ktg-plugin-marketplace/plugins/llm-security/playground/test-fixtures/mcp-inspect.md
Kjell Tore Guttormsen ce3891bdd0 feat(llm-security): playground Phase 3 — v7.5.0 with 18 parsers/renderers
The single-file SPA playground now has a parser + renderer for all 18
produces_report=true commands (Phase 2: 10 high-priority + Phase 3: 8
remaining: mcp-inspect, supply-check, pre-deploy, diff, watch,
registry, clean, threat-model). 18 markdown test fixtures serve
as contract anchors for parser development.

The complete demo project `dft-komplett-demo` has all 18 reports
pre-parsed inline — click-through without "parser not implemented"
panels. 2 new archetypes in KEY_STATS_CONFIG: kanban-buckets (clean)
and matrix-risk (threat-model).

Bug fix: normalizeVerdictText now checks GO-WITH-CONDITIONS /
CONDITIONAL / BETINGET BEFORE plain GO so a conditional verdict (pre-deploy
with open conditions) does not collapse to ALLOW.

Exposed 11 window globals for testing/automation (__store,
__navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG,
__inferVerdict, __inferKeyStats, __renderPageShell,
__handlePasteImport, __scheduleRender). 12 Playwright-generated
screenshots in playground/screenshots/v7.5.0/.

A11Y report (WCAG 2.1 AA): 0 blocking, 3 minor improvements
flagged for the v7.5.x patch (skip link, heading hierarchy on project,
aria-live toast).

Version bump 7.4.0 -> 7.5.0 in 10 files (package.json, plugin.json,
CLAUDE.md header, README badge, CHANGELOG entry, 3 scanner VERSION
constants, ROADMAP, marketplace root README).

No scanner or hook behavior changes — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 22:15:47 +02:00
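The verdict-ordering fix the commit message describes, as an added JavaScript example that is not the playground's own code: `normalizeVerdictText` here is a hypothetical reimplementation, and the output labels (CONDITIONAL, DENY, WARNING, ALLOW, UNKNOWN) and the synonym lists behind them are assumptions for this example.

```javascript
// Added example: a verdict normalizer whose rules are applied in order,
// so the more specific conditional phrasings (GO-WITH-CONDITIONS,
// CONDITIONAL, Norwegian BETINGET) are matched BEFORE the plain "GO"
// rule and are not collapsed to ALLOW. Output labels and synonym lists
// are assumptions for this example, not the plugin's real mapping.

// First match wins, so rule order is the whole point.
const VERDICT_RULES = [
  // Conditional verdicts are checked first: "GO-WITH-CONDITIONS" also
  // contains the word GO and would otherwise be read as a plain GO.
  { re: /\b(GO[- ]WITH[- ]CONDITIONS|CONDITIONAL|BETINGET)\b/i, verdict: 'CONDITIONAL' },
  // "NO-GO" likewise contains GO and must be handled before the GO rule.
  { re: /\b(NO[- ]GO|DENY|BLOCK|FAIL)\b/i, verdict: 'DENY' },
  { re: /\b(WARNING|WARN)\b/i, verdict: 'WARNING' },
  // Plain, unconditional pass verdicts come last.
  { re: /\b(GO|ALLOW|PASS)\b/i, verdict: 'ALLOW' },
];

// Map free-form verdict text from a report (e.g. "Verdict: BETINGET
// (2 open conditions)") to one normalized label.
function normalizeVerdictText(text) {
  const s = String(text ?? '').trim();
  for (const { re, verdict } of VERDICT_RULES) {
    if (re.test(s)) return verdict;
  }
  return 'UNKNOWN';
}

// The pre-fix behaviour, kept only to show the collapse the commit fixes:
// testing for plain GO before the conditional rule makes a conditional
// verdict look like an unconditional ALLOW.
function normalizeVerdictTextBuggy(text) {
  const s = String(text ?? '').trim();
  if (/\bGO\b/i.test(s)) return 'ALLOW';
  return normalizeVerdictText(s);
}
```

The buggy variant is the failure mode for a pre-deploy report with open conditions: a CONDITIONAL verdict silently becomes ALLOW, which is the exact gap a reviewer of the dashboard would never see.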


# MCP Live-Inspect Report

## Header

| Field | Value |
|---|---|
| Report type | mcp-inspect |
| Target | 4 running MCP servers (auto-discovered) |
| Date | 2026-05-05 |
| Version | llm-security v7.4.0 |
| Scope | runtime tool descriptions + capability surface |
| Frameworks | OWASP MCP Top 10 |
| Triggered by | /security mcp-inspect |

## Risk Dashboard

| Metric | Value |
|---|---|
| Risk Score | 38/100 |
| Risk Band | Medium |
| Grade | C |
| Verdict | WARNING |

| Severity | Count |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 3 |
| Low | 2 |
| Info | 4 |
| Total | 10 |

Verdict rationale: One HIGH-severity tool-shadowing finding on airbnb-mcp.search_listings (description claims to "browse listings" but invokes Bash internally). Three MEDIUM drift advisories above per-update threshold.


## Server Inventory

| Server | Transport | Tools | Status | Connected |
|---|---|---|---|---|
| airbnb-mcp | stdio | 6 | running | yes |
| postgres-readonly | stdio | 2 | running | yes |
| browser-mcp | http | 4 | running | yes |
| filesystem-mcp | stdio | 8 | running | yes |

## Codepoint Reveal

Tools with non-ASCII codepoints in descriptions (zero-width / homoglyph candidates):

| Server | Tool | Codepoints | Risk |
|---|---|---|---|
| airbnb-mcp | search_listings | U+200B (zero-width space), U+2028 (line separator) | HIGH |
| browser-mcp | navigate | U+202E (RTL override) | MEDIUM |
| filesystem-mcp | list_dir | (clean) | |

## Findings

### High

| ID | Category | Server | Description | OWASP |
|---|---|---|---|---|
| MCI-001 | Tool Shadowing | airbnb-mcp | search_listings description says "browse listings" but tool surface includes shell-exec capability | MCP06 |

### Medium

| ID | Category | Server | Description | OWASP |
|---|---|---|---|---|
| MCI-002 | Description Drift | airbnb-mcp | book_property description changed 18.4% since last cache (>10% threshold) | MCP05 |
| MCI-003 | Description Drift | browser-mcp | navigate description gained URL-allow-list bypass language | MCP05 |
| MCI-004 | Hidden Imperative | airbnb-mcp | cancel_booking description contains "ALWAYS confirm with user before X" pattern | MCP03 |

### Low

| ID | Category | Server | Description | OWASP |
|---|---|---|---|---|
| MCI-005 | Verbose Schema | filesystem-mcp | Tool schemas exceed 800 tokens — context-window pressure | |
| MCI-006 | Verbose Schema | browser-mcp | Tool schemas exceed 600 tokens | |

### Info

| ID | Category | Server | Description | OWASP |
|---|---|---|---|---|
| MCI-007 | Capability | postgres-readonly | Read-only enforced by URL connection-string parameter | |
| MCI-008 | Capability | filesystem-mcp | Path-allow-list enforced via env var | |
| MCI-009 | Trust | airbnb-mcp | NPM package, last published 2026-04-12 | |
| MCI-010 | Trust | browser-mcp | GitHub source, MIT license | |

## Recommendations

1. Immediate: Disable airbnb-mcp.search_listings until upstream maintainer clarifies shell-exec rationale or removes capability.
2. High: Run /security mcp-baseline-reset --target airbnb-mcp after legitimate update is verified.
3. Medium: Audit zero-width characters in descriptions; reject the tool description if maintainer cannot explain U+200B inclusion.
4. Medium: Bound description token-budget in policy.json: mcp.max_description_tokens: 500.

Live-inspect complete. 10 findings across 4 servers.