# MCP Security Audit Report

---

## Header

| Field | Value |
|-------|-------|
| **Audit scope** | [List of MCP config files examined — e.g. `.mcp.json`, `~/.claude/settings.json`] |
| **Servers found** | [count] |
| **Audit date** | [ISO 8601 — e.g. 2026-02-19] |
| **Auditor** | llm-security v[X.X] — mcp-scanner-agent |
| **Analysis phases** | Tool descriptions, Source code, Dependencies, Configuration, Rug pull detection |

---

## MCP Landscape Summary

| Server | Source | Transport | Trust Rating | Critical | High | Medium | Low |
|--------|--------|-----------|--------------|----------|------|--------|-----|
| `[server-name]` | [local path / npx package / remote URL] | stdio / sse | [Trusted/Cautious/Untrusted/Dangerous] | [n] | [n] | [n] | [n] |

**Overall MCP Risk:** [Low / Medium / High / Critical]

---

## Per-Server Analysis

### Server: `[server-name]`

| Field | Value |
|-------|-------|
| **Transport** | stdio / sse |
| **Command/URL** | `[command and args, or URL]` |
| **Source** | `[resolved path or "remote package"]` |
| **Trust Rating** | [Trusted / Cautious / Untrusted / Dangerous] |

**Findings:**

| # | Severity | Category | Description | OWASP Ref |
|---|----------|----------|-------------|-----------|
| 1 | [Critical/High/Medium/Low] | [Category name] | [Finding description] | [LLM0X or ASI0X] |

**Evidence:**

```
[Exact code or config excerpt — file:line reference. Redact actual secret values.]
```

**Recommendations:**

- [Specific, actionable fix per finding]

---

[Repeat per-server section for each server discovered]

---

## Overall MCP Risk Assessment

**Risk Rating: [Low / Medium / High / Critical]**

| Criterion | Description |
|-----------|-------------|
| **Low** | All servers Trusted or Cautious, no High+ findings |
| **Medium** | One or more Cautious servers with High findings |
| **High** | One or more Untrusted servers |
| **Critical** | Any server rated Dangerous |

---

## Recommendations

### Keep (no action required)

- **`[server-name]`** — Trusted, [n] Low findings only. [Brief positive note.]

### Review before next session

- **`[server-name]`** — [Cautious/Untrusted], [specific concern to investigate]

### Remove or disable immediately

- **`[server-name]`** — Dangerous: [one-line critical finding summary]

> If all servers are Trusted with no High+ findings, write: "All MCP servers passed trust verification. No action required."

---

## Footer

| Field | Value |
|-------|-------|
| llm-security version | [e.g. 0.1.0] |
| Assessment engine | mcp-scanner-agent (5-phase analysis) |
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
| Config files scanned | [comma-separated list of files read] |
| Report generated | [ISO 8601 timestamp] |

---