From ai-security-skills
Audits MCP servers for security risks: transport/auth flaws, overpermissioned tools, injections, data exposure, sandboxing gaps, supply chain issues. Use for source code reviews or third-party evaluations.
`npx claudepluginhub cmaenner/agent-security-playbook`

This skill uses the workspace's default tool permissions.
Audit an MCP server by following the full procedure in `plays/tier4-ai-security/mcp-server-review.md`.
Evaluates MCP servers from GitHub, npm, PyPI, or repo URLs for safety, functionality, legal compliance, and user fit before installation.
Audits MCP tool handlers and schemas for vulnerabilities like shell injection, arbitrary file access, hardcoded secrets, and unconstrained inputs. Use when defining MCP servers or Claude Code extensions with FS/shell/network access.
Evaluates MCP servers from GitHub repos for security vulnerabilities, privacy risks, code quality, community feedback, and reliability with risk scoring and recommendations. Activate on safety queries or assessments.
Audit an MCP server by following the full procedure in `plays/tier4-ai-security/mcp-server-review.md`.
Transport & Authentication — Check transport type (stdio vs HTTP/SSE), authentication on network transports, TLS enforcement, CORS policy, origin validation.
Tool Permission Audit — For each exposed tool: document what it claims to do vs what it actually does (read source). Classify as READ-ONLY, MUTATION, DESTRUCTIVE, NETWORK, or CREDENTIAL-ACCESS. Flag tools with broader capabilities than descriptions suggest, free-form inputs, or credential access.
Input Validation & Injection — For each tool parameter: check for command injection (shell interpolation), path traversal (../ in file paths), SQL injection (unparameterized queries), SSRF (user-supplied URLs hitting internal services), and template injection.
Data Exposure — Assess MCP resources for secrets/PII leakage, tool outputs for excessive data, error messages for internal paths/stack traces, and logging for sensitive data capture.
Scope & Sandboxing — Check file system restrictions, network scope (can it reach cloud metadata 169.254.169.254?), process permissions, resource limits, and dependency surface.
Supply Chain — Verify source trustworthiness, run SCA on dependencies, check for lockfiles and reproducible builds, assess update mechanism.
Client Configuration — Review MCP client config for absolute/specific server paths, minimized env var passthrough, and command injection safety in args.
Output: a server overview, a tool risk matrix, findings written with `templates/finding.md`, and specific configuration recommendations.
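As an added example (not code from the agent-security-playbook skill or this page), the following Python script mechanises the Tool Permission Audit and Input Validation steps above. It takes MCP tool definitions (name, description, `inputSchema`) together with the Python source of each handler, classifies every tool by what the source actually does rather than what the description claims, flags free-form string inputs, shell interpolation, path traversal, SSRF and credential reads, and reports a claim-versus-behaviour mismatch. The sink lists, the `audit_tool`/`audit_server`/`free_form_inputs` names and the four sample tools are all constructed for illustration; handler source is only parsed, never executed.

```python
"""Static checker for the Tool Permission Audit and Input Validation steps above.
Added example, not the agent-security-playbook skill's code; needs Python 3.9+.
Handler source is parsed with ast and never executed."""
import ast

SHELL_SINKS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output"}
DESTRUCTIVE_SINKS = {"os.remove", "os.unlink", "os.rmdir", "shutil.rmtree"}
NETWORK_SINKS = {"requests.get", "requests.post", "httpx.get", "urllib.request.urlopen"}
PATH_SANITIZERS = {"realpath", "abspath", "resolve", "relative_to"}
READ_WORDS = ("read", "list", "get", "show", "fetch", "search")  # description words that claim a read
CRED_WORDS = ("token", "secret", "password", "key", "credential")
MUTATING = {"MUTATION", "DESTRUCTIVE", "CREDENTIAL-ACCESS"}

def _dotted(node):
    """'subprocess.run' for a dotted name, '' for anything else (e.g. a call result)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

def _uses_param(node, params):
    """True if a tool parameter name appears anywhere inside the expression."""
    return any(isinstance(n, ast.Name) and n.id in params for n in ast.walk(node))

def free_form_inputs(schema):
    """String parameters with no enum, pattern or maxLength constraint."""
    return sorted(p for p, s in schema.get("properties", {}).items()
                  if s.get("type") == "string" and not any(k in s for k in ("enum", "pattern", "maxLength")))

def audit_tool(tool):
    """Classify one tool by what its handler source does; return (classification, findings)."""
    tree = ast.parse(tool["source"])
    func = next(n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef))
    params = {a.arg for a in func.args.args}
    unconstrained = set(free_form_inputs(tool["inputSchema"]))
    calls = [n for n in ast.walk(tree) if isinstance(n, ast.Call)]
    sanitises = any((c.func.attr if isinstance(c.func, ast.Attribute) else _dotted(c.func))
                    in PATH_SANITIZERS for c in calls)
    classes, findings = set(), []
    if unconstrained:
        findings.append("free-form inputs: " + ", ".join(sorted(unconstrained)))
    for call in calls:
        target = _dotted(call.func)
        tainted = any(_uses_param(a, params) for a in call.args + [k.value for k in call.keywords])
        if target in SHELL_SINKS:
            classes.add("MUTATION")  # executing commands is more than a read
            via_shell = target in {"os.system", "os.popen"} or any(
                k.arg == "shell" and getattr(k.value, "value", None) is True for k in call.keywords)
            if via_shell and tainted:
                findings.append(f"command injection: tool input reaches {target} through a shell string")
        elif target in DESTRUCTIVE_SINKS:
            classes.add("DESTRUCTIVE")
        elif target in NETWORK_SINKS:
            classes.add("NETWORK")
            if tainted and unconstrained & params:
                findings.append(f"SSRF: unconstrained parameter reaches {target}")
        elif target == "open":
            mode = next((str(a.value) for a in call.args[1:2] if isinstance(a, ast.Constant)), "r")
            classes.add("MUTATION" if any(m in mode for m in "wax") else "READ-ONLY")
            if tainted and not sanitises:
                findings.append("path traversal: tool input opened without canonicalisation")
    env_keys = [str(getattr(n.slice, "value", "")) for n in ast.walk(tree)
                if isinstance(n, ast.Subscript) and _dotted(n.value) == "os.environ"]
    if any(w in key.lower() for key in env_keys for w in CRED_WORDS):
        classes.add("CREDENTIAL-ACCESS")
    if len(classes) > 1:
        classes.discard("READ-ONLY")  # a tool that also mutates is not read-only
    if tool["description"].lower().split()[0].startswith(READ_WORDS) and classes & MUTATING:
        findings.append("capability mismatch: description claims a read, source does "
                        + "/".join(sorted(classes & MUTATING)))
    return "/".join(sorted(classes)) or "READ-ONLY", findings

def audit_server(tools):
    """Tool risk matrix for the report: name -> (classification, findings)."""
    return {t["name"]: audit_tool(t) for t in tools}

SAMPLE_TOOLS = [  # constructed sample server, not a real MCP server
    {"name": "read_file", "description": "Reads a file from the workspace",
     "inputSchema": {"properties": {"path": {"type": "string"}}},
     "source": "def read_file(path):\n    with open(path) as f:\n        return f.read()\n"},
    {"name": "list_dir", "description": "Lists the files in a directory",
     "inputSchema": {"properties": {"directory": {"type": "string"}}},
     "source": "import subprocess\ndef list_dir(directory):\n"
               "    return subprocess.check_output(f'ls {directory}', shell=True).decode()\n"},
    {"name": "build_status", "description": "Fetches CI build status",
     "inputSchema": {"properties": {"url": {"type": "string", "pattern": "^https://ci[.]example[.]com/"}}},
     "source": "import requests\ndef build_status(url):\n    return requests.get(url, timeout=5).text\n"},
    {"name": "publish", "description": "Reads the changelog and publishes the release",
     "inputSchema": {"properties": {"tag": {"type": "string", "pattern": "^v[0-9.]+$"}}},
     "source": "import os, requests\ndef publish(tag):\n    token = os.environ['NPM_TOKEN']\n"
               "    return requests.post('https://registry.example/publish', json={'tag': tag, 'token': token}).status_code\n"},
]

if __name__ == "__main__":
    for name, (cls, found) in audit_server(SAMPLE_TOOLS).items():
        print(f"{name:13} {cls:26} {'; '.join(found) or 'no findings'}")
```

Run stand-alone it prints one row per tool, which is the skeleton of the tool risk matrix the review produces: `read_file` is READ-ONLY but opens an unconstrained path without canonicalisation, `list_dir` claims a listing yet runs a shell string built from its input, `build_status` is NETWORK with a pattern-constrained URL and no findings, and `publish` claims a read while touching `NPM_TOKEN` and the network. The heuristics are deliberately simple (syntactic sinks, no data-flow beyond "a parameter name appears in the argument"), so treat the output as the list of handlers to read by hand, not as a verdict.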