The single-file SPA playground now has a parser + renderer for all 18 produces_report=true commands (Phase 2: 10 high-priority + Phase 3: 8 remaining: mcp-inspect, supply-check, pre-deploy, diff, watch, registry, clean, threat-model). 18 markdown test fixtures serve as contract anchors for parser development. The complete demo project `dft-komplett-demo` has all 18 reports already parsed inline, so it can be clicked through without "parser ikke implementert" ("parser not implemented") panels. 2 new archetypes in KEY_STATS_CONFIG: kanban-buckets (clean) and matrix-risk (threat-model). Bug fix: normalizeVerdictText now checks GO-WITH-CONDITIONS / CONDITIONAL / BETINGET BEFORE plain GO so that a conditional verdict (pre-deploy with open conditions) does not collapse to ALLOW. Exposed 11 window globals for testing/automation (__store, __navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG, __inferVerdict, __inferKeyStats, __renderPageShell, __handlePasteImport, __scheduleRender). 12 Playwright-generated screenshots in playground/screenshots/v7.5.0/. A11Y report (WCAG 2.1 AA): 0 blocking, 3 minor improvements flagged for the v7.5.x patch (skip-link, heading hierarchy on project, aria-live toast). Version bump 7.4.0 -> 7.5.0 in 10 files (package.json, plugin.json, CLAUDE.md header, README badge, CHANGELOG entry, 3 scanner VERSION constants, ROADMAP, marketplace-root README). No scanner or hook behavior changes; purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
107 lines
3.6 KiB
Markdown
# MCP Live-Inspect Report

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | mcp-inspect |
| **Target** | 4 running MCP servers (auto-discovered) |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | runtime tool descriptions + capability surface |
| **Frameworks** | OWASP MCP Top 10 |
| **Triggered by** | /security mcp-inspect |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 38/100 |
| **Risk Band** | Medium |
| **Grade** | C |
| **Verdict** | WARNING |

| Severity | Count |
|----------|------:|
| Critical | 0 |
| High | 1 |
| Medium | 3 |
| Low | 2 |
| Info | 4 |
| **Total** | **10** |

**Verdict rationale:** One HIGH-severity tool-shadowing finding on `airbnb-mcp.search_listings` (description claims to "browse listings" but invokes `Bash` internally). Three MEDIUM drift advisories above per-update threshold.

---

## Server Inventory

| Server | Transport | Tools | Status | Connected |
|--------|-----------|------:|--------|-----------|
| airbnb-mcp | stdio | 6 | running | yes |
| postgres-readonly | stdio | 2 | running | yes |
| browser-mcp | http | 4 | running | yes |
| filesystem-mcp | stdio | 8 | running | yes |

---

## Codepoint Reveal

Tools with non-ASCII codepoints in descriptions (zero-width / homoglyph candidates):

| Server | Tool | Codepoints | Risk |
|--------|------|------------|------|
| airbnb-mcp | search_listings | U+200B (zero-width space), U+2028 (line separator) | HIGH |
| browser-mcp | navigate | U+202E (RTL override) | MEDIUM |
| filesystem-mcp | list_dir | (clean) | — |

---

## Findings

### High

| ID | Category | Server | Description | OWASP |
|----|----------|--------|-------------|-------|
| MCI-001 | Tool Shadowing | airbnb-mcp | `search_listings` description says "browse listings" but tool surface includes shell-exec capability | MCP06 |

### Medium

| ID | Category | Server | Description | OWASP |
|----|----------|--------|-------------|-------|
| MCI-002 | Description Drift | airbnb-mcp | `book_property` description changed 18.4% since last cache (>10% threshold) | MCP05 |
| MCI-003 | Description Drift | browser-mcp | `navigate` description gained URL-allow-list bypass language | MCP05 |
| MCI-004 | Hidden Imperative | airbnb-mcp | `cancel_booking` description contains "ALWAYS confirm with user before X" pattern | MCP03 |

### Low

| ID | Category | Server | Description | OWASP |
|----|----------|--------|-------------|-------|
| MCI-005 | Verbose Schema | filesystem-mcp | Tool schemas exceed 800 tokens — context-window pressure | — |
| MCI-006 | Verbose Schema | browser-mcp | Tool schemas exceed 600 tokens | — |

### Info

| ID | Category | Server | Description | OWASP |
|----|----------|--------|-------------|-------|
| MCI-007 | Capability | postgres-readonly | Read-only enforced by URL connection-string parameter | — |
| MCI-008 | Capability | filesystem-mcp | Path-allow-list enforced via env var | — |
| MCI-009 | Trust | airbnb-mcp | NPM package, last published 2026-04-12 | — |
| MCI-010 | Trust | browser-mcp | GitHub source, MIT license | — |

---

## Recommendations

1. **Immediate:** Disable `airbnb-mcp.search_listings` until upstream maintainer clarifies shell-exec rationale or removes capability.
2. **High:** Run `/security mcp-baseline-reset --target airbnb-mcp` after legitimate update is verified.
3. **Medium:** Audit zero-width characters in descriptions; reject the tool description if maintainer cannot explain U+200B inclusion.
4. **Medium:** Bound description token-budget in policy.json: `mcp.max_description_tokens: 500`.

---

*Live-inspect complete. 10 findings across 4 servers.*