AionUi
Free, local, open-source 24/7 Cowork app and OpenClaw for Gemini CLI, Claude Code, Codex, OpenCode, Qwen Code, Goose CLI, Auggie, and more | ๐ Star if you like it!
0Tools
11Findings
19.9kStars
โDownloads
Mar 22, 2026Last Scanned
Findings11
3critical
5high
1medium
2low
0informational
criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "["']@modelcontextprotocol/sdk["']\s*:\s*["'](?:\^|~|\*|latest)" matched in source_code: ""@modelcontextprotocol/sdk": "^" (at position 26587)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets โ CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
criticalQ9Agentic Workflow DAG ManipulationMCP05-privilege-escalationAML.T0058
Pattern "(?:bypass|skip|disable).*(?:approval|validation|safety|check|gate|guard)" matched in source_code: "disabled via env/CI guard" (at position 11196)
MCP tools must NOT modify agentic workflow graphs, execution order, or routing during runtime. Workflow structure should be immutable once execution begins. If dynamic workflow modification is required, implement: (1) approval gates that require human confirmation before graph mutations, (2) integrity checks that validate the workflow graph against a known-good baseline after each step, (3) audit logging of all graph modifications with rollback capability. Reference: arXiv 2602.19555, Trend Micro subgraph impersonation attack (2026).
criticalK9Dangerous Post-Install HooksMCP10-supply-chainAML.T0054
Pattern "["'](?:postinstall|preinstall|install)["']\s*:\s*["'][^"']*(?:curl|wget|node\s|python|bash|sh\s|powershell)" matched in source_code: ""postinstall": "node " (at position 25889)
Remove network requests, code execution, and shell commands from install hooks. Post-install scripts should only run build/compile steps (node-gyp, tsc). Use --ignore-scripts flag during CI installations and audit all install hooks before allowing. Required by OWASP ASI04 and CoSAI MCP-T11.
highC3Server-Side Request Forgery (SSRF)MCP04-data-exfiltrationAML.T0057
Pattern "new\s+URL\s*\(\s*(?:req|request|input|param|params|args|url|uri|href|link|target|destination|endpoint|host|address|resource|src|source)" matched in source_code: "new URL(req" (at position 13934)
Validate ALL user-supplied URLs before making HTTP requests:
1. Parse the URL and check the hostname against an explicit allowlist of permitted domains.
2. Block requests to RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
3. Block loopback (127.0.0.0/8), link-local (169.254.0.0/16), and IPv6 equivalents.
4. Block file:// and other non-http(s) protocols explicitly.
5. Disable automatic redirect following, or re-validate each redirect destination.
6. In cloud environments: block requests to IMDS endpoints (169.254.169.254,
metadata.google.internal) at both the application AND network layer.
Example (Node.js): Use the `ssrf-req-filter` package or implement URL validation
against an allowlist before calling fetch/axios/got.
highD1Known CVEs in DependenciesMCP08-dependency-vuln
Dependency "@modelcontextprotocol/sdk@1.20.0" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.
highK1Absent Structured LoggingMCP09-logging-monitoringAML.T0054
Pattern "console\.(log|warn|error)\s*\(.*(?:tool|request|handler|execute|invoke)" matched in source_code: "console.warn(`[aion-asset] File not found: ${request" (at position 14267)
Implement structured logging (pino, winston, or equivalent) for all tool call handlers. Every tool invocation should log: timestamp, tool name, caller identity, parameters (sanitized), result status, and duration. Required by ISO 27001 A.8.15, CoSAI MCP-T12, and NIST AI RMF MEASURE 2.6.
highN2JSON-RPC Notification FloodingMCP07-insecure-configAML.T0054
Pattern "(?:sendNotification|send_notification|notify|emit)\s*\((?!.*(?:queue|throttle|rateLimit|backpressure|bounded))" matched in source_code: "Notify(" (at position 10993)
Implement bounded notification queues (recommended max size: 100 per subscription). Apply backpressure โ when the queue is full, drop oldest notifications or pause the producer. Enforce per-client notification rate limits. JSON-RPC notifications have no response, so there is no natural flow control โ servers MUST implement it explicitly.
highQ14Concurrent MCP Server Race ConditionMCP07-insecure-configT1068
Pattern "(?:read|write|modify|delete).*(?:file|path|directory)(?!.*(?:lock|mutex|semaphore|flock|atomic))" matched in source_code: "reading nvm directory" (at position 4734)
MCP servers sharing filesystem or database backends with other servers must implement proper concurrency controls. Use: (1) file locking (flock/lockfile) for filesystem operations, (2) database transactions for all read-modify-write sequences, (3) atomic file operations (O_EXCL, mkdtemp) instead of check-then-create, (4) lstat() to detect symlinks before following (CVE-2025-53109). Never assume exclusive access to shared resources โ other MCP servers may be operating concurrently.
mediumK17Missing Timeout or Circuit BreakerMCP07-insecure-configAML.T0054
Pattern "(?:fetch|axios|got|request|urllib|httpx|http\.get|http\.post)\s*\((?!.*(?:timeout|signal|AbortSignal|deadline|cancel))" matched in source_code: "fetch(" (at position 14364)
Add timeouts to ALL external calls: HTTP requests (30s), database queries (10s), subprocess execution (60s), and MCP tool calls (30s). Implement circuit breakers that open after N consecutive failures (e.g., opossum, cockatiel). Use AbortSignal for cancellable operations. Required by EU AI Act Art. 15 and OWASP ASI08.
lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.
lowD4Excessive Dependency CountMCP08-dependency-vuln
Server has 124 dependencies (threshold: 50)
Reduce the number of direct dependencies. Each dependency increases the attack surface. Consider whether lighter alternatives exist.
Tools
No tools exposed by this server.
Security Category Deep Dive
Sub-Category Tree ยท Remediation Roadmap ยท Attack Stories ยท Compliance Overlay ยท ATLAS Techniques ยท Maturity Model
Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
100%4 rules
Hidden instructions via external content and tool responses
100%2 rules
Context window saturation and prior-approval exploitation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
100%2 rules
Injection via prompt templates and runtime tool output