// Security review of MCP (Model Context Protocol) server implementations and configurations. Use when auditing MCP server source code, evaluating third-party MCP servers before installation, or reviewing Claude Code MCP integrations for overpermissioning, injection risks, and data exposure.
Audit AI agent configurations for security risks — excessive permissions, prompt injection surfaces, data exfiltration paths, and missing guardrails. Use when reviewing CLAUDE.md files, MCP configs, agent orchestration code, or any AI agent setup.
Assess agentic AI applications against the OWASP Top 10 for Agentic Applications 2026. Use when reviewing autonomous AI agents, multi-agent systems, or agentic workflows for security risks including goal hijacking, tool misuse, privilege abuse, and rogue agent behavior.
Comprehensive LLM security assessment against OWASP Top 10 for LLM Applications 2025. Use when reviewing LLM-integrated applications, RAG pipelines, chatbots, AI agents, or GenAI features. Covers prompt injection, data poisoning, supply chain, excessive agency, and more with real-world attack scenarios and testing methodologies.
Test LLM-integrated applications against known prompt injection techniques, evasion methods, and attack intents using the Arcanum PI Taxonomy. Use when red-teaming AI apps, validating guardrails, or deepening LLM01 (Prompt Injection) assessments.
Comprehensive API security review against OWASP API Security Top 10 (2023). Use when reviewing OpenAPI/Swagger specs, auditing REST/GraphQL/gRPC implementations, testing authentication mechanisms, or checking API gateway configurations. Covers BOLA/IDOR, broken auth, mass assignment, rate limiting, SSRF, and more with real-world attack scenarios.
Security-focused code review mapped to OWASP Top 10 and ASVS. Use when reviewing pull requests, auditing files or modules for vulnerabilities, or performing pre-merge security gate checks. Covers injection, auth, authorization, cryptography, data exposure, misconfiguration, and deserialization.
| name | mcp-server-review |
| description | Security review of MCP (Model Context Protocol) server implementations and configurations. Use when auditing MCP server source code, evaluating third-party MCP servers before installation, or reviewing Claude Code MCP integrations for overpermissioning, injection risks, and data exposure. |
| license | CC-BY-4.0 |
Audit an MCP server by following the full procedure in plays/mcp-server-review.md.
Transport & Authentication — Check transport type (stdio vs HTTP/SSE), authentication on network transports, TLS enforcement, CORS policy, origin validation.
Tool Permission Audit — For each exposed tool: document what it claims to do vs what it actually does (read source). Classify as READ-ONLY, MUTATION, DESTRUCTIVE, NETWORK, or CREDENTIAL-ACCESS. Flag tools with broader capabilities than descriptions suggest, free-form inputs, or credential access.
Input Validation & Injection — For each tool parameter: check for command injection (shell interpolation), path traversal (../ in file paths), SQL injection (unparameterized queries), SSRF (user-supplied URLs hitting internal services), and template injection.
Data Exposure — Assess MCP resources for secrets/PII leakage, tool outputs for excessive data, error messages for internal paths/stack traces, and logging for sensitive data capture.
Scope & Sandboxing — Check file system restrictions, network scope (can it reach cloud metadata 169.254.169.254?), process permissions, resource limits, and dependency surface.
Supply Chain — Verify source trustworthiness, run SCA on dependencies, check for lockfiles and reproducible builds, assess update mechanism.
Client Configuration — Review MCP client config for absolute/specific server paths, minimized env var passthrough, and command injection safety in args.
Server overview, tool risk matrix, findings using templates/finding.md, and specific configuration recommendations.
