# MCP Live-Inspect Report

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | mcp-inspect |
| **Target** | 4 running MCP servers (auto-discovered) |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | runtime tool descriptions + capability surface |
| **Frameworks** | OWASP MCP Top 10 |
| **Triggered by** | /security mcp-inspect |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 38/100 |
| **Risk Band** | Medium |
| **Grade** | C |
| **Verdict** | WARNING |

| Severity | Count |
|----------|------:|
| Critical | 0 |
| High | 1 |
| Medium | 3 |
| Low | 2 |
| Info | 4 |
| **Total** | **10** |

**Verdict rationale:** One HIGH-severity tool-shadowing finding on `airbnb-mcp.search_listings` (description claims to "browse listings" but invokes `Bash` internally). Three MEDIUM drift advisories above per-update threshold.

---

## Server Inventory

| Server | Transport | Tools | Status | Connected |
|--------|-----------|------:|--------|-----------|
| airbnb-mcp | stdio | 6 | running | yes |
| postgres-readonly | stdio | 2 | running | yes |
| browser-mcp | http | 4 | running | yes |
| filesystem-mcp | stdio | 8 | running | yes |

---

## Codepoint Reveal

Tools with non-ASCII codepoints in descriptions (zero-width / homoglyph candidates):

| Server | Tool | Codepoints | Risk |
|--------|------|------------|------|
| airbnb-mcp | search_listings | U+200B (zero-width space), U+2028 (line separator) | HIGH |
| browser-mcp | navigate | U+202E (RTL override) | MEDIUM |
| filesystem-mcp | list_dir | (clean) | — |

---

## Findings

### High

| ID | Category | Server | Description | OWASP |
|----|----------|--------|-------------|-------|
| MCI-001 | Tool Shadowing | airbnb-mcp | `search_listings` description says "browse listings" but tool surface includes shell-exec capability | MCP06 |

### Medium

| ID | Category | Server | Description | OWASP |
|----|----------|--------|-------------|-------|
| MCI-002 | Description Drift | airbnb-mcp | `book_property` description changed 18.4% since last cache (>10% threshold) | MCP05 |
| MCI-003 | Description Drift | browser-mcp | `navigate` description gained URL-allow-list bypass language | MCP05 |
| MCI-004 | Hidden Imperative | airbnb-mcp | `cancel_booking` description contains "ALWAYS confirm with user before X" pattern | MCP03 |

### Low

| ID | Category | Server | Description | OWASP |
|----|----------|--------|-------------|-------|
| MCI-005 | Verbose Schema | filesystem-mcp | Tool schemas exceed 800 tokens — context-window pressure | — |
| MCI-006 | Verbose Schema | browser-mcp | Tool schemas exceed 600 tokens | — |

### Info

| ID | Category | Server | Description | OWASP |
|----|----------|--------|-------------|-------|
| MCI-007 | Capability | postgres-readonly | Read-only enforced by URL connection-string parameter | — |
| MCI-008 | Capability | filesystem-mcp | Path-allow-list enforced via env var | — |
| MCI-009 | Trust | airbnb-mcp | NPM package, last published 2026-04-12 | — |
| MCI-010 | Trust | browser-mcp | GitHub source, MIT license | — |

---

## Recommendations

1. **Immediate:** Disable `airbnb-mcp.search_listings` until upstream maintainer clarifies shell-exec rationale or removes capability.
2. **High:** Run `/security mcp-baseline-reset --target airbnb-mcp` after legitimate update is verified.
3. **Medium:** Audit zero-width characters in descriptions; reject the tool description if maintainer cannot explain U+200B inclusion.
4. **Medium:** Bound description token-budget in policy.json: `mcp.max_description_tokens: 500`.

---

*Live-inspect complete. 10 findings across 4 servers.*