Skip to content

feat: add 2 MCP security detection rules#458

Open
NY1024 wants to merge 1 commit into
Tencent:mainfrom
NY1024:add-mcp-security-rules-v2
Open

feat: add 2 MCP security detection rules#458
NY1024 wants to merge 1 commit into
Tencent:mainfrom
NY1024:add-mcp-security-rules-v2

Conversation

@NY1024

@NY1024 NY1024 commented Jul 3, 2026

Copy link
Copy Markdown
Contributor
  • mcp_prompt_injection_tool_results: detect indirect prompt injection delivered through MCP tool results where attacker-controlled content (web pages, files, RAG retrievals) is returned unsanitized to the host agent, enabling context hijacking and unauthorized tool chaining. Based on OWASP LLM Top-1 (Prompt Injection).

  • mcp_excessive_permissions: detect MCP tools that exercise permissions (broad filesystem access, unrestricted network, shell execution, credential store reads) beyond their stated functionality. Based on Docker security advisory (Aug 2025) and CVE-2025-6514 affecting ~500k dev environments.

- mcp_prompt_injection_tool_results: detect indirect prompt injection
  delivered through MCP tool results where attacker-controlled content
  (web pages, files, RAG retrievals) is returned unsanitized to the host
  agent, enabling context hijacking and unauthorized tool chaining.
  Based on OWASP LLM Top-1 (Prompt Injection).

- mcp_excessive_permissions: detect MCP tools that exercise permissions
  (broad filesystem access, unrestricted network, shell execution, credential
  store reads) beyond their stated functionality. Based on Docker security
  advisory (Aug 2025) and CVE-2025-6514 affecting ~500k dev environments.
@boy-hack

boy-hack commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Code Review: feat: add 2 MCP security detection rules

✅ Strengths

  • mcp_prompt_injection_tool_results — targets a real and critical OWASP LLM Top-10 (LLM01) attack vector: indirect prompt injection via untrusted tool responses. Well-scoped detection criteria.
  • mcp_excessive_permissions — covers overly broad tool capabilities (filesystem, network, shell, credential store) beyond stated purpose. Aligns with Principle of Least Privilege.
  • Both rules follow the correct YAML schema with info, prompt_template, and response_format.

⚠️ Minor Issues

  1. mcp_prompt_injection_tool_results.yaml: The detection focus is on "does the tool return unsanitized external content to the LLM?" — this is a design-level audit. Consider clarifying in prompt_template whether the agent should look for the absence of output sanitization or the presence of known injection payloads, to reduce false positives.
  2. mcp_excessive_permissions.yaml: The rule correctly identifies over-scoped tools, but the response_format could benefit from a severity field (currently not present in either rule). Check if other MCP rules include severity — e.g., mcp_tool_poisoning.yaml.

🟢 Verdict

LGTM. These rules address important MCP threat classes that are currently underdetected.
Waiting for @pythoncheng or @boy-hack to merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants