west|ap-southeast|cn-north|region)" matched in source_code: "server.registerTool('read_region" (at position 3601)
MCP servers that handle personal or sensitive data must: (1) declare the geographic regions where data is processed in tool descriptions, (2) never route data to third-country backends without GDPR adequacy decisions or Standard Contractual Clauses, (3) log all cross-border data transfers with source/destination jurisdiction for audit, (4) implement data residency enforcement that rejects requests violating localization requirements. Reference: EU AI Act Art. 12, GDPR Art. 44-49.
[high] O8 Timing-Based Covert Channel (MCP04-data-exfiltration, AML.T0057)
Pattern "(?:delay|sleep|timeout|interval)\s*[:=]\s*(?:[^;]*(?:secret|token|password|credential|key|env))" matched in source_code: "timeout: z.number().optional().describe('Timeout in milliseconds (default: 5000)'), }, }, async ({ sessionId, pattern, timeout }) => { try { await session.waitForText(sessionId, pattern, timeout) return { content: [{ type: 'text', text: `found: ${pattern}` }] } } catch (e) { return { content: [{ type: 'text', text: e.message }], isError: true } } }) server.registerTool('wait_for_idle', { title: 'Wait For Idle', description: 'Wait until the terminal buffer stops changing. Useful after sending key" (at position 7368)
Remove all code that calculates sleep/delay durations from application data, secrets, or any variable-length content. Tool response times should be constant or determined only by legitimate processing time. If rate limiting is needed, use fixed intervals not derived from data values. Monitor for anomalous response time patterns that could indicate timing-based exfiltration.
[high] K11 Missing Server Integrity Verification (MCP10-supply-chain, AML.T0054)
Pattern "(connect|load|register|add)[_\s-]?(mcp|server|tool)(?!.*(?:verify|validate|checksum|hash|sign|cert|fingerprint|pin))" matched in source_code: "registerTool" (at position 823)
Implement cryptographic verification for MCP server connections: (1) Pin server TLS certificates or public keys, (2) Verify server tool definition checksums against a known-good manifest, (3) Use package manager integrity checks (npm integrity, pip --require-hashes). The MCP spec recommends but doesn't yet mandate server signing — implement it proactively. Required by ISO 27001 A.8.24 and CoSAI MCP-T6.

Medium (1)

[medium] K17 Missing Timeout or Circuit Breaker (MCP07-insecure-config, AML.T0054)
Pattern "(?:exec|execSync|spawn|subprocess\.run|os\.system)\s*\((?!.*(?:timeout|kill|maxBuffer|signal))" matched in source_code: "execSync(" (at position 366)
Add timeouts to ALL external calls: HTTP requests (30s), database queries (10s), subprocess execution (60s), and MCP tool calls (30s). Implement circuit breakers that open after N consecutive failures (e.g., opossum, cockatiel). Use AbortSignal for cancellable operations. Required by EU AI Act Art. 15 and OWASP ASI08.

Low (1)

[low] F4 MCP Spec Non-Compliance (MCP07-insecure-config)
Server fails MCP spec compliance checks: required: server_name; required: server_version; required: protocol_version; recommended: tool_descriptions; recommended: parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.