Methodology

Every rule cites a primary source.

MCP Trap derives findings from public research, advisories, and empirical surveys of the MCP ecosystem. If a rule does not have a citation, it does not ship.

Five non-negotiable design constraints

  1. Every static rule cites a primary source inline. No citation, no rule.
  2. Adversarial test cases are derived from published research, not LLM-generated freeform.
  3. No live scanning of arbitrary URLs from our infrastructure. Live probing runs from your machine via the open-source mcptrap-probe CLI; we are a JSON sink, never an outbound fetcher.
  4. No security score. Findings only.
  5. Scope is MCP and tool-call schemas, not generic agent red-teaming.

Sources, and what they back

  • Invariant Labs 2025-04
    MCP security notification: tool poisoning attacks
    • tool-poisoning-imperatives rule
    • cross-tool-name-reference rule
    • description-poisoning-aux-tool corpus pattern
    • cross-tool-shadowing corpus pattern
  • Invariant 2025-05 (GitHub MCP exfil)
    GitHub MCP vulnerability
    • Background for indirect injection corpus patterns
  • Trail of Bits 2025-04
    Jumping the line: how MCP servers can attack you before you ever use them
    • hidden-unicode-in-description rule
    • oversize-description rule
    • unicode-bidi-confusable corpus pattern
  • Radosevich and Halloran 2025 (MCPSafetyBench)
    MCP Safety Audit
    • Background for static rule severity calibration
  • Hou et al. 2025
    Model Context Protocol: landscape, security threats, and future research directions
    • missing-scope-or-permission rule
    • semantic-mismatch LLM rule
  • Zhan et al. 2024 (InjecAgent)
    InjecAgent: benchmarking indirect prompt injections in tool-using agents
    • Background for indirect-injection corpus patterns
  • Greshake et al. 2023
    Not what you've signed up for: compromising real-world LLM-integrated applications with indirect prompt injection
    • trust-flow LLM rule
    • direct-injection-user corpus pattern
    • indirect-injection-tool-output corpus pattern
    • tool-output-as-instructions corpus pattern
  • Ruan et al. 2024 (ToolEmu)
    Identifying the risks of LM agents with an LM-emulated sandbox
    • confused-deputy-broad-network rule
    • capability-composition LLM rule
  • Equixly 2025
    MCP servers: the new security nightmare (43% of 100 servers had a command-injection-class flaw)
    • untyped-string-sensitive-op rule
    • argument-smuggle-oversize-string corpus pattern
    • argument-smuggle-control-chars corpus pattern
  • OWASP API Security Top 10 (2023)
    OWASP API Security Top 10
    • json-injection-prone-shape rule
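As an added illustration of design constraint 1 above (no citation, no rule) and of the two Trail of Bits-backed static rules in the list, the following Python is example code, not MCP Trap's own implementation: a rule registry that refuses any rule without a primary-source citation, plus working `hidden-unicode-in-description` and `oversize-description` checks run over constructed tool schemas. The `Rule`/`Finding` data shapes, the 2000-character limit, the `scan_sample` helper and the sample tools are all assumptions made for this example.

```python
import unicodedata
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Citation string for the Trail of Bits source listed on this page (constructed record).
TRAIL_OF_BITS_2025_04 = ("Trail of Bits 2025-04, Jumping the line: how MCP servers "
                         "can attack you before you ever use them")

# Assumed limit for the oversize-description check; the real threshold is not on the page.
MAX_DESCRIPTION_CHARS = 2000


@dataclass(frozen=True)
class Finding:
    rule_id: str
    tool: str
    message: str
    citation: str  # every finding carries its rule's primary source


@dataclass(frozen=True)
class Rule:
    rule_id: str
    citation: str                            # primary source, mandatory
    check: Callable[[dict], Iterable[str]]   # yields one message per problem in a tool schema


class RuleRegistry:
    """Holds static rules and refuses any rule that arrives without a citation."""

    def __init__(self) -> None:
        self._rules: List[Rule] = []

    def register(self, rule: Rule) -> Rule:
        if not rule.citation.strip():
            raise ValueError(f"rule {rule.rule_id!r} has no primary-source citation")
        self._rules.append(rule)
        return rule

    def scan(self, tools: Iterable[dict]) -> List[Finding]:
        findings: List[Finding] = []
        for tool in tools:
            for rule in self._rules:
                for message in rule.check(tool):
                    findings.append(Finding(rule.rule_id, tool["name"], message, rule.citation))
        return findings


def hidden_unicode_in_description(tool: dict) -> Iterable[str]:
    """Flag format (Cf), private-use (Co) and unassigned (Cn) code points: they render as
    nothing or steer rendering, so a reviewer sees one description while the model reads another."""
    desc = tool.get("description", "")
    spots = [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(desc)
             if unicodedata.category(ch) in ("Cf", "Co", "Cn")]
    if spots:
        yield (f"{len(spots)} hidden code point(s) in description, "
               f"first at index {spots[0][0]} ({spots[0][1]})")


def oversize_description(tool: dict) -> Iterable[str]:
    """Flag descriptions long enough to bury instructions a human reviewer will not read."""
    n = len(tool.get("description", ""))
    if n > MAX_DESCRIPTION_CHARS:
        yield f"description is {n} chars, limit is {MAX_DESCRIPTION_CHARS}"


def build_registry() -> RuleRegistry:
    registry = RuleRegistry()
    registry.register(Rule("hidden-unicode-in-description", TRAIL_OF_BITS_2025_04,
                           hidden_unicode_in_description))
    registry.register(Rule("oversize-description", TRAIL_OF_BITS_2025_04,
                           oversize_description))
    return registry


# Constructed tool schemas: one clean, one with two zero-width spaces, one far too long.
SAMPLE_TOOLS = [
    {"name": "read_file", "description": "Read a file from the workspace."},
    {"name": "lookup", "description": "Look up a record.\u200b\u200b Returns JSON."},
    {"name": "verbose", "description": "Summarise the input. " * 120},
]


def scan_sample() -> List[Finding]:
    """Run the registry over the constructed tools; returns two findings."""
    return build_registry().scan(SAMPLE_TOOLS)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f.rule_id}] {f.tool}: {f.message}  (source: {f.citation})")
```

Registering a rule with an empty citation raises before the rule can ever run, which is the mechanical form of "no citation, no rule"; the Unicode check keys on general categories rather than a hand-kept list so that tag characters, bidi controls and zero-width joiners are all caught by the same test.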

How LLM-derived findings are labeled

Findings produced by LLM analyses are tagged llm-suggested in the UI. They never override deterministic findings; they only add new ones. Treat them as a discovery aid, not ground truth. Results are cached by input hash, so the same schema always produces the same suggestions.
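To make the two guarantees in this section concrete, here is an added Python example (not MCP Trap's code): a cache keyed by a canonical hash of the input schema, and a merge step in which an LLM suggestion can add a finding but can never replace or re-rate one the deterministic pass produced. The finding field names, the `fake_llm_analyser` stand-in for the real LLM pass, and the sample schema and findings are assumptions for this example.

```python
import hashlib
import json
from typing import Callable, Dict, List, Tuple


def input_hash(schema: dict) -> str:
    """Canonical SHA-256 of a tool schema: key order and whitespace do not change the hash."""
    canonical = json.dumps(schema, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class LlmSuggestionCache:
    """Memoises LLM analysis by input hash so an identical schema yields identical suggestions."""

    def __init__(self, analyser: Callable[[dict], List[dict]]) -> None:
        self._analyser = analyser
        self._store: Dict[str, List[dict]] = {}
        self.analyser_calls = 0  # how often the (expensive, non-deterministic) analyser actually ran

    def suggestions_for(self, schema: dict) -> List[dict]:
        key = input_hash(schema)
        if key not in self._store:
            self.analyser_calls += 1
            self._store[key] = [dict(f, source="llm-suggested") for f in self._analyser(schema)]
        return self._store[key]


def merge_findings(deterministic: List[dict], llm_suggested: List[dict]) -> List[dict]:
    """Deterministic findings win on any (rule_id, tool) collision; LLM entries may only add."""
    merged = {(f["rule_id"], f["tool"]): dict(f, source="deterministic") for f in deterministic}
    for f in llm_suggested:
        merged.setdefault((f["rule_id"], f["tool"]), dict(f, source="llm-suggested"))
    return sorted(merged.values(), key=lambda f: (f["tool"], f["rule_id"]))


def fake_llm_analyser(schema: dict) -> List[dict]:
    """Stand-in for the LLM pass (assumption). It raises a semantic-mismatch suggestion for tools
    whose description promises open network reach, and also tries to down-rate a rule the static
    pass already covers, which the merge must ignore."""
    out = []
    for tool in schema["tools"]:
        if "any url" in tool["description"].lower():
            out.append({"rule_id": "semantic-mismatch", "tool": tool["name"],
                        "severity": "medium", "message": "description grants open network reach"})
        out.append({"rule_id": "untyped-string-sensitive-op", "tool": tool["name"],
                    "severity": "info", "message": "model judged this parameter harmless"})
    return out


# Constructed inputs: the same schema written twice with different key order.
SCHEMA_A = {"tools": [{"name": "fetch",
                       "description": "Fetch any URL and return the body",
                       "inputSchema": {"type": "object",
                                       "properties": {"url": {"type": "string"}}}}]}
SCHEMA_B = {"tools": [{"inputSchema": {"properties": {"url": {"type": "string"}},
                                       "type": "object"},
                       "description": "Fetch any URL and return the body",
                       "name": "fetch"}]}

# Constructed deterministic finding from the static pass.
DETERMINISTIC = [{"rule_id": "untyped-string-sensitive-op", "tool": "fetch",
                  "severity": "high", "message": "free-form string flows into a network call"}]


def run_pipeline() -> Tuple[int, bool, List[dict]]:
    """Returns (analyser call count, whether the second lookup hit the cache, merged findings)."""
    cache = LlmSuggestionCache(fake_llm_analyser)
    first = cache.suggestions_for(SCHEMA_A)
    second = cache.suggestions_for(SCHEMA_B)   # same hash, so no second analyser call
    merged = merge_findings(DETERMINISTIC, second)
    return cache.analyser_calls, first is second, merged


if __name__ == "__main__":
    calls, cached, merged = run_pipeline()
    print(f"analyser calls: {calls}, cache hit: {cached}")
    for f in merged:
        print(f"[{f['source']}] {f['rule_id']} on {f['tool']}: severity={f['severity']}")
```

The canonical serialisation matters: hashing the raw JSON text would make a re-indented or key-reordered schema look new and trigger a fresh, possibly different, LLM run. The merge keeps the deterministic `high` severity even though the stand-in LLM tried to lower it to `info`, while the LLM's `semantic-mismatch` entry is added and tagged `llm-suggested`.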