MCP Security: Scanning Model Context Protocol Servers

MCP security is the practice of finding and fixing vulnerabilities in Model Context Protocol servers — the tools that give AI agents access to data and actions. The core risks are tool poisoning, confused-deputy attacks, credential smuggling, and unsafe discovery endpoints. MEDUSA scans MCP server code and configs for these with 600+ dedicated protocol rules.

What is MCP, and why is it a security problem?

The Model Context Protocol (MCP) is an open standard that lets AI agents connect to external tools, data sources, and services through a common interface. An MCP server exposes "tools" — functions the model can call — along with their descriptions and schemas. That description text is fed straight into the model's context, which is exactly what makes MCP a new attack surface: the data an MCP server returns can carry instructions the agent will follow.

Traditional SAST tools were never designed to reason about this. They look for injection and unsafe calls in code, not for a tool description that quietly tells an agent to exfiltrate a secret. MCP security needs rules that understand the protocol's trust boundaries.

The MCP attack surface

Tool poisoning

A malicious or compromised MCP server embeds hidden instructions in a tool's name, description, or output. When the agent reads that text, it acts on the injected instruction — leaking data, calling other tools, or altering its behaviour. Because the payload lives in metadata the user never sees, tool poisoning is invisible in a normal review.

Confused-deputy & cross-tool exploitation

An agent with access to several MCP servers can be tricked into using a privileged tool on behalf of an attacker who only controls a low-privilege one — the classic confused-deputy pattern, applied to agent tool-calls. One poisoned tool can pivot through the others.

Credential smuggling & unsafe discovery endpoints

MCP servers frequently broker API keys and OAuth tokens. Weak handling lets those credentials leak through tool responses or logs, and permissive discovery endpoints expose more of the server's capability surface than intended. CVE-2025-6514 demonstrated remote code execution against MCP servers in the wild — proof this is not theoretical.

How MEDUSA detects MCP vulnerabilities

MEDUSA is an AI-first security scanner with 600+ rules for MCP and the emerging agent protocols (MCP, UCP, AP2, ACP), part of 40,000+ total detection patterns across 79 scanners. It statically analyses MCP server code and configuration for tool poisoning signatures, confused-deputy patterns, credential handling flaws, unsafe discovery endpoints, and known CVEs — with zero setup:

pip install medusa-security
medusa scan .

Vet an MCP server before you install it

Most MCP risk arrives when you add someone else's server. MEDUSA can scan a remote repository — including poisoned AI-editor configs like mcp.json, .cursor/mcp.json, and .claude/ hooks and skills — before you ever clone or run it:

medusa scan --git https://github.com/org/mcp-server

This is the forward-first check that belongs in front of every third-party MCP server you adopt, and in CI for the servers you build.

Scan your MCP servers now

Free, open source (AGPL-3.0), and zero setup. Get a full MCP security audit in seconds.

Install MEDUSA Free

See the full detection coverage or read the documentation.