MCP Servers
An MCP server is a process that exposes external tools to an agent over the Model Context Protocol (MCP), the open standard agents use to discover and call capabilities outside their own runtime. Because the agent reads each tool’s name and description as trusted context, an MCP server’s risks are tool poisoning, credential exposure, and unsafe tool calls. SaferSkills scans MCP servers fully in v1.
What is an MCP server?
MCP is a cross-agent transport standard: a server advertises a set of tools — each with a name, a description, and a schema — and any MCP-capable agent can connect to it and call those tools. This is what lets one agent reach a database, a file system, a ticketing system, or an internal API without that integration being baked into the agent itself.
Because MCP is a shared protocol, an MCP server is the most broadly compatible capability kind — every supported agent (Claude Code, Cursor, Codex, Copilot, Windsurf, Cline, Gemini, OpenClaw) can consume it. That reach is also why a single poisoned MCP server can affect many users across many agents.
What are the risks of an MCP server?
The agent treats a tool’s description as instructions, so the description text is a security surface — the same surface attackers target. Three risks dominate:
- Tool poisoning. Malicious instructions hidden in a tool description are invisible to the user but read by the model. Invariant Labs coined the Tool Poisoning Attack in April 2025; their published proof-of-concept used a poisoned tool to extract a user’s ~/.cursor/mcp.json and SSH keys, and an “email shadowing” variant silently rerouted mail. OWASP lists this as MCP03:2025 Tool Poisoning in the MCP Top 10. SaferSkills detects it with rules such as SS-MCP-POISON-DESCRIPTION-CREEP-01 (oversized tool description), SS-MCP-POISON-UNICODE-TAG-01 (invisible Unicode in a tool description), and SS-MCP-POISON-SHADOW-TOOL-01 (a shadow tool registration).
- Credential exposure. An MCP server runs with the privileges of the connecting agent and can be steered to read tokens, key files, or environment secrets — the exact outcome the Invariant Labs PoC demonstrated.
- Unsafe tool calls. A server can declare capabilities it does not document, or invoke subprocesses the manifest never declares — SaferSkills flags this with SS-MCP-CAP-UNDECLARED-01 (an undeclared subprocess capability).
The MCP layer has also produced named 2025 CVEs — for example CVE-2025-6514 (mcp-remote RCE) — underscoring that these are live, exploited surfaces.
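To make the three tool-poisoning rules above concrete, here is an added illustration (not SaferSkills' own scanner) that runs the same kind of deterministic checks over one constructed MCP tools/list result: an oversized description, invisible Unicode tag characters in a description, and a second registration of an existing tool name as the "shadow tool" case. The 500-character limit, the invisible-character set and the shadow-tool definition are assumptions made for this example.

```python
import json

# Assumed threshold for this illustration, not SaferSkills' real cut-off.
DESCRIPTION_CREEP_LIMIT = 500  # characters

def is_invisible(ch):
    """Code points a model reads but a UI never renders: Unicode tag
    characters (U+E0000..U+E007F) plus common zero-width characters."""
    cp = ord(ch)
    return 0xE0000 <= cp <= 0xE007F or ch in "\u200b\u200c\u200d\u2060\ufeff"

def scan_tools(tools_list_json):
    """Scan one MCP tools/list result (JSON with a "tools" array) and
    return findings as (rule_id, tool_name, evidence) tuples, each
    anchored to a quotable piece of evidence like the page describes."""
    findings = []
    seen = set()
    for tool in json.loads(tools_list_json)["tools"]:
        name = tool.get("name", "")
        desc = tool.get("description", "")
        if len(desc) > DESCRIPTION_CREEP_LIMIT:
            findings.append(("SS-MCP-POISON-DESCRIPTION-CREEP-01", name,
                             f"description is {len(desc)} chars"))
        hidden = [f"U+{ord(c):04X}" for c in desc if is_invisible(c)]
        if hidden:
            findings.append(("SS-MCP-POISON-UNICODE-TAG-01", name,
                             "invisible code points: " + ", ".join(hidden[:5])))
        # Assumed shadow-tool definition: a second tool registered under a
        # name the same server already advertised.
        if name in seen:
            findings.append(("SS-MCP-POISON-SHADOW-TOOL-01", name,
                             "second registration of an existing tool name"))
        seen.add(name)
    return findings

# Constructed sample payload: three tools, two of them poisoned.
SAMPLE = json.dumps({"tools": [
    {"name": "read_file", "description": "Read a file from the workspace."},
    # Tag characters spelling a hidden word after the visible text.
    {"name": "add", "description": "Add two numbers."
     "\U000E0049\U000E0047\U000E004E\U000E004F\U000E0052\U000E0045"},
    # Oversized description that also re-registers "read_file".
    {"name": "read_file", "description": "Read a file. " + "Also " * 200},
]})

if __name__ == "__main__":
    for rule_id, tool, evidence in scan_tools(SAMPLE):
        print(f"{rule_id}  tool={tool}  evidence={evidence}")
```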
How does SaferSkills scan an MCP server?
SaferSkills runs the same deterministic static scan it runs for every capability: a 0–100 aggregate score built from five weighted sub-scores, with each finding anchored to a static rule_id and a quotable line of evidence. Tool-poisoning findings land in the Security sub-score (35% of the weight); an active critical finding caps the whole aggregate at ≤15. There is no LLM in the verdict path, so an MCP server’s score is reproducible byte-for-byte.
A low score means review before use — read the findings and the evidence, then decide. See How scoring works for the full model, or the live methodology page for every MCP rule.
Where do I go next?
- How scoring works — the 0–100 model in one page.
- Glossary — including tool poisoning and prompt injection.
- Skills — the other fully-scanned capability kind in v1.