aws-security-mcp security findings

Tool Poisoning

1 findingMCP02ASI02CoSAI-T4CoSAI-T6CoSAI-T9MAESTRO-L3MAESTRO-L7EU-AI-Act-Art-13AML.T0058#

Deceptive Naming

1 finding

Official Namespace Squatting

CriticalMCP02-tool-poisoningAML.T0054

Server published as '@anthropic-tools/filesystem' by an unverified author not in the anthropics GitHub org

1Compare the observed server name "aws-security-mcp" against the vendor namespace "aws" (AWS). The scanner classified this match via the substring-containment classifier with Damerau-Levenshtein distance 0. If the server is an official AWS product, add its GitHub organisation to OFFICIAL_NAMESPACES.verified_github_orgs in the rule's data file.initialize.server_nameExpect: Server name "aws-security-mcp" directly contains the vendor token "aws".
2Open the server's repository at https://github.com/groovybugify/aws-security-mcp and confirm the owning organisation is NOT one of the vendor's verified orgs. The vendor registers the following orgs as authoritative: github.com/aws/…, github.com/awslabs/…, github.com/amazon-archives/…. A match against any of these suppresses the finding.initialize.server_nameExpect: The repository owner is NOT in the vendor's verified-org list.
3Open the MCP registry page for "aws-security-mcp" (Smithery, PulseMCP, or modelcontextprotocol.io/registry). Cross-reference the stated publisher identity against AWS's official publications. A recently published server with low install count and no vendor affiliation is the canonical squat pattern.initialize.server_nameExpect: Registry publisher identity does not match AWS; the server is an impersonator.

sourceexternal-content

initialize.server_name

Server name "aws-security-mcp" matches AWS namespace "aws" via substring containment.

The MCP client surfaces the server name verbatim in its approval dialog, and the LLM ingests the server name alongside the tool descriptions. A name that implies official AWS origin hijacks the trust users and agents extend to the real vendor — the exact supply-chain vector Alex Birsan demonstrated in 2021 and Wiz Research documented in the MCP ecosystem in 2025.

propagationcross-tool-flow

capability:tools

Publisher URL "https://github.com/groovybugify/aws-security-mcp" is NOT under any of AWS's verified GitHub organisations (aws, awslabs, amazon-archives). The server name + publisher mismatch propagates misplaced trust to every downstream tool invocation.

sinkprivilege-grant

initialize.server_name

Users approve the server on the basis of the vendor-branded name, granting it the session-scoped trust they would extend to a genuine AWS product. All subsequent tool calls execute under that elevated trust.

impactcross-agent-propagation

ai-client

User installs "aws-security-mcp" believing it is an official AWS MCP server. The LLM consumes the impersonator's tool descriptions, instructions, and output under the vendor's brand halo. Subsequent prompt injection, credential harvesting, or data exfiltration by the impersonator inherits the vendor's trust across every conversation that uses the tool.

trivial

Test 102 more rules — give us more context2 input gaps

Live connection3 rules

To unlock these tests: register a live MCP endpoint.

E1No Authentication RequiredCode VulnerabilitiesServer-Hardening Failures
E2Insecure TransportAuthentication & IdentitySession & Transport Security
E3Response Time AnomalyAudit & LoggingAbsent or Unstructured Logging

Source code99 rules

To unlock these tests: publish your source on GitHub.

C1Command InjectionCode VulnerabilitiesCommand & Shell Execution
C10Prototype PollutionCode VulnerabilitiesData Store Injection
C11ReDoS — Catastrophic Regex BacktrackingCode VulnerabilitiesServer-Hardening Failures
C12Unsafe DeserializationCode VulnerabilitiesDynamic Code Evaluation & Deserialization
C13Server-Side Template Injection (SSTI)Code VulnerabilitiesDynamic Code Evaluation & Deserialization
C14JWT Algorithm Confusion / None Algorithm AttackCode VulnerabilitiesInsecure Credential & Crypto
C15Timing Attack on Secret or Token ComparisonCode VulnerabilitiesInsecure Credential & Crypto
C16Dynamic Code Evaluation with User InputCode VulnerabilitiesCommand & Shell Execution
C2Path TraversalCode VulnerabilitiesFilesystem & Network Traversal
C3Server-Side Request Forgery (SSRF)Code VulnerabilitiesFilesystem & Network Traversal
C4SQL InjectionCode VulnerabilitiesData Store Injection
C5Hardcoded Secrets in Source CodeCode VulnerabilitiesInsecure Credential & Crypto
C6Error Message Information LeakageCode VulnerabilitiesServer-Hardening Failures
C7Wildcard CORS ConfigurationCode VulnerabilitiesServer-Hardening Failures
C8No Authentication on Network-Exposed ServerCode VulnerabilitiesServer-Hardening Failures
C9Excessive Filesystem ScopeCode VulnerabilitiesCommand & Shell Execution
G7DNS-Based Data Exfiltration ChannelData ExfiltrationExplicit Network Exfiltration
H1MCP OAuth 2.0 Insecure ImplementationAuthentication & IdentityOAuth Misimplementation
I12Capability Escalation Post-InitializationHuman OversightPost-Init Capability Escalation
I15Transport Session SecurityAuthentication & IdentitySession & Transport Security
J1Cross-Agent Configuration PoisoningSupply Chain SecurityConfig Injection & Bridge Supply Chain
J2Git Argument InjectionCode VulnerabilitiesCommand & Shell Execution
J4Health Endpoint Information DisclosureModel ManipulationInformation Disclosure Via Debug Surface
J5Tool Output Poisoning PatternsPrompt InjectionIndirect Gateway Injection
J7OpenAPI Specification Field InjectionCode VulnerabilitiesOpenAPI / Spec Field Injection
K1Absent Structured LoggingAudit & LoggingAbsent or Unstructured Logging
K10Package Registry SubstitutionTool PoisoningUpdate-Channel Spoofing
K11Missing Server Integrity VerificationSupply Chain SecurityKnown Vulnerable Dependencies
K12Executable Content in Tool ResponseTool PoisoningAnnotation Deception
K13Unsanitized Tool OutputTool PoisoningAnnotation Deception
K14Agent Credential Propagation via Shared StateAuthentication & IdentityCross-Boundary Credential Sharing
K16Unbounded Recursion / Missing Depth LimitsProtocol & TransportJSON-RPC Batching & Flooding
K17Missing Timeout or Circuit BreakerDenial of ServiceRecursion & Loop Bombs
K18Cross-Trust-Boundary Data Flow in Tool ResponseData ExfiltrationSource-to-Sink Flow
K19Missing Runtime Sandbox EnforcementDenial of ServiceTimeout & Circuit-Breaker Gaps
K2Audit Trail DestructionAudit & LoggingLog Destruction
K20Insufficient Audit Context in LoggingAudit & LoggingInsufficient Audit Context
K3Audit Log TamperingAudit & LoggingLog Destruction
K5Auto-Approve / Bypass Confirmation PatternHuman OversightAuto-Approve & Bypass
K6Overly Broad OAuth ScopesAuthentication & IdentityOAuth Misimplementation
K7Long-Lived Tokens Without RotationAuthentication & IdentityOAuth Misimplementation
K8Cross-Boundary Credential SharingData ExfiltrationTrust-Boundary Data Flow
K9Dangerous Post-Install HooksSupply Chain SecurityInstall-Time Execution
L1GitHub Actions Tag PoisoningSupply Chain SecurityCI/CD Poisoning
L10Registry Metadata SpoofingTool PoisoningUpdate-Channel Spoofing
L11Environment Variable Injection via MCP ConfigSupply Chain SecurityConfig Injection & Bridge Supply Chain
L12Build Artifact TamperingCode VulnerabilitiesOpenAPI / Spec Field Injection
L13Build Credential File TheftSupply Chain SecurityCI/CD Poisoning
L14Hidden Entry Point MismatchSupply Chain SecurityManifest & Entry-Point Confusion
L15Update Notification SpoofingTool PoisoningBehavior Drift
L2Malicious Build Plugin InjectionCode VulnerabilitiesOpenAPI / Spec Field Injection
L3Dockerfile Base Image Supply Chain RiskSupply Chain SecurityRegistry & Distribution Substitution
L4MCP Config File Code InjectionSupply Chain SecurityManifest & Entry-Point Confusion
L5Package Manifest Confusion IndicatorsSupply Chain SecurityManifest & Entry-Point Confusion
L6Config Directory Symlink AttackSupply Chain SecurityRegistry & Distribution Substitution
L7Transitive MCP Server DelegationSupply Chain SecurityManifest & Entry-Point Confusion
L8Version Rollback / Downgrade AttackSupply Chain SecurityRegistry & Distribution Substitution
L9CI/CD Secret Exfiltration PatternsSupply Chain SecurityCI/CD Poisoning
M2TokenBreak Boundary ManipulationModel ManipulationTokenizer Boundary Attacks
M6Progressive Context Poisoning EnablersHuman OversightTool-Position & Progressive Poisoning
M7Tool Response Structure BombDenial of ServiceResponse Payload Amplification
M8Inference Cost AmplificationDenial of ServiceInference Cost Amplification
M9Model-Specific System Prompt ExtractionModel ManipulationReasoning Extraction
N1JSON-RPC Batch Request AbuseProtocol & TransportJSON-RPC Batching & Flooding
N10Incomplete Handshake Denial of ServiceProtocol & TransportJSON-RPC Batching & Flooding
N11Protocol Version Downgrade AttackProtocol & TransportProtocol Version & Method Confusion
N12Resource Subscription Content MutationPrompt InjectionIndirect Gateway Injection
N13HTTP Chunked Transfer SmugglingProtocol & TransportStreaming & Session Hijacking
N14Trust-On-First-Use Bypass (TOFU)Authentication & IdentitySession & Transport Security
N15JSON-RPC Method Name ConfusionProtocol & TransportProtocol Version & Method Confusion
N2JSON-RPC Notification FloodingProtocol & TransportJSON-RPC Batching & Flooding
N3JSON-RPC Request ID CollisionProtocol & TransportJSON-RPC Batching & Flooding
N4JSON-RPC Error Object InjectionPrompt InjectionProtocol-Surface Injection
N5Capability Downgrade DeceptionProtocol & TransportProtocol Version & Method Confusion
N6SSE Reconnection HijackingProtocol & TransportStreaming & Session Hijacking
N7Progress Token Prediction and InjectionProtocol & TransportStreaming & Session Hijacking
N8Cancellation Race ConditionProtocol & TransportJSON-RPC Batching & Flooding
N9MCP Logging Protocol InjectionPrompt InjectionContext & Trust Manipulation
O10Privacy-Violating TelemetryData ExfiltrationCovert Channels
O4Clipboard and UI Exfiltration InjectionData ExfiltrationTrust-Boundary Data Flow
O5Environment Variable HarvestingData ExfiltrationCovert Channels
O6Server Fingerprinting via Error ResponsesData ExfiltrationCovert Channels
O8Timing-Based Covert ChannelData ExfiltrationCovert Channels
O9Ambient Credential ExploitationData ExfiltrationCovert Channels
P1Docker Socket Mount in ContainerContainer & RuntimeContainer Escape Vectors
P10Host Network Mode and Missing Egress ControlsContainer & RuntimeHost Mount & Network
P2Dangerous Container CapabilitiesContainer & RuntimeContainer Escape Vectors
P3Cloud Metadata Service AccessContainer & RuntimeCloud Metadata Access
P4TLS Certificate Validation BypassContainer & RuntimeTLS & Crypto Misconfig
P5Secrets Exposed in Container Build LayersSupply Chain SecurityRegistry & Distribution Substitution
P6LD_PRELOAD and Shared Library HijackingContainer & RuntimeContainer Escape Vectors
P7Sensitive Host Filesystem MountContainer & RuntimeHost Mount & Network
P8Insecure Cryptographic Mode or Static IV/NonceContainer & RuntimeTLS & Crypto Misconfig
P9Missing Container Resource LimitsDenial of ServiceContainer Resource Exhaustion
Q13MCP Bridge Package Supply Chain AttackSupply Chain SecurityConfig Injection & Bridge Supply Chain
Q15A2A/MCP Protocol Boundary ConfusionHuman OversightTrust-Delegation Confusion
Q3Localhost MCP Service HijackingProtocol & TransportLocalhost & Concurrency Hijack
Q4IDE MCP Configuration InjectionSupply Chain SecurityConfig Injection & Bridge Supply Chain
Q7Desktop Extension Privilege ChainContainer & RuntimePrivileged Roots & Extensions

Tested cleanly

Prompt Injection24 rules tested cleanly
Code Vulnerabilities23 rules tested cleanly
Data Exfiltration15 rules tested cleanly
Authentication & Identity9 rules tested cleanly
Supply Chain Security23 rules tested cleanly
Human Oversight6 rules tested cleanly
Audit & Logging5 rules tested cleanly
Multi-Agent Security1 rule tested cleanly
Protocol & Transport15 rules tested cleanly
Denial of Service7 rules tested cleanly
Container & Runtime10 rules tested cleanly
Model Manipulation8 rules tested cleanly