# MCP Config Audit

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | mcp-audit |
| **Target** | ~/.claude/.mcp.json + per-project configs |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | 5 MCP servers (3 active, 2 dormant) |
| **Frameworks** | OWASP MCP |
| **Triggered by** | /security mcp-audit |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 33/100 |
| **Risk Band** | Medium |
| **Grade** | C |
| **Verdict** | WARNING |

| Severity | Count |
|----------|------:|
| Critical | 0 |
| High | 2 |
| Medium | 6 |
| Low | 3 |
| Info | 4 |
| **Total** | **15** |

**Verdict rationale:** No critical findings. Two high findings: airbnb-mcp tool description drift (per-update and cumulative), and tavily-mcp is granted `process.env` read access, which is unjustified for a search use case.

---

## MCP Landscape

| Server | Type | Trust | Tools | Active |
|--------|------|-------|-------|-------:|
| airbnb-mcp | local-stdio | medium | 4 | yes |
| tavily-mcp | http-sse | low | 6 | yes |
| microsoft-learn | http-sse | high | 3 | yes |
| gemini-mcp | local-stdio | high | 4 | dormant |
| mermaid-chart | http-sse | medium | 17 | dormant |

---

## Per-Server Analysis

### airbnb-mcp

- **Path:** `~/.claude/mcp-servers/airbnb-mcp/`
- **Origin:** GitHub (airbnb-example, MIT)
- **Tool description drift:** per-update 12.3% (alert), cumulative 27% from baseline (advisory)
- **Permissions:** Bash, WebFetch, Read
- **Verdict:** WARNING — drift indicates a possible upgrade or rug-pull. Investigate before reset.

### tavily-mcp

- **Path:** remote (HTTP-SSE)
- **Origin:** tavily.ai
- **Tool description drift:** none
- **Permissions:** WebFetch, env-vars (TAVILY_API_KEY)
- **Verdict:** WARNING — env-var read scope is broader than needed. Confirm only TAVILY_API_KEY is exposed.

### microsoft-learn

- **Path:** remote (HTTP-SSE)
- **Origin:** Microsoft
- **Tool description drift:** none
- **Permissions:** WebFetch
- **Verdict:** ALLOW — minimal surface, well-scoped.

### gemini-mcp (dormant)

- **Path:** `~/.claude/mcp-servers/gemini-mcp/`
- **Origin:** local-built
- **Verdict:** N/A (dormant)

### mermaid-chart (dormant)

- **Path:** remote (HTTP-SSE)
- **Verdict:** N/A (dormant)

---

## MCP Risk Assessment

3 active servers, 17 total tools across active set. Risk concentration: airbnb-mcp (description drift) + tavily-mcp (env-var scope). One server (microsoft-learn) is a well-scoped baseline.

---

## Keep / Review / Remove

| Decision | Server | Reason |
|----------|--------|--------|
| Keep | microsoft-learn | Well-scoped, official source |
| Keep | gemini-mcp | Dormant but trusted, retain |
| Review | airbnb-mcp | Description drift requires investigation |
| Review | tavily-mcp | Env-var scope overly broad |
| Remove | mermaid-chart | Dormant 87 days, no usage |

---

## Findings

### High

| ID | Server | Description | OWASP |
|----|--------|-------------|-------|
| MA-001 | airbnb-mcp | Cumulative drift 27% from baseline (sticky) | MCP05 |
| MA-002 | tavily-mcp | env-var read includes more than declared keys | MCP06 |

### Medium

| ID | Server | Description | OWASP |
|----|--------|-------------|-------|
| MA-003 | airbnb-mcp | Per-update drift 12.3% on `book` tool | MCP05 |
| MA-004 | airbnb-mcp | Tool `book` returns large payloads without size cap | MCP09 |
| MA-005 | tavily-mcp | TLS cert pinning not enforced | MCP08 |
| MA-006 | mermaid-chart | Dormant > 90 days, suggest removal | — |
| MA-007 | airbnb-mcp | Description includes implicit instruction | MCP05 |
| MA-008 | tavily-mcp | Rate-limit not configured client-side | MCP09 |

### Low / Info

(7 lower-severity findings — see envelope)

---

## Recommendations

1. **High:** Run `/security mcp-baseline-reset --target airbnb-mcp` only AFTER manual review of the new description.
2. **High:** Restrict `tavily-mcp` env-var scope to `TAVILY_API_KEY` exclusively (settings.local.json).
3. **Medium:** Remove the dormant `mermaid-chart` server unless it is re-activated within 14 days.
4. **Medium:** Add response-size caps for the `airbnb-mcp` `book` tool.

---

*MCP-audit complete. 5 servers, 15 findings, verdict WARNING.*