# scan-mcp-servers

Scans MCP servers in the Dockyard repository for security issues using Cisco AI Defense mcp-scanner. Evaluates findings, identifies false positives, and updates security allowlists in spec.yaml files.
| field | value |
|---|---|
| name | scan-mcp-servers |
| description | Scans MCP servers in the Dockyard repository for security issues using Cisco AI Defense mcp-scanner. Evaluates findings, identifies false positives, and updates security allowlists in spec.yaml files. |
| license | Apache-2.0 |
| compatibility | Requires mcp-scanner installed via `uv tool install cisco-ai-mcp-scanner` |
| metadata | `{"author":"stacklok","version":"1.0"}` |
This skill scans MCP servers for security issues and evaluates whether findings are real concerns or false positives. It uses both YARA (pattern-based) and LLM (semantic) analyzers to reduce false positives.
Use this skill when:
Requires:
- mcp-scanner installed via `uv tool install cisco-ai-mcp-scanner`
- `pyyaml` package
- `scripts/mcp-scan/`

For enhanced semantic analysis, provide an LLM API key file:
- See `scripts/mcp-scan/README.md` for provider configuration

Set up the scanner with LLM support (if using):
```bash
# Required: Activate venv or ensure mcp-scanner is installed
source .venv-test/bin/activate  # if using venv

# Optional: Enable LLM analysis (reduces false positives)
export MCP_SCANNER_LLM_API_KEY="$(cat /path/to/api-key-file)"
export MCP_SCANNER_LLM_MODEL="claude-sonnet-4-20250514"  # or gpt-4o, etc.
```
**IMPORTANT:** Never hardcode or echo API keys. Always read them from files using command substitution.
For a single server:
```bash
# Get package info from spec.yaml
config_json=$(python3 scripts/mcp-scan/generate_mcp_config.py <server_path>/spec.yaml <protocol> <server_name>)
command=$(echo "$config_json" | jq -r '.command')
args=$(echo "$config_json" | jq -r '.args')

# Run scan with both analyzers
mcp-scanner --analyzers yara,llm --format raw stdio \
  --stdio-command "$command" --stdio-arg "$args"
```
Or use the Taskfile:
```bash
task scan -- <server_path>   # e.g., task scan -- npx/context7
```
For each finding, determine if it's a real issue or false positive:
| YARA Result | LLM Result | Assessment |
|---|---|---|
| SAFE | SAFE | No issue - do not add to allowlist |
| HIGH/MEDIUM | SAFE | Likely false positive - add to allowlist with reason |
| SAFE | HIGH/MEDIUM | Review carefully - LLM may have context YARA missed |
| HIGH/MEDIUM | HIGH/MEDIUM | Real concern - investigate before allowlisting |
AITech-1.1 (Prompt Injection):
AITech-8.2 (Data Exfiltration):
AITech-9.1 (System Manipulation):
AITech-12.1 (Tool Exploitation):
If a finding is a false positive, add it to spec.yaml:
```yaml
security:
  allowed_issues:
    - code: "AITech-1.1"
      reason: |
        Clear explanation of WHY this is a false positive.
        Include: what triggered it, why it's safe, version verified.
```
Allowlist maintenance:
For each scanned server, report:
```markdown
## Security Scan Report: [Server Name]

### Server Information
- **Package:** [package@version]
- **Protocol:** [npx/uvx/go]
- **Repository:** [upstream repo URL]

### Scan Results
| Tool | YARA | LLM | Code | Status |
|------|------|-----|------|--------|
| tool_name | SAFE/HIGH | SAFE/HIGH | AITech-X.X | Allowlisted/Clean/Needs Review |

### Analysis
[Explanation of findings and why they are/aren't false positives]

### Allowlist Changes Made
- **Added:** [codes added with brief reason]
- **Removed:** [stale codes removed]
- **Retained:** [codes still valid]

### File Modified
[path to spec.yaml if changed]
```
To scan all servers in the repository:
```bash
# Find all servers
find npx uvx go -name "spec.yaml" -type f 2>/dev/null | sort

# Scan each (can be parallelized)
for spec in $(find npx uvx go -name "spec.yaml" -type f); do
  server_dir=$(dirname "$spec")
  task scan -- "$server_dir"
done
```
Or use the Taskfile:
```bash
task scan-all
```
| Code | Category | Description |
|---|---|---|
| AITech-1.1 | Prompt Injection | Direct manipulation of model instructions |
| AISubtech-1.1.1 | Instruction Manipulation | Specific injection sub-technique |
| AITech-8.2 | Data Exfiltration | Data leak flows (private data + public sink) |
| AITech-9.1 | System Manipulation | Destructive operations + untrusted content |
| AITech-12.1 | Tool Exploitation | Tool poisoning, shadowing, rug pulls |
The allowlist supports hierarchical matching:
- `AISubtech-1.1.1` matches allowlist `"AITech-1.1"` (parent)
- `AITech-8.2.1` matches allowlist `"AITech-8.2"` (parent)
- `AITech-8.2.1` matches allowlist `"AITech-8"` (grandparent)
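As an added example (not code from the skill, the Dockyard repository, or mcp-scanner), the YARA/LLM assessment matrix and the hierarchical allowlist matching described above, applied to constructed findings; the finding dictionary shape and the already-parsed `security.allowed_issues` list are assumptions:

```python
# Added example, not the stacklok skill's or mcp-scanner's own code: applies the
# YARA/LLM assessment matrix and the hierarchical allowlist matching rules to a
# constructed set of findings; the finding dict shape and the already-parsed
# spec.yaml `security.allowed_issues` list are assumptions.
SEVERITIES = {"HIGH", "MEDIUM"}  # any other analyzer result counts as SAFE

def _numbers(code):
    # 'AISubtech-1.1.1' -> ['1', '1', '1']; the AITech/AISubtech prefix is
    # dropped so a sub-technique can match its parent technique's entry.
    return code.partition("-")[2].split(".")

def code_matches(finding_code, allow_code):
    # An allowlist entry covers a finding when it is the same code or an
    # ancestor (parent, grandparent, ...); a child entry never covers a parent.
    f, a = _numbers(finding_code), _numbers(allow_code)
    return len(a) <= len(f) and f[:len(a)] == a

def assess(yara, llm):
    # The four-cell matrix: YARA result x LLM result -> assessment.
    y_hit, llm_hit = yara.upper() in SEVERITIES, llm.upper() in SEVERITIES
    if not y_hit and not llm_hit:
        return "no issue"
    if y_hit and not llm_hit:
        return "likely false positive"
    if not y_hit and llm_hit:
        return "review carefully"
    return "real concern"

def status(finding, allowlist):
    # Report-table status for one tool: Clean / Allowlisted / Needs Review.
    if assess(finding["yara"], finding["llm"]) == "no issue":
        return "Clean"
    if any(code_matches(finding["code"], e["code"]) for e in allowlist):
        return "Allowlisted"
    return "Needs Review"

def stale_entries(allowlist, findings):
    # Allowlist codes that no current non-clean finding needs: removal candidates.
    live = [f for f in findings if assess(f["yara"], f["llm"]) != "no issue"]
    return [e["code"] for e in allowlist
            if not any(code_matches(f["code"], e["code"]) for f in live)]

# Constructed sample data (not real scanner output or a real spec.yaml).
ALLOWLIST = [{"code": "AITech-1.1", "reason": "README quotes prompt syntax"},
             {"code": "AITech-8", "reason": "left over from an older version"}]
FINDINGS = [
    {"tool": "search", "code": "AISubtech-1.1.1", "yara": "HIGH", "llm": "SAFE"},
    {"tool": "fetch", "code": "AITech-12.1", "yara": "HIGH", "llm": "HIGH"},
    {"tool": "ping", "code": "", "yara": "SAFE", "llm": "SAFE"},
]
```

Running `status` over each finding yields the Status column of the report template, and `stale_entries` the candidates for its "Removed" line.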