demo

Community

vcommit-d041bb9-2026-02-16

JSON PDF

Static Verified

Level 1

Static analysis passed. MCP-Scan basic analysis completed with score >= 60.

MSSS: Level 0 (Not Compliant)

Findings

99/100

Global Security Score

Approved for Production

This MCP server has passed all critical security checks and is safe for production deployment.

3 findings

Vulnerability Summary

Critical

High

Medium

Low

Info

3 total findings detected

Medium

Score Breakdown

Security (50% weight) 98

Supply Chain (30% weight) 100

Maturity (20% weight) 100

Global Score (weighted) 99

OWASP MCP Top 10 View full details →

MCP01

Token Exposure

At Risk

MCP02

Privilege Escalation

N/A

MCP03

Tool Poisoning

Mitigated

MCP04

Supply Chain

Mitigated

MCP05

Cmd Injection

Mitigated

MCP06

Prompt Injection

Mitigated

MCP07

Data Leakage

Mitigated

MCP08

Sandboxing

N/A

MCP09

Logging Gaps

Mitigated

MCP10

Covert Channels

N/A

MSSS Certification Level

0 Level 0

Schnellinstallation

npx registry.mcp-hub.info/npm/public/demo@commit-d041bb9-2026-02-16

Sicherheitskontrollen

Other Controls

18/19 passed

No Secrets in Code

Control failed: 3 findings found, score 85.0

MEDIUM FAIL

Code Quality

PASS

Error Handling

PASS

Input Validation

PASS

Logging

PASS

No Critical Vulnerabilities

PASS

No High Vulnerabilities

PASS

No SQL Injection

PASS

No Command Injection

PASS

No Path Traversal

PASS

No Insecure Deserialization

PASS

No XSS Vulnerabilities

PASS

Secure Cryptography

PASS

No Hardcoded Credentials

PASS

Compatible License

PASS

No Copyleft License

PASS

No Deprecated Dependencies

PASS

Pinned Dependencies

PASS

Known Supply Chain

PASS

Security Findings

3 findings:

Filter:

Severity	CVSS	Finding	Class	Location	CWE
medium	—	Potential secret in variable name	E Broken Access Control	—	—
Description Potential secret in variable name Remediation Avoid storing secrets in plaintext variables Confidence low Rule ID MCP-E002
medium	—	Potential secret in variable name	E Broken Access Control	—	—
Description Potential secret in variable name Remediation Avoid storing secrets in plaintext variables Confidence low Rule ID MCP-E002
medium	—	Potential secret in variable name	E Broken Access Control	—	—
Description Potential secret in variable name Remediation Avoid storing secrets in plaintext variables Confidence low Rule ID MCP-E002

Compliance Matrix

Level 0: Integrity Verified

Score: 0/100

Basic digest and schema validation only. No static analysis passed.

Next level requirements: Score ≥ 60, no critical findings, pass Level 1 controls

OWASP MCP Top 10 (2025)

Risk assessment mapped to OWASP MCP security framework v0.1

OWASP Reference

Risk ID	Risk Name	Status	Related Controls	Findings
MCP01	Token Mismanagement & Secret Exposure Hard-coded credentials, long-lived tokens, secrets in logs	At Risk	2/3 controls pass	0
MCP02	Privilege Escalation via Scope Creep Weak scope enforcement, expanding permissions	Not Assessed	No mapped controls	0
MCP03	Tool Poisoning Rug pulls, schema poisoning, tool shadowing	Mitigated	3/3 controls pass	0
MCP04	Software Supply Chain Attacks Dependency tampering, build pipeline attacks	Mitigated	3/3 controls pass	0
MCP05	Command Injection & Execution Shell injection, chained execution, tool-mediated injection	Mitigated	1/1 controls pass	0
MCP06	Prompt Injection via Contextual Payloads Hidden instructions in input, files, or retrieved documents	Mitigated	2/2 controls pass	3
MCP07	Insufficient Authentication & Authorization Missing auth, shared secrets, token replay, impersonation	At Risk	No mapped controls	3
MCP08	Lack of Audit and Telemetry Insufficient logging, no traceability for autonomous workflows	Mitigated	1/1 controls pass	0
MCP09	Shadow MCP Servers Unauthorized instances outside security governance	Not Assessed	No mapped controls	0
MCP10	Context Injection & Over-Sharing Context window leaks, data exposure across sessions	Mitigated	3/3 controls pass	0

Based on OWASP MCP Top 10 v0.1 (2025). Controls and findings are mapped by category and keyword analysis.

3 total findings analyzed

Certification Levels Progress

MSSS certification level progression and control requirements

Integrity Baseline

Static Verified Score ≥ 60

Security Certified Score ≥ 80

Runtime Certified Score ≥ 90

Level 1 -- Static Verified

18/19

Basic analysis, score ≥ 60, no critical findings

94%

No Critical Vulnerabilities
No High Vulnerabilities
No Secrets in Code
No SQL Injection
No Command Injection
No Path Traversal
No Insecure Deserialization
No XSS Vulnerabilities
Secure Cryptography
No Hardcoded Credentials
Compatible License
No Copyleft License
No Deprecated Dependencies
Pinned Dependencies
Known Supply Chain
Code Quality
Error Handling
Input Validation
Logging

Level 2 -- Security Certified

0/0

Full analysis, score ≥ 80, SBOM evidence required

Level 3 -- Runtime Certified

0/0

Score ≥ 90, dynamic analysis, full attestation chain

MSSS Controls Detail

Individual control results grouped by security category

Control	Status	Severity	Evidence
No Critical Vulnerabilities SEC-001	PASS		Control passed: No significant issues found
No High Vulnerabilities SEC-002	PASS		Control passed: No significant issues found
No Secrets in Code SEC-003	FAIL	MEDIUM	Control failed: 3 findings found, score 85.0
No SQL Injection SEC-004	PASS		Control passed: No significant issues found
No Command Injection SEC-005	PASS		Control passed: No significant issues found
No Path Traversal SEC-006	PASS		Control passed: No significant issues found
No Insecure Deserialization SEC-007	PASS		Control passed: No significant issues found
No XSS Vulnerabilities SEC-008	PASS		Control passed: No significant issues found
Secure Cryptography SEC-009	PASS		Control passed: No significant issues found
No Hardcoded Credentials SEC-010	PASS		Control passed: No significant issues found
Compatible License SC-001	PASS		Control passed: No significant issues found
No Copyleft License SC-002	PASS		Control passed: No significant issues found
No Deprecated Dependencies SC-003	PASS		Control passed: No significant issues found
Pinned Dependencies SC-004	PASS		Control passed: No significant issues found
Known Supply Chain SC-005	PASS		Control passed: No significant issues found
Code Quality MAT-001	PASS		Control passed: No significant issues found
Error Handling MAT-002	PASS		Control passed: No significant issues found
Input Validation MAT-003	PASS		Control passed: No significant issues found
Logging MAT-004	PASS		Control passed: No significant issues found

Details

Repository: https://github.com/cr0hn/demo-vulnerable-mcp
Sprache
Lizenz
Neueste Version: commit-d041bb9-2026-02-16
Zuletzt aktualisiert: Feb 16, 2026

Melden Sie sich an, um zur Watchlist hinzuzufügen und personalisierte Empfehlungen zu erhalten

Anmelden

Versionen

commit-d041bb9-2026-02-16 99

Analysis Metadata

Toolchain Version: mcp-scan:1.0.0
Analyzed: 2026-02-16 16:02:34

demo

Static Verified

Approved for Production

Vulnerability Summary

Score Breakdown

OWASP MCP Top 10 View full details →

MSSS Certification Level

Schnellinstallation

Sicherheitskontrollen

Other Controls

Security Findings

Description

Remediation

Description

Remediation

Description

Remediation

MCP Surface Analysis

Attack Surface Analysis

Declared Tools

Resources

Transport Security

Authentication & Secrets

Compliance Matrix

Level 0: Integrity Verified

OWASP MCP Top 10 (2025)

Certification Levels Progress

Level 1 -- Static Verified

Level 2 -- Security Certified

Level 3 -- Runtime Certified

MSSS Controls Detail