MCP-Security-Framework
Verified Safe
by JoKFA
Overview
Automated security assessment and vulnerability detection for Model Context Protocol (MCP) servers.
Installation
python mcpsf.py assess @modelcontextprotocol/server-time
Environment Variables
- OPENAI_API_KEY
- ANTHROPIC_API_KEY
- GITHUB_TOKEN
- STRIPE_API_KEY
- AWS_ACCESS_KEY_ID
- GOOGLE_API_KEY
- DATABASE_URL
- MONGODB_URL
- REDIS_URL
- HTTP_PROXY
- HTTPS_PROXY
Security Notes
The framework itself is designed with sound security principles: target MCPs are isolated in Docker containers, and a SafeAdapter enforces policies (rate limiting, scope, redaction) on their traffic. Critical operations such as git cloning and running internal commands are performed inside these isolated environments. Interacting with the Docker socket and `exec_run` carries inherent risk (a process that can reach the Docker socket has root-equivalent control of the host, so the machine running the assessor must itself be trusted and hardened), but the implementation shows careful handling, e.g. `shlex.quote` when building commands and binary header parsing for the multiplexed `stdio` streams. No direct `eval()` calls by the framework were found. The primary attack surface is the target MCPs it assesses, which the framework aims to contain within its sandboxes.
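The notes above describe three mechanisms without showing them: parsing the binary frame headers of a Docker `stdio` stream, quoting commands before `exec_run`, and a SafeAdapter that enforces scope, rate limits and redaction. The following is an added example, not code from MCP-Security-Framework, that demonstrates all three on a constructed byte stream. The Docker frame layout (8-byte header: stream type, three padding bytes, big-endian length) is the documented format of Docker's multiplexed attach/exec streams; the `PolicyAdapter`, `RateLimiter` and `build_exec_command` names and the policy shape are assumptions of this example, and the secret names it redacts are the environment variables listed on this page.

```python
"""Added example (not part of MCP-Security-Framework): Docker stdio frame
demuxing, shlex-quoted exec commands, and a hypothetical policy adapter."""
import re
import shlex
import struct
import time
from collections import deque
from typing import Callable, Dict, List, Tuple

# Docker multiplexed stream frame: [type:1][pad:3][length:4, big-endian]
# followed by `length` payload bytes. type 0=stdin, 1=stdout, 2=stderr.
FRAME_HEADER = struct.Struct(">B3xI")


def build_frame(stream_type: int, payload: bytes) -> bytes:
    """Encode one frame (used here only to construct sample input)."""
    return FRAME_HEADER.pack(stream_type, len(payload)) + payload


def demux_frames(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a raw multiplexed stream into (stream_type, payload) frames.
    Truncated or malformed input raises instead of yielding partial data."""
    frames, offset = [], 0
    while offset < len(data):
        if len(data) - offset < FRAME_HEADER.size:
            raise ValueError("truncated frame header")
        stream_type, length = FRAME_HEADER.unpack_from(data, offset)
        offset += FRAME_HEADER.size
        payload = data[offset:offset + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        if stream_type not in (0, 1, 2):
            raise ValueError(f"unknown stream type {stream_type}")
        frames.append((stream_type, payload))
        offset += length
    return frames


def build_exec_command(args: List[str]) -> str:
    """Quote every argument so a target-controlled value cannot inject shell
    syntax when the command string is handed to a shell inside the sandbox."""
    return " ".join(shlex.quote(a) for a in args)


# Secret names from this page's Environment Variables list; values are
# replaced, and embedded user:pass@ URL credentials are masked as well.
SECRET_ENV_NAMES = (
    "OPENAI_API_KEY", "ANTHROPIC_API_KEY", "GITHUB_TOKEN", "STRIPE_API_KEY",
    "AWS_ACCESS_KEY_ID", "GOOGLE_API_KEY", "DATABASE_URL", "MONGODB_URL", "REDIS_URL",
)
_SECRET_RE = re.compile(r"(?P<key>" + "|".join(SECRET_ENV_NAMES) + r")=(?P<val>\S+)")
_URL_CRED_RE = re.compile(r"://[^/\s:]+:[^@\s]+@")


def redact(text: str) -> str:
    text = _SECRET_RE.sub(lambda m: f"{m.group('key')}=[REDACTED]", text)
    return _URL_CRED_RE.sub("://[REDACTED]@", text)


class RateLimiter:
    """Sliding-window limiter; the clock is injectable so it can be tested."""

    def __init__(self, max_calls: int, per_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self.max_calls, self.per, self.clock = max_calls, per_seconds, clock
        self._calls: deque = deque()

    def allow(self) -> bool:
        now = self.clock()
        while self._calls and now - self._calls[0] >= self.per:
            self._calls.popleft()
        if len(self._calls) >= self.max_calls:
            return False
        self._calls.append(now)
        return True


class PolicyAdapter:
    """Hypothetical stand-in for a SafeAdapter: scope check, rate limit,
    then demux and redact the sandboxed tool's raw stdio stream."""

    def __init__(self, allowed_tools, max_calls=10, per_seconds=60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.allowed_tools = frozenset(allowed_tools)
        self.limiter = RateLimiter(max_calls, per_seconds, clock)

    def call(self, tool: str, raw_stream: bytes) -> Dict[str, str]:
        if tool not in self.allowed_tools:
            raise PermissionError(f"tool {tool!r} is outside the allowed scope")
        if not self.limiter.allow():
            raise RuntimeError("rate limit exceeded")
        frames = demux_frames(raw_stream)
        out = b"".join(p for t, p in frames if t == 1).decode(errors="replace")
        err = b"".join(p for t, p in frames if t == 2).decode(errors="replace")
        return {"stdout": redact(out), "stderr": redact(err)}


# Constructed sample: what a leaky target MCP might write to its stdio.
SAMPLE_STREAM = b"".join([
    build_frame(1, b"OPENAI_API_KEY=sk-test-1234\n"),
    build_frame(1, b"DATABASE_URL=postgres://admin:hunter2@db:5432/app\n"),
    build_frame(2, b"warn: connecting to redis://user:pw@cache:6379\n"),
])


def run_demo() -> Dict[str, str]:
    adapter = PolicyAdapter(allowed_tools={"get_current_time"})
    return adapter.call("get_current_time", SAMPLE_STREAM)


if __name__ == "__main__":
    print(build_exec_command(["git", "clone", "--", "https://x.test/r; rm -rf /"]))
    print(run_demo())
```

Parsing the frames yourself matters when the stream is read raw from `exec_run`; an unchecked length field would otherwise let a hostile target desynchronise stdout and stderr or smuggle stderr content into what the caller treats as tool output.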
Similar Servers
mcp-watch
A comprehensive security scanner for Model Context Protocol (MCP) servers, detecting various vulnerabilities in their implementations.
mcp-security-scanner
A Python-based penetration testing tool designed to scan and identify vulnerabilities in Model Context Protocol (MCP) servers.
mcp-jest
A testing framework for Model Context Protocol (MCP) servers, allowing automated validation of AI agent tools, resources, and prompts.
Mcpwn
Automated security testing framework for Model Context Protocol (MCP) servers, detecting RCE, path traversal, prompt injection, and protocol vulnerabilities.