47 lines
2 KiB
Markdown
47 lines
2 KiB
Markdown
---
|
|
name: security:mcp-audit
|
|
description: Audit all installed MCP server configurations for security risks, trust verification, and permission analysis
|
|
allowed-tools: Read, Glob, Grep, Agent, Bash
|
|
model: sonnet
|
|
---
|
|
|
|
# /security mcp-audit [--live]
|
|
|
|
Full MCP server security audit — project-level and global. Add `--live` to also connect to running servers and scan live tool descriptions.
|
|
|
|
## Step 0: Parse Flags
|
|
|
|
If `$ARGUMENTS` contains `--live`, strip it and set `run_live_inspection = true`.
|
|
|
|
## Step 1: Discovery
|
|
|
|
Read MCP configs from: `.mcp.json`, `.claude/settings.json`, `claude_desktop_config.json`, `~/.claude/settings.json`, `~/.claude/mcp.json`, `~/.config/claude/mcp.json`.
|
|
|
|
For each server extract: name, transport (stdio/sse), command+args or URL, env var names (redact values), source origin. Report total count.
|
|
|
|
## Step 2: Scan
|
|
|
|
Spawn `subagent_type: "llm-security:mcp-scanner-agent"`, `model: "sonnet"`:
|
|
|
|
> Full MCP audit. Read: \<plugin-root\>/knowledge/mcp-threat-patterns.md
|
|
> Execute all 5 phases per server (tool descriptions, source code, dependencies, config, rug pull detection).
|
|
> Servers: \<discovered server list with name, type, command, source, env vars\>
|
|
> Return per-server trust rating + findings.
|
|
|
|
## Step 3: Report
|
|
|
|
Output: MCP Landscape Summary table (server, source, transport, trust rating, finding counts).
|
|
Overall risk: Low (all trusted) / Medium (cautious+high) / High (untrusted) / Critical (dangerous).
|
|
Group servers: Keep / Review / Remove immediately.
|
|
|
|
## Step 4: Live Inspection (only if `--live`)
|
|
|
|
Run: `node <plugin-root>/scanners/mcp-live-inspect.mjs "<cwd>"`
|
|
|
|
Parse JSON output. Append a **Live Inspection Results** section:
|
|
|
|
- Contact status per server (contacted / timed-out / skipped / failed)
|
|
- Live injection findings (sorted critical → info)
|
|
- Tool shadowing across servers
|
|
|
|
**Cross-reference escalation:** If a server was rated "Untrusted" or "Dangerous" in Step 2 AND has live injection findings → escalate to CRITICAL priority in the final report and highlight as "Confirmed active threat (static + live)".
|