MCP Security

MCP Server Pre-Flight Check

Audit any MCP server for security vulnerabilities before installation. Detects tool poisoning, confused deputy attacks, and data flow risks.

MCP audits are one part of securing AI agents end-to-end — alongside AGENTS.md governance verification, delegation-loop detection, and tool-binding analysis.

Audit an MCP Server View on GitHub

MCP CVE Wall — live 2026 incidents

3,000+ MCP servers exposed in one disclosure. Multiple disclosed CVEs across 2025-2026.

MCP exploded in adoption in 2025-2026. The security state hasn't kept up. We're publishing this wall — every incident sourced to public reporting — so MCP operators have one place to track ecosystem risk.

CRITICALClawHavoc — 1,184 malicious skills (CVE-2026-25253)

Koi Security found 341 → 1,184 compromised packages in the OpenClaw supply chain (Jan-Feb 2026). One-click remote code execution via malicious link. Patched in OpenClaw v2026.1.29.

CRITICALSmithery.ai path-traversal — 3,000+ MCP servers exposed

GitGuardian disclosed June 13, 2025; Smithery patched June 15. Path-traversal in the “dockerBuildPath” property of smithery.yaml allowed arbitrary code execution on over 3,000 hosted MCP servers — exposing API keys, auth tokens, and live client traffic. No evidence of exploit in the wild. SC Media coverage.

HIGHCVE-2026-33032 — Anthropic STDIO disclosure

Local-server-compromise vector in STDIO-mode MCP servers. Patched, but every self-hosted MCP server running on a developer's machine should be re-verified for sandboxing.

HIGHCisco research: 26% of 31,000 agent skills have ≥1 vulnerability

Early-2026 Cisco analysis of 31,000 agent skills found at least one vulnerability in 26% of them. Led to Cisco's DefenseClaw open-source release.

ONGOINGPattern: hosted MCP servers using long-term static credentials

Per GitGuardian's research on the Smithery disclosure: the majority of MCP servers do not rely on OAuth for authentication; instead, authentication is performed using static, long-term credentials. This makes a single token compromise broadly damaging across the ecosystem.

Inkog audits MCP servers for the 6 attack categories in the MCP spec (confused deputy, token passthrough, SSRF, session hijacking, local-server compromise, scope minimization). Scan any server in 60 seconds — see the next section for how.

Why Audit MCP Servers?

Third-party risk

MCP servers from registries can contain malicious tool descriptions that manipulate AI behavior.

Hidden instructions

Tool poisoning attacks embed commands in descriptions that AI agents follow as legitimate guidance.

Missing authorization

Confused deputy vulnerabilities let attackers use the AI to access resources they shouldn't.

What Inkog Detects

Tool Poisoning—Malicious instructions hidden in tool descriptions

Confused Deputy—Missing authorization checks enabling privilege abuse

Data Exfiltration—Patterns that could leak sensitive data to external endpoints

Privilege Escalation—Tool chaining that bypasses permission boundaries

Input Validation—Missing sanitization on tool parameters

How to Audit

Via CLI

inkog audit-mcp github

Via Claude Desktop

# Install the Inkog MCP server, then ask Claude:
"Audit the filesystem MCP server for security issues"

Via API

curl -X POST https://api.inkog.io/v1/mcp/audit \
  -H "Authorization: Bearer $INKOG_API_KEY" \
  -d '{"server_name": "github"}'

Learn More

What is MCP Server Security?Tool Poisoning Attacks Confused Deputy Vulnerabilities

Audit Before You Install

Don't trust MCP servers blindly. Scan them first.

Start MCP Audit