SAIL 2.0

/

Build - AI Security Posture Management

/

Unvetted MCP Server Definitions

3.17

.

Unvetted MCP Server Definitions

sail
3.17
Risk

Unvetted MCP Server Definitions

Description

Project-scoped MCP servers (e.g., .cursor/mcp.json, claude_desktop_config.json) and similar agent integration manifests are committed without security review, creating tool description poisoning and command injection surfaces.

Example

A community MCP server with a poisoned tool description is added to a project's .cursor/mcp.json; every developer who clones the repo receives the malicious tool.

Assets Affected

MCP Server

Agent Config

Tool

Agents Plugins

Mitigation
  • Require security review for project-scoped MCP installs
  • sign and pin MCP server versions
  • scan MCP definitions for hidden Unicode
  • restrict to allowlisted servers
  • alert on new MCP additions in repos.
Standards Mapping
  • ISO: A.10.3, A.4.4
  • OWASP agentic: ASI04, ASI02
  • OWASP LLM: LLM03:2025
  • EU AI Act: Art. 25, Art. 15(5)
  • DASF: Agents-MCP Server 13.18, Agents-MCP Server 13.21
  • AIUC-1: E006, B006