Skill

mcp-security

Audits MCP tool handlers and schemas for vulnerabilities like shell injection, arbitrary file access, hardcoded secrets, and unconstrained inputs. Use when defining MCP servers or Claude Code extensions with FS/shell/network access.

Python

Anthropic

security

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Prevents MCP tool handlers from being exploited via malicious inputs, hardcoded secrets,

SKILL.md

Similar Skills

mcp-security-audit

29.8k

Audits .mcp.json MCP server configurations for security issues like hardcoded secrets, shell injection patterns, unpinned versions, unapproved servers, and env var usage.

awesome-copilot-refactor

Model Context Protocol (MCP) Skill

Implements secure Model Context Protocol (MCP) servers and clients for AI tool integration, including tool registration, transport layers (stdio, HTTP, WebSocket), and security hardening with TDD.

2 files

martinholovsky-claude-skills-generator

Mcp Security

Provides security patterns for MCP servers including OAuth 2.0, rate limiting, input validation, and audit logging. Activates on MCP security, authentication, OAuth mentions.

3 files

omer-metin-skills-for-antigravity-2

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

MCP Server Security (OWASP LLM07:2025)

What this checks

Prevents MCP tool handlers from being exploited via malicious inputs, hardcoded secrets, unrestricted file access, or shell injection. A compromised MCP server gives attackers direct access to the host environment.

Vulnerable patterns

open(inputs["path"]) — arbitrary file read from tool parameter with no allowlist
subprocess.run(inputs["cmd"], shell=True) — shell injection from tool input
api_key = "sk-abc123..." — hardcoded secret in handler or tool definition
Schema {"type": "string"} with no maxLength, pattern, or enum — unconstrained input

Fix immediately

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

Tool schemas constrain every string parameter — maxLength, pattern, enum, or additionalProperties: false. A bare "type": "string" is a blank check. The schema is the first line of defense because the model generated the input.
Paths are canonicalized and confined to an allowed root. The handler resolves the supplied filename against a fixed base directory and verifies the result stays inside that directory — defeating ../, symlink escape, and absolute paths.
Shell execution uses argument lists, never shell=True with string input. If the tool must run a command, the command name comes from a static allowlist and arguments go through argv, not string interpolation.
Secrets come from the environment or a secrets manager — never hardcoded literals in the handler or tool definition. A leaked MCP server config shouldn't leak credentials.
Every invocation is audit-logged with the tool name and sanitized inputs before the side-effect runs. For broader MCP tool design guidance, see the insecure-plugin-design skill.

Anchor — shape, not implementation:

schema: { filename: { type: string, maxLength: 128, pattern: "^[\\w-]+\\.(txt|csv)$" } }
API_KEY = load_from_env("SERVICE_API_KEY")

def read_file(inputs):
    target = (ALLOWED_ROOT / inputs["filename"]).resolve()
    require(target.is_relative_to(ALLOWED_ROOT))
    audit_log("read_file", inputs["filename"])
    return target.read()

Verification

Confirm the response:

No secrets hardcoded — all credentials loaded from os.environ
File paths resolved and confined to an allowed base directory
Shell calls use argument lists, not shell=True with string input
Every schema string parameter has maxLength, pattern, or enum

References

CWE-284 (Improper Access Control)
CWE-78 (OS Command Injection)
CWE-200 (Exposure of Sensitive Information)
OWASP LLM07:2025 Insecure Plugin Design