How mcp-security-audit scans MCP servers for injection — the 9 categories, and what tripped in Microsoft's servers

[manja316]

Opening the first thread here to seed the conversation — this is a methodology post, not a pitch. If you run MCP servers (your own or third-party uvx/npx ones you've added to Claude/Cursor), the question worth asking is: what did you actually grant that server permission to do, and could its tool descriptions be turned against the model?

What mcp-security-audit actually checks

It connects to any MCP server, enumerates every tool / resource / prompt, and runs four passes:

1. Tool risk classification — every tool is bucketed SHELL / FILE / DATABASE / NETWORK / SAFE. A "harmless" formatting tool that secretly shells out is the thing that bites you.
2. Injection-pattern scan — tool and prompt descriptions are scanned for 75 patterns across 9 categories (instruction override, exfiltration lures, role confusion, hidden-unicode, etc.). The description is part of the model's context, so a malicious one is a prompt-injection vector before any tool is even called.
3. Resource-URI analysis — flags servers that expose sensitive paths (.env, .ssh, credential stores).
4. High-risk ratio — warns when >50% of a server's surface is FILE/SHELL level.

Output is a single 0–100 score with an A–F grade, so it drops straight into CI:

mcp-audit scan --server "uvx some-server" || echo "audit failed"   # exit 1 on C/D/F

Why this isn't theoretical

I pointed it at Microsoft's published MCP servers and it surfaced 20 distinct findings — write-up here: https://dev.to/manja316/i-audited-microsofts-mcp-servers-and-found-20-vulnerabilities-139e . Big-vendor servers are not automatically safe; the attack surface is the descriptions as much as the code.

Two things I'd genuinely like answers to

• What category am I missing? The 9 injection categories are opinionated. If you've seen an injection style in the wild that wouldn't trip any of the above, drop it here — I'll add a pattern for it.
• Scoring weights: right now SHELL/FILE tools dominate the deduction. Is that the right bias, or are NETWORK exfiltration paths underweighted?

Run it on a server you actually use and paste the grade — curious what the spread looks like across real-world servers:

pip install mcp-security-audit
mcp-audit scan --server "<your server cmd>"

If you want a written-up professional report instead of the raw CLI output, that's the paid audit — but the CLI is free and MIT, and the methodology above is the whole game.