UCCO Foundation
Query the UCCO Foundation standard with structured, authoritative data about the UCCO classification system.
0/100
0Tools
18Findings
0Stars
—Downloads
Mar 24, 2026Last Scanned
Score Breakdown5 categories
Code45
Dependencies100
Config0
Description100
Behavior100
OWASP MCP Top 10 Coverage
MCP10-supply-chainMCP10-supply-chainFail
MCP02-tool-poisoningMCP02-tool-poisoningFail
MCP07-insecure-configMCP07-insecure-configFail
MCP08-dependency-vulnMCP08-dependency-vulnPass
MCP01-prompt-injectionMCP01-prompt-injectionFail
MCP03-command-injectionMCP03-command-injectionFail
MCP04-data-exfiltrationMCP04-data-exfiltrationFail
MCP09-logging-monitoringMCP09-logging-monitoringPass
MCP05-privilege-escalationMCP05-privilege-escalationFail
MCP06-excessive-permissionsMCP06-excessive-permissionsFail
Findings18
6critical
10high
1medium
1low
0informational
criticalG7DNS-Based Data Exfiltration ChannelMCP04-data-exfiltrationAML.T0040
Pattern "\.toString\s*\(\s*16\s*\).*\." matched in source_code: ".toString(16).padStart(2, "0"))." (at position 605)
Remove all dynamic DNS queries where subdomain content is derived from application data, user input, or system information. DNS exfiltration channels are invisible to most monitoring tools and operate even through strict HTTP firewalls.
If DNS-based service discovery is required, use a static list of known-good hostnames. Never construct DNS query hostnames by concatenating or encoding application data. Deploy DNS logging (e.g., passive DNS, BIND query logs) and alert on high-entropy subdomain queries.
criticalC1Command InjectionMCP03-command-injectionAML.T0054
Pattern "`[^`]+`" matched in source_code: "`Unknown tool: ${toolName}`" (at position 20824)
Replace exec()/execSync() with execFile() and pass arguments as an array, never as a string. Validate all inputs against an allowlist before use in any shell context. For subprocess.run, always pass a list and shell=False.
criticalK8Cross-Boundary Credential SharingMCP05-privilege-escalationAML.T0054
Pattern "(return|respond|output|result).*(?:token|credential|api[_\s-]?key|secret|password|bearer)" matched in source_code: "return key && key === env.OPS_API_KEY" (at position 17618)
Never forward, share, or embed credentials across trust boundaries. Use OAuth token exchange (RFC 8693) to create scoped, delegated tokens instead of passing original credentials. Never include credentials in tool responses. Required by ISO 27001 A.5.17 and OWASP ASI03.
criticalJ1Cross-Agent Configuration PoisoningMCP05-privilege-escalationAML.T0054
Pattern "(\.claude[/\\]|claude[/\\]settings|claude.*config)" matched in source_code: "claude_desktop_config" (at position 25410)
MCP servers MUST NOT write to AI agent configuration directories. If configuration management is the server's purpose, require explicit user confirmation before any write and restrict paths to the server's own config namespace. CVE-2025-53773 demonstrated this enables full RCE across agent boundaries.
criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "(?:mcp|fastmcp|langchain-mcp|llama-index-mcp)(?:>=|~=|==)?(?!\d)" matched in source_code: "MCP" (at position 53)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
criticalQ11Code Suggestion Poisoning via MCPMCP01-prompt-injectionAML.T0054.001
Pattern "(?:suggest|generate|complete|insert).*(?:code|function|class|import|require)" matched in source_code: "INSERT INTO oauth_codes (code, client_id, redirect_uri, code_challenge, code" (at position 13030)
MCP tool outputs flowing into IDE code suggestion contexts must be sanitized. Implement output content policies that: (1) strip hidden Unicode characters (zero-width, RTL override, tag characters), (2) detect embedded instructions targeting AI code assistants, (3) validate code blocks against security patterns before they enter the suggestion pipeline, (4) never include shell commands in tool outputs without explicit [COMMAND] markers visible to the user. Reference: IDEsaster (Dec 2025), arXiv 2509.22040.
highK18Cross-Trust-Boundary Data Flow in Tool ResponseMCP04-data-exfiltrationAML.T0054
Pattern "(?:readFile|read_file|query|select|getSecret|getCredential|getPassword).*(?:webhook|http|fetch|axios|post|send|email|slack|discord)" matched in source_code: "queryable interface to the Universal Capability Certification Object (UCCO) open standard. The first standards body to make itself readable by AI agents via MCP.", homepage: "http" (at position 27347)
Implement data flow taint tracking: tag data from sensitive sources (databases, credentials, files) and prevent it from flowing to external sinks (HTTP, webhooks, email) without explicit sanitization/redaction. Apply data classification and enforce boundary controls per trust level. Required by ISO 27001 A.5.14 and CoSAI MCP-T5.
highK6Overly Broad OAuth ScopesMCP06-excessive-permissionsAML.T0054
Pattern "(?:openid|profile|email).*(?:admin|write:all|manage:all|delete)" matched in source_code: "email: "admin" (at position 27872)
Request the minimum OAuth scopes needed for functionality. Use read-only scopes when write access isn't required. Break broad scopes into specific, task-scoped permissions. Use short-lived, JIT (just-in-time) credentials. Required by ISO 27001 A.5.15 (least privilege), OWASP ASI03, and CoSAI MCP-T2.
highN1JSON-RPC Batch Request AbuseMCP07-insecure-configAML.T0054
Pattern "Array\.isArray\(\s*(body|request|message|data|payload)\s*\)(?!.*(?:length\s*[<>]|maxBatch|batch[_\s-]?limit|MAX_BATCH))" matched in source_code: "Array.isArray(body)" (at position 30569)
Enforce a maximum batch size for JSON-RPC requests (recommended: 20-25 requests per batch). Reject batches exceeding the limit with a -32600 (Invalid Request) error. Implement per-batch timeout and memory limits. Reference: JSON-RPC 2.0 Section 6 (Batch) does not mandate limits — servers MUST enforce them.
highO6Server Fingerprinting via Error ResponsesMCP04-data-exfiltrationAML.T0057
Pattern "(?:diagnostics?|debug|system_?info|server_?info|health_?detailed|status_?detail)\s*[:=]\s*\{[^}]*(?:version|os|arch|platform|uptime|memory|cpu|disk|hostname|pid)" matched in source_code: "serverInfo: { name: SERVER_NAME, version: SERVER_VERSION" (at position 20441)
Never expose process, OS, runtime, or database metadata in tool responses or error messages. Use generic error messages ("An error occurred") for production responses. Remove or disable debug/diagnostic endpoints. If health endpoints are needed, limit them to simple "ok"/"error" status without infrastructure details. Wrap all error handlers with a sanitization layer that strips system information.
highQ14Concurrent MCP Server Race ConditionMCP07-insecure-configT1068
Pattern "(?:read|write|modify|delete).*(?:file|path|directory)(?!.*(?:lock|mutex|semaphore|flock|atomic))" matched in source_code: "DELETE") return handleOpsDeleteClient(request, env, path" (at position 29267)
MCP servers sharing filesystem or database backends with other servers must implement proper concurrency controls. Use: (1) file locking (flock/lockfile) for filesystem operations, (2) database transactions for all read-modify-write sequences, (3) atomic file operations (O_EXCL, mkdtemp) instead of check-then-create, (4) lstat() to detect symlinks before following (CVE-2025-53109). Never assume exclusive access to shared resources — other MCP servers may be operating concurrently.
highC15Timing Attack on Secret ComparisonMCP07-insecure-configAML.T0054
[AST pattern] String equality (===) on "key" at L328 — timing side-channel. Attackers can determine secret value byte-by-byte by measuring comparison time.
Use crypto.timingSafeEqual() or hmac.compare_digest() for secret comparison. Never use === on secrets.
highJ5Tool Output Poisoning PatternsMCP01-prompt-injectionAML.T0054
[AST — J5] Catch block at L401 interpolates error variable "e" into response. If the error originates from attacker-controlled input (e.g., malformed data), the error message becomes an injection vector into the AI's context.
Never include user input or LLM manipulation directives in error messages or tool responses. Use structured error codes.
highC3Server-Side Request Forgery (SSRF)MCP04-data-exfiltrationAML.T0057
Pattern "\bfetch\s*\(\s*(?:req|request|input|param|params|args|url|uri|href|link|target|destination|endpoint|host|address|resource|src|source|location|proxy|callback|userUrl|user_url|externalUrl|external_url|redirectUrl|redirect_url)" matched in source_code: "fetch(req" (at position 26583)
Validate ALL user-supplied URLs before making HTTP requests:
1. Parse the URL and check the hostname against an explicit allowlist of permitted domains.
2. Block requests to RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
3. Block loopback (127.0.0.0/8), link-local (169.254.0.0/16), and IPv6 equivalents.
4. Block file:// and other non-http(s) protocols explicitly.
5. Disable automatic redirect following, or re-validate each redirect destination.
6. In cloud environments: block requests to IMDS endpoints (169.254.169.254,
metadata.google.internal) at both the application AND network layer.
Example (Node.js): Use the `ssrf-req-filter` package or implement URL validation
against an allowlist before calling fetch/axios/got.
highK13Unsanitized Tool OutputMCP02-tool-poisoningAML.T0054
Pattern "(?:query|execute|select|find).*(?:return|respond|result|rows|data)(?!.*(?:sanitize|escape|encode|map|filter|select|pick))" matched in source_code: "find((t) => t.name === toolName)) return" (at position 20758)
Sanitize all external data before including in tool responses. Implement output encoding that neutralizes prompt injection patterns. Truncate excessively long content. Validate structure before passing database results. Apply the principle: treat all external data as untrusted, even in tool outputs. Required by CoSAI MCP-T4.
highK16Unbounded Recursion / Missing Depth LimitsMCP07-insecure-configAML.T0054
Pattern "function\s+(\w+).*\{[^}]*\1\s*\((?!.*(?:depth|level|limit|max|count|recursi))" matched in source_code: "function handleTool(name, args, env) {
switch (" (at position 6972)
Add explicit depth/recursion limits to all recursive operations. Use iterative approaches where possible. Set maximum depth for directory walking (max_depth=10), tree traversal (max_level=20), and agent re-invocation (max_calls=5). Implement circuit breakers that halt after N iterations. Required by EU AI Act Art. 15 (robustness) and OWASP ASI08.
mediumK17Missing Timeout or Circuit BreakerMCP07-insecure-configAML.T0054
Pattern "(?:fetch|axios|got|request|urllib|httpx|http\.get|http\.post)\s*\((?!.*(?:timeout|signal|AbortSignal|deadline|cancel))" matched in source_code: "fetch(" (at position 26583)
Add timeouts to ALL external calls: HTTP requests (30s), database queries (10s), subprocess execution (60s), and MCP tool calls (30s). Implement circuit breakers that open after N consecutive failures (e.g., opossum, cockatiel). Use AbortSignal for cancellable operations. Required by EU AI Act Art. 15 and OWASP ASI08.
lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.
Security Category Deep Dive
Sub-Category Tree · Remediation Roadmap · Attack Stories · Compliance Overlay · ATLAS Techniques · Maturity Model
Prompt Injection
Prompt & context manipulation attacks
69
MATURITY
14
RULES
5
SUB-CATS
1
GAPS
64%
IMPL.
56
TESTS
1
STORIES
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
100%4 rules
Hidden instructions via external content and tool responses
100%2 rules
Context window saturation and prior-approval exploitation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
50%2 rules1 found
Injection via prompt templates and runtime tool output