Auditing MCP Servers for Over-Privileged Tool Capabilities

The Model Context Protocol (MCP) has emerged as a standard for connecting Large Language Models (LLMs) to external tools and data. However, MCP servers often expose privileged capabilities, such as file system access, network requests, and command execution that can be exploited if not properly secured. We present mcp-sec-audit, an extensible security assessment toolkit designed specifically for MCP servers. It implements static pattern matching for Python-based MCP servers and dynamic sandboxed fuzzing and monitoring via Docker and eBPF. The tool detects risky capabilities through configurable rule-based analysis and provides mitigation recommendations.

💡 Research Summary

The paper addresses a critical gap in the security of Model Context Protocol (MCP) servers, which act as the bridge between large language models (LLMs) and external tools. While MCP enables powerful agentic capabilities, it also creates a risk surface: servers often expose privileged operations such as file system access, network communication, and command execution. Existing static application security testing (SAST) tools are not aware of MCP‑specific artifacts (tool metadata, protocol flows) and therefore cannot reliably flag over‑privileged capabilities before deployment.

To fill this void, the authors present mcp‑sec‑audit, an open‑source, extensible security assessment toolkit tailored for MCP servers. The system combines two complementary analysis pipelines:

1. Static Analysis Pipeline – driven by a TOML‑based rulebook that defines “capability families” (e.g., command_exec, file_write, network_outbound) together with associated keywords, regular expressions, severity weights, and confidence scores. The static engine scans Python source files and MCP JSON metadata, producing CapabilityFinding objects for any matches. The rulebook is shared with the dynamic pipeline, enabling a unified knowledge base.

2. Dynamic Analysis Pipeline – executes the target MCP server inside an isolated Docker container equipped with eBPF instrumentation. A protocol‑aware fuzzer injects malicious payloads (shell‑injection strings, path‑traversal vectors, etc.) while the eBPF monitor records low‑level events (syscalls, file I/O, network sockets). These events are serialized as Common Event Format (CEF) logs, parsed, and mapped back to capability categories, providing concrete runtime evidence that can confirm or refute static findings.

The architecture is divided into four layers: Control Plane & Knowledge Base (orchestration core, detector registry, rule loading), Core Analysis Plane (static and dynamic engines), Output Synthesis Plane (risk scoring, mitigation generation, report building), and a Web Detection Portal (interactive UI + RESTful API). A lightweight plugin system allows new detectors (e.g., a TypeScript AST analyzer) to be added without touching the core pipeline logic.

Key Contributions

• An end‑to‑end auditing framework that automatically discovers high‑risk capabilities in MCP servers and outputs deployment‑oriented hardening recommendations (e.g., read‑only Docker mounts, no‑new‑privileges flag).
• A modular pipeline that cleanly separates static pattern matching from dynamic behavior monitoring, yet shares a common TOML rulebook.
• Protocol‑aware detectors that understand both code and MCP tool descriptions, enabling detection of capabilities that are only hinted at in metadata.
• A mitigation recommendation engine that maps detected capabilities to concrete container‑level policies.
• An extensible plugin registry for future language support and custom detectors.

Evaluation The authors evaluate the system on three fronts:

1. Synthetic Malicious Tool – a handcrafted Python script containing command execution, file I/O, and network calls. The static pipeline identifies all three capability families with confidence scores between 0.65 and 0.85, assigns a medium risk level, and produces five mitigation suggestions, all within two seconds and without Docker.

2. MCPTox Benchmark – a publicly available dataset of 45 real‑world MCP servers (491 samples). The tool detects 663 capability instances, achieving a 100 % detection rate for samples that explicitly expose capability indicators in their metadata, and an overall detection rate of 74.7 %. The most frequent capabilities are file_write, tool_sequence_hijack, and prompt_injection. Risk distribution is heavily skewed toward low risk, with an average score of 9.96/100.

3. Vulnerable MCP Servers Lab – a curated repository of nine intentionally vulnerable MCP implementations (2 Python, 7 JavaScript). Static analysis finds all Python‑based issues but misses all JavaScript ones due to lack of a JS parser. Dynamic analysis, however, discovers every vulnerability regardless of language, raising risk scores by an average of 36.2 points compared to static results. The highest dynamic score (65.3) corresponds to a server that uses eval() for remote code execution, confirming four distinct capability categories.

Limitations & Future Work

• Language Coverage: Currently only Python source and JSON metadata are supported; JavaScript/TypeScript static analysis is pending plugin development.
• Precision: Pattern‑based detection can generate false positives (benign code matching risky keywords) and false negatives (obfuscated calls). Incorporating context‑aware heuristics or LLM‑driven semantic analysis could improve accuracy.
• Runtime Requirements: The dynamic pipeline requires a Linux host with eBPF support and privileged Docker containers, which may be a barrier for some CI environments. Future work aims to automate sandbox provisioning and explore alternatives such as macOS DTrace or Windows ETW.
• Mitigation Granularity: Recommendations are currently generic (e.g., “use Docker with no‑new‑privileges”). The authors plan to integrate fine‑grained policy templates (AppArmor, SELinux, CSP) and allow organizations to supply custom mitigation libraries.
• Semantic Validation: While the tool flags prompt‑injection patterns in metadata, it does not verify whether runtime parameter handling respects intended constraints. A hybrid approach that combines static rules, dynamic evidence, and LLM‑based safety evaluation is proposed.

Conclusion mcp‑sec‑audit constitutes the first comprehensive, protocol‑aware security auditing solution for MCP servers. By fusing static pattern matching with eBPF‑backed dynamic fuzzing, it achieves language‑agnostic detection of over‑privileged capabilities and automatically generates actionable hardening guidance. The modular, rule‑driven design ensures extensibility, and the evaluation demonstrates both high detection rates and the added value of runtime verification. The work paves the way for more secure LLM‑agent ecosystems and highlights several promising research directions, including broader language support, semantic analysis, and richer mitigation policy generation.