How to Secure MCP Tools: Risks, Real‑World Cases, and the Open‑Source MCPScan Framework
The article analyzes the security challenges introduced by the open Model Context Protocol (MCP) ecosystem, outlines typical attack vectors such as command‑execution hijacking and indirect prompt injection, and presents MCPScan—an open‑source scanner that combines static taint analysis with LLM‑driven reasoning to detect exploitable tool chains before deployment.
Large language model (LLM) agents can act as "intelligent operators" that browse the web, query databases, read/write files, and invoke external services. The Model Context Protocol (MCP) enables this capability but also expands the attack surface.
Why a security assessment is needed
Low publishing threshold – anyone can publish a tool, leading to inconsistent code quality and security awareness.
Direct text‑level attacks – tool metadata is read by the model and can be abused for malicious purposes.
Opaque implementation logic – tools may perform sensitive operations such as file access or arbitrary network requests without clear visibility.
Real‑world high‑frequency MCP risks
Command‑execution chain hijacking – For example, CVE‑2025‑6514, in which an attacker manipulates the mcp‑remote open API, turning a harmless "open file" request into an "execute program" command and allowing execution of the system calculator or other binaries.
Indirect Prompt Injection – When a tool (e.g., a web‑read utility) returns raw page content to the model, a malicious page can embed hidden commands (e.g., "delete file") that the model treats as a legitimate task, leading to file deletion or data leakage.
MCPScan: an open‑source security scanner for MCP tools
GitHub: https://github.com/antgroup/MCPScan
MCPScan is designed for the MCP tool ecosystem. It achieves high recall and high precision by combining two engines:
Static taint analysis (Semgrep) – Detects dangerous API calls such as open, os.system, and requests.get, and tracks the flow from model/user input to these sensitive sinks.
LLM‑driven context evaluation – Classifies explicit high‑risk patterns as vulnerabilities, builds lifecycle summaries (input → tool → model), and determines whether a closed‑loop attack chain exists.
Stage 1 | Static scanning
Identify dangerous APIs (e.g., open, os.system, requests.get) and their parameter sources.
Track controllable flows "model/user input → sensitive sink".
Extract tool metadata for downstream semantic checks.
Stage 2 | Metadata check (optional)
Detect misleading or malicious descriptions, hidden commands, and mismatches between declared and actual functionality.
Stage 3 | Lifecycle & logic review (optional)
Reconstruct call‑parameter‑return chains, generate a lifecycle summary, and classify the risk as HIGH or LOW with an explanatory rationale.
Installation & basic usage
# Install
git clone git@github.com:antgroup/MCPScan.git
cd MCPScan
pip install -e .

# Scan a local repository
mcpscan scan ./my-repo

# Skip metadata check
mcpscan scan ./my-repo --no-monitor-desc

# Scan a remote GitHub repository
mcpscan scan https://github.com/user/repo

# Use custom rules
mcpscan scan ./project -c custom_rules.yml

In a small experiment on the Smithery community sample tools, MCPScan discovered roughly 20 high‑risk services, such as tools that read untrusted content and return it directly to the model, or fetch‑type tools that can be chained with local command‑execution tools to perform destructive actions (e.g., file deletion).
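As an added illustration (example code written for this article, not MCPScan's own engine, which uses Semgrep rules plus an LLM stage), the Python sketch below applies the Stage 1 idea to a constructed tool file: every parameter of a tool function is treated as model/user‑controlled and followed into the sinks named above, and a function that returns content obtained from requests.get without processing is flagged as the read‑and‑return pattern seen in the Smithery experiment. The SAMPLE source, the straight‑line assignment model and the finding labels are assumptions made for this example.

```python
import ast
# Constructed sample of MCP tool code (not from the page): two risky tools, one safe.
SAMPLE = '''
import os, requests
def run_cmd(command):
    full = "sh -c " + command
    return os.system(full)
def fetch_page(url):
    resp = requests.get(url, timeout=5)
    return resp.text
def add(a, b):
    return a + b
'''
SINKS = {"open", "os.system", "requests.get"}  # Stage 1 sinks the article names
UNTRUSTED_SOURCES = {"requests.get"}           # results are attacker-influenced text

def _dotted(node):  # 'os.system'-style name of a call target, or None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _names(node):  # every variable name referenced inside an expression
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def _propagate(fn, marked, via_calls=frozenset()):
    """Forward-propagate a name set through the function's straight-line assignments."""
    for st in fn.body:
        if isinstance(st, ast.Assign):
            src = _dotted(st.value.func) if isinstance(st.value, ast.Call) else None
            if _names(st.value) & marked or src in via_calls:
                marked |= {t.id for t in st.targets if isinstance(t, ast.Name)}
    return marked

def scan_tool_source(source):
    """Return (function, finding, line) for params reaching a sink or fetched content returned raw."""
    findings = []
    for fn in [n for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)]:
        tainted = _propagate(fn, {a.arg for a in fn.args.args})   # model/user-controlled
        untrusted = _propagate(fn, set(), UNTRUSTED_SOURCES)      # fetched, not validated
        for node in ast.walk(fn):
            if isinstance(node, ast.Call) and _dotted(node.func) in SINKS:
                if any(_names(a) & tainted for a in node.args + [k.value for k in node.keywords]):
                    findings.append((fn.name, f"param->{_dotted(node.func)}", node.lineno))
            elif isinstance(node, ast.Return) and node.value and _names(node.value) & untrusted:
                findings.append((fn.name, "returns-untrusted-content", node.lineno))
    return sorted(findings, key=lambda f: f[2])
```

Running scan_tool_source(SAMPLE) reports run_cmd and both fetch_page findings while the safe add tool stays clean; a real scanner must also follow nested blocks, calls between tools and the metadata checks of Stages 2 and 3.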
Conclusion
The openness of MCP fuels powerful agents but also magnifies risk. MCPScan provides a systematic pre‑deployment security check, helping tool developers, platform operators, and security researchers to identify exploitable chains, make informed decisions, and reduce the likelihood of real‑world attacks.
Data Party THU
Official platform of Tsinghua Big Data Research Center, sharing the team's latest research, teaching updates, and big data news.