MCP Security Scanner
Scans Model Context Protocol server tool schemas for injection surfaces, privilege boundary gaps, authentication weaknesses, and tool-chain attack paths. Maps findings to OWASP Agentic AI T-codes and feeds the Exploitability (E) variable in your TIVM assessment.
MCP server target
Four scan modules
Are tool descriptions injection vectors?
Tool descriptions and parameter schemas are read by the LLM as part of tool selection. If a description contains instruction-like language, an attacker who controls a tool name or description can inject into the model's reasoning. Each tool schema is analysed for embedded instructions, override phrases, and authority claims. Maps to OWASP T3 Prompt Injection
Can tools access more than they should?
Each tool's declared parameter scope is compared against likely data access patterns. Tools with write access, external network calls, or cross-system effects that lack explicit scope constraints are flagged. Identifies confused deputy paths before they are exploited. Maps to OWASP T1 Privilege Escalation
What can be achieved by combining tools?
Individually safe tools can be combined to achieve outcomes neither was designed for. The scanner maps tool combinations and flags paths where chaining two or more tools produces a high-impact action — data exfiltration, privilege escalation, or recursive consumption. Maps to OWASP T7 Unsafe Actuation
Are tool invocations authenticated?
MCP tools that do not require caller authentication, do not validate the calling agent's identity, or do not enforce scope-bounded tokens are vulnerable to impersonation and confused deputy attacks. Maps to OWASP T9 Credential Theft