MCP Security Checklist: A Guide to AI Tool Ecosystem Security

Background

This security checklist, authored and maintained by @SlowMist_Team, aims to enhance the security of the blockchain and artificial intelligence ecosystems. We extend our gratitude to FENZ.AI for their valuable contributions to this checklist.

Overview

Since its release in late 2024, MCP has found widespread adoption in leading AI applications such as Claude Desktop and Cursor. However, the rapid proliferation of MCP has introduced new security challenges. The current MCP architecture comprises three key components: the Host (the locally running AI application environment), the Client (responsible for communication with the Server and tool invocation), and the Server (the backend service corresponding to the MCP plugin). Users interact with the AI through the Host, while the Client parses user requests and forwards them to the MCP Server for tool execution or resource access. This architecture, particularly in scenarios involving multiple instances and collaborative components, exposes a range of security risks. These risks are especially pronounced in sensitive contexts such as cryptocurrency transactions or the adaptation of LLM custom plugins, necessitating appropriate security measures for effective management.

Therefore, the creation and adherence to a comprehensive MCP security checklist are of paramount importance. This checklist encompasses security considerations for user interaction interfaces, client-side components, service plugins, multi-MCP collaboration mechanisms, and specific domains such as cryptocurrency scenarios. It aims to assist developers in systematically identifying potential risks and proactively mitigating them. By implementing these security measures, the overall stability and controllability of MCP systems can be significantly enhanced, ensuring that the security of AI applications keeps pace with their rapid development.

How to Use

This checklist is based on potential risk areas encountered during audits of MCP projects and is designed to help developers ensure the security of MCP implementations. We use three levels of priority to indicate the importance of each item:

🟢️ Indicates a recommended item that can be omitted in specific circumstances.
🔶 Indicates a strongly recommended item that can be omitted in exceptional cases; omission may have negative security implications.
🟥️ Indicates an item that should never be omitted; removing these elements may lead to system failure or security vulnerabilities.

MCP Server (MCP Plugin) Security

MCP servers are external services that provide tools, resources, and functionalities for AI invocation. They typically contain resources, tools, and prompts. Here are key considerations for securing MCP servers:

API Security

Input Validation: 🟥️ Rigorously validate all API inputs to prevent injection attacks and illegal parameters. This includes validating data types, lengths, and formats, as well as sanitizing and escaping inputs.
API Rate Limiting: 🔶 Implement API call rate limits to prevent abuse and attacks. This prevents malicious users from overwhelming the server by sending a large number of requests.
Output Encoding: 🔶 Properly encode API outputs to prevent cross-site scripting (XSS) attacks. This includes encoding outputs such as HTML, JavaScript, and URLs.

Server Authentication and Authorization

Access Control: 🟥️ Implement role-based access control to restrict resource access and enforce the principle of least privilege. Only authorized users should be able to access specific resources.
Credential Management: 🟥️ Securely manage and store service credentials, avoiding hardcoding and using key management services. This includes using encryption to store credentials and rotating them regularly.
External Service Authentication: 🟥️ Use secure methods to authenticate with third-party services. This includes using secure protocols such as OAuth 2.0 or SAML.
Least Privilege: 🔶 Run service processes with the minimum necessary permissions to reduce the potential attack surface and the risk of privilege escalation. This means the service should only have the permissions it needs to perform its functions.
API Key Rotation: 🔶 Regularly and automatically rotate API keys and service credentials to limit key validity periods. This can reduce the risk of key leakage.
Service Authentication: 🔶 Provide mechanisms for tools to verify service identity, facilitating client verification and secure usage. This can help clients verify that they are communicating with a trusted service.

Backend Persistence Control

Lifecycle Management: 🟥️ Implement strict MCP plugin lifecycle management, synchronized with the client. Plugins should be properly started and stopped when they are no longer needed.
Shutdown Cleanup: 🟥️ Forcefully clean up all MCP backend processes when the client shuts down. This prevents malicious plugins from continuing to run after the client has closed.
Health Check Mechanism: 🔶 Regularly check the status of MCP plugins to identify abnormal persistence. This can help identify plugins that are not running correctly.
Background Activity Monitoring: 🔶 Monitor and log all MCP background activity. This can help identify malicious activity.
Activity Restrictions: 🔶 Limit the types of actions and durations that MCP plugins can execute in the background. This can reduce the damage caused by malicious plugins.

Deployment and Runtime Security

Isolated Environment: 🟥️ Run services in isolated environments (containers, VMs, sandboxes) to prevent escape and lateral movement attacks. This prevents malicious services from affecting other services or the system.
Container Security: 🟥️ Use hardened container security configurations and run as non-root users, implement immutable infrastructure, and provide runtime protection. This can improve the security of containers.
Secure Boot: 🔶 Verify the integrity of the service startup process, implement a secure boot chain, and perform integrity checks. This can prevent malicious services from being injected during startup.
Environment Variable Security: 🔶 Protect sensitive environment variables and avoid leaking them in logs. This can prevent malicious users from accessing sensitive information.
Resource Limits: 🔶 Implement resource usage limits to prevent large language models from making a large number of cyclical and repetitive calls in case of errors. This can prevent malicious services from exhausting system resources.

Code and Data Integrity

Integrity Verification Mechanism: 🟥️ Use mechanisms such as digital signatures and hash checksums to ensure that the code has not been tampered with. This can prevent malicious users from modifying the code.
Remote Verification: 🔶 Support mechanisms for remotely verifying code integrity. This allows remote users to verify whether the code has been tampered with.
Code Obfuscation and Hardening: 🟢️ Apply code obfuscation and hardening techniques to increase the difficulty of reverse engineering. This can make it more difficult for malicious users to understand and modify the code.

Supply Chain Security

Dependency Management: 🟥️ Securely manage third-party dependencies. This includes tracking dependencies, ensuring they are up-to-date, and scanning them for vulnerabilities.
Package Integrity: 🟥️ Verify the integrity and authenticity of packages. This can prevent malicious users from injecting malicious packages.
Source Verification: 🔶 Verify the source of all code and dependencies. This can help ensure that the code comes from a trusted source.
Build Security: 🔶 Ensure that the build process is secure. This includes using secure build tools and ensuring that the build environment is secure.

Monitoring and Logging

Anomaly Detection: 🟥️ Detect and report abnormal activity patterns. This can help identify malicious activity.
Detailed Logging: 🟥️ Log all service activity and security events. This can help investigate security incidents.
Security Event Alerting: 🟥️ Configure real-time alerts for critical security events. This can help respond to security events in a timely manner.
Centralized Log Management: 🔶 Centrally collect and analyze logs. This can provide a more comprehensive view of security events.
Log Integrity: 🔶 Ensure log integrity to prevent tampering. This can prevent malicious users from deleting or modifying logs.
Audit Capability: 🔶 Support detailed auditing and incident investigation. This can help determine the cause of security incidents.

Call Environment Isolation

Inter-MCP Isolation: 🟥️ Ensure operational isolation between multiple MCP services. This can prevent malicious MCP services from affecting other MCP services.
Resource Access Control: 🟥️ Assign clear resource access permission boundaries for each MCP service. This can limit the resources that a malicious MCP service can access.
Tool Permission Separation: 🔶 Tools in different domains use different permission sets. This can reduce the damage caused by malicious tools.

Platform Compatibility and Security

System Resource Isolation: 🟥️ Implement appropriate resource isolation strategies based on different operating system characteristics. This can prevent malicious services from affecting other services or the system.
Cross-Platform Compatibility Testing: 🔶 Test the security behavior consistency of MCP services on different operating systems and clients. This can ensure that services are secure on all platforms.
Platform-Specific Risk Assessment: 🔶 Assess the unique security risks and mitigation measures for specific platforms. This can help identify and mitigate platform-specific security risks.
Client Difference Handling: 🔶 Ensure that security controls can adapt to differences in various client implementations. This can ensure that services are secure with all clients.

Data Security and Privacy

Data Minimization: 🟥️ Collect and process only the necessary data. This can reduce the risk of data leakage.
Data Encryption: 🟥️ Encrypt sensitive data in storage and in transit. This can prevent malicious users from accessing sensitive information.
Data Isolation: 🟥️ Effectively isolate data from different users. This can prevent malicious users from accessing other users’ data.
Data Access Control: 🟥️ Implement strict data access control. This can limit access to data.
Sensitive Data Identification: 🟥️ Automatically identify and handle sensitive data specially. This can help prevent sensitive data from being leaked.

Resource Security

Resource Access Control: 🟥️ Implement fine-grained resource access control. This can limit access to specific resources.
Resource Limits: 🔶 Limit the size and quantity of individual resources. This can prevent malicious users from exhausting system resources.
Resource Template Security: 🔶 Ensure that resource template parameters are validated and sanitized. This can prevent malicious users from injecting malicious code.
Sensitive Resource Tagging: 🔶 Tag and specially handle sensitive resources. This can help prevent sensitive resources from being leaked.

Tool Implementation Security

Secure Coding Practices: 🟥️ Follow secure coding standards and best practices. This can reduce the number of vulnerabilities in the code.
Tool Isolation: 🟥️ Tool execution is performed in a controlled environment to prevent system-level impact. This can prevent malicious tools from affecting other services or the system.
Input Validation: 🟥️ Strictly validate all inputs from the client. This can prevent malicious users from injecting malicious code.
Tool Permission Control: 🟥️ Each tool has only the minimum permissions required to complete the task. This can reduce the damage caused by malicious tools.
Data Validation: 🟥️ Validate the data processed by the tool to prevent injection and tampering. This can prevent malicious users from injecting malicious data.
Tool Behavior Constraints: 🟥️ Limit the scope and type of operations that the tool can perform. This can reduce the damage caused by malicious tools.
Third-Party Interface Return Information Security: 🟥️ Verify that the interface return information meets expectations and do not directly insert the return information into the context. This can prevent malicious tools from using third-party interfaces.
Error Handling: 🔶 Handle errors securely without leaking sensitive information. This can prevent malicious users from exploiting error information.
Namespace Isolation: 🔶 Implement strict namespace isolation for different tools. This can prevent conflicts between tools.

MCP Client/ MCP Host Security

The host is the environment where the AI application and MCP client run, and is the entry point for end-user interaction with the AI system. The client is a component within the AI application that is responsible for communicating with the MCP service, processing context, invoking tools, and displaying results. Here are the key considerations for protecting MCP clients and hosts:

User Interaction Security

User Interface Security: 🟥️ The user interface clearly displays the scope and potential impact of AI operations, providing intuitive security indicators. This can help users understand the permissions they are granting to the AI.
Sensitive Operation Confirmation: 🟥️ High-risk operations (such as file deletion, fund transfers) require explicit user confirmation. This can prevent users from accidentally performing high-risk operations.
Permission Request Transparency: 🟥️ Permission requests clearly state the purpose and scope, helping users make informed decisions and avoid over-authorization. This can help users understand the permissions they are granting to the AI.
Operation Visualization: 🔶 Tool calls and data access are visible and auditable to the user, providing detailed operation logs. This can help users understand what operations the AI is performing.
Information Transparency: 🔶 Tools should allow users to choose whether to display hidden tags by default, ensuring that the context that users see is complete and consistent with the actual generated and invoked context, and preventing malicious logic from existing in hidden tags.
Status Feedback: 🔶 Users can clearly understand the current MCP operations being performed.

AI Control and Monitoring

Operation Logging: 🟥️ Log all important AI operations and their results. This can help investigate security incidents.
Anomaly Detection: 🔶 Detect abnormal tool call patterns or request sequences. This can help identify malicious activity.
Tool Call Limits: 🔶 Implement limits on the frequency and number of tool calls. This can prevent malicious users from abusing tools.

Local Storage Security

Secure Credential Storage: 🟥️ Use system keychains or dedicated encrypted storage to protect authentication credentials for important credentials, preventing unauthorized access. This can prevent malicious users from accessing credentials.
Sensitive Data Isolation: 🔶 Implement data isolation mechanisms to store and process sensitive user data separately from normal data. This can prevent malicious users from accessing sensitive data.

Application Security

Application Integrity: 🟥️ Verify the integrity of the application and MCP plugins to prevent tampering. This can prevent malicious users from modifying the application.
Update Verification: 🔶 Host application updates are digitally signed and verified. This can ensure that updates come from a trusted source.
Application Sandbox: 🟢️ Run applications in a sandbox environment as much as possible to limit system access. This can reduce the damage caused by malicious applications.

Client Authentication and Authorization

Mandatory Authentication: 🟥️ Enforce authentication before communicating with any important MCP service to prevent anonymous access. This can prevent unauthorized users from accessing services.
OAuth Implementation: 🔶 Correctly implement OAuth 2.1 or later processes, following best practices and security standards. This can ensure that authentication is secure.
State Parameter: 🔶 Implement state parameters for some web clients to prevent CSRF attacks, using a unique random value for each request. This can prevent cross-site request forgery (CSRF) attacks.

MCP Tool and Server Management

MCP Tool Verification: 🟥️ Verify the authenticity and integrity of registered tools. This can prevent malicious tools from being registered.
Secure Updates: 🟥️ MCP clients regularly check and apply security updates, verifying whether the updated tool contains malicious descriptions. This can ensure that tools are up-to-date and do not contain malicious code.
Function Name Verification: 🟥️ Check for name conflicts and potential malicious overrides before registering a tool. This can prevent malicious tools from overwriting existing tools.
Malicious MCP Detection: 🟥️ Monitor and identify behavioral patterns of potentially malicious MCPs. This can help identify malicious MCPs.
MCP Tool Naming Control: 🔶 Use namespaces or unique identifiers to prevent naming conflicts. This can prevent conflicts between tools.
Service Directory: 🔶 Maintain an authorized directory of trusted MCP services and tools. This can help users find trusted services.
Conflict Resolution: 🔶 There are clear rules for resolving conflicts between tools with the same name.
Domain Isolation: 🔶 Tools from different domains are isolated from each other to prevent cross-impact.
Priority Mechanism: 🔶 Establish clear function priority rules to avoid malicious overrides.
Version Control: 🔶 Implement version control for functions and tools to detect changes.
Tool Registration and Deregistration Mechanism:🔶 Define clear processes for tool registration and deregistration to prevent security risks from legacy tools.
Conflict Detection Mechanism: 🔶 Detect and resolve function and resource conflicts in multi-MCP environments.
Tool Classification: 🟢️ Classify tools according to sensitivity and risk level.

Prompt Security

Prompt Injection Defense: 🟥️ Implement multi-layer defense measures to prevent prompt injection attacks, including manual verification of key executions.
Malicious Instruction Detection: 🟥️ Establish mechanisms to detect and block potentially malicious user instructions to avoid system manipulation, such as detecting and blocking preloaded malicious instructions during local initialization, and malicious tools from third-party MCP servers containing hidden harmful instructions.
System Prompt Protection: 🟥️ Clearly separate system prompts from user input to prevent tampering.
Sensitive Data Filtering: 🟥️ Filter sensitive personal data from prompts and contexts.
Context Isolation: 🔶 Ensure that context content from different sources is isolated from each other to prevent context pollution and information leakage.
Prompt Templates: 🔶 Use secure prompt templates to reduce the risk of injection.
Tool Description Verification: 🔶 Check tool descriptions for potential malicious instructions.
Prompt Consistency Verification: 🔶 Ensure that the same prompt produces predictable and consistent results in different environments.
Historical Context Management: 🔶 Define clear security cleanup mechanisms for historical context to prevent information leakage risks caused by the accumulation of old data.

Logs and Audits

Client Logging: 🟥️ Log all interactions with MCP services, tool calls, and authorization activity.
Security Event Logging: 🟥️ Log all security-related events, including authorization failures.
Anomaly Alerting: 🔶 Detect and alert on abnormal activity patterns.

Server Verification and Communication Security

Server Authentication: 🟥️ Verify the identity of the MCP server to prevent connecting to malicious servers and implement certificate pinning.
Certificate Verification: 🟥️ Strictly verify TLS certificates from remote servers to prevent man-in-the-middle attacks and check certificate chain integrity.
Communication Encryption: 🟥️ All client-server communication uses TLS 1.2+ encryption, disabling weak cipher suites.
Secure Protocol Configuration: 🔶 Configure secure TLS parameters and regularly audit and update encryption algorithms and protocols.

Permission Token Storage and Management

Permission Scope Limitation: 🟥️ Strictly limit the permission scope of tokens and implement the principle of least privilege.

Automatic Approval Control

Automatic Approval Limitation: 🟥️ Strictly control the scope of tools and operations that can be automatically approved.
Whitelist Management: 🔶 Clearly define the whitelist mechanism for automatically approvable tools.
Dynamic Risk Assessment: 🔶 Dynamically adjust automatic approval policies based on context.
Approval Process Audit: 🔶 Record and audit all automatic approval decisions.

Sampling Security

Context Inclusion Control: 🟥️ Strictly control the scope of the context included in sampling requests.
Sensitive Data Filtering: 🟥️ Filter sensitive data from sampling requests and responses.
Sampling Request Verification: 🔶 Verify all sampling request parameters and content.
User Control: 🔶 Ensure that users have clear control over sampling requests and results.
Model Preference Security: 🔶 Securely handle model preference information to prevent abuse.
Result Verification: 🔶 Verify that the sampling results meet security standards.

MCP Adaptation and Invocation Security on Different LLMs

Different LLM backends may have different priorities and execution logic for MCP calls, so it is necessary to pay attention to the combined security of LLM and MCP.

LLM Secure Execution

Prioritized Function Execution: 🟥️ Ensure that LLMs can prioritize the execution of functions in the correct plugins.
Malicious Prompt Protection: 🟥️ LLMs should be able to identify and protect against the behaviors required by injected mnemonics in the context of malicious prompts.
Secure Invocation: 🟥️ LLMs should be able to invoke related MCP functions correctly and securely.
Sensitive Information Protection: 🟥️ Prevent sensitive information from being leaked.

Multimodal Security

Multimodal Content Filtering: 🟥️ Filter harmful or sensitive information in multimodal content (such as malicious prompts in images).

Multi-MCP Scenario Security

When multiple MCP servers are enabled at the same time, users may install malicious MCPs due to a lack of official audits, which poses a threat to overall security.

Multi-MCP Environment Security: 🟥️ Ensure the overall security of multi-MCP environments, and regularly scan and inspect installed MCPs.
Function Priority Hijacking Protection: 🟥️ Check for possible malicious prompt presets to prevent function priority from being maliciously hijacked.
Cross-MCP Function Call Control: 🟥️ Safely control cross-MCP function calls to prevent malicious MCPs from returning malicious prompts to call other MCPs to perform sensitive operations.

Cryptocurrency-related MCPs typically have the ability to manage cryptocurrency wallets, which is a high-risk area.

Private Key Protection: 🟥️ Strengthen security measures for private keys, such as Scrypt.
Wallet Generation Security: 🟥️ Security guarantees for the mnemonic or wallet generation process.
Wallet Information Privacy: 🟥️ Protect the privacy of wallet information and properly filter wallet information when requesting third-party interfaces.
Transfer Information Confirmation: 🟥️ The information on the chain or exchange transfer signature needs to be fully displayed and confirmed.
Fund Operation Verification: 🟥️ Secondary verification is required for important fund operations, such as Google Authenticator.
Local Model Privacy Protection: 🔶 Use local large models to protect privacy data and prevent third-party large model vendors from obtaining sensitive information such as your wallet information.
Traditional Wallet Compatibility: 🔶 Secure compatibility with traditional wallets, such as supporting signature operations with traditional wallets.

updated at 2025-04-16

# AI # LLM # Agent