Risk
Unvetted MCP Server Definitions
Description
Project-scoped MCP servers (e.g., .cursor/mcp.json, claude_desktop_config.json) and similar agent integration manifests are committed without security review, creating tool description poisoning and command injection surfaces.
Example
A community MCP server with a poisoned tool description is added to a project's .cursor/mcp.json; every developer who clones the repo receives the malicious tool.
Assets Affected
MCP Server
Agent Config
Tool
Agents Plugins
Mitigation
- Require security review for project-scoped MCP installs
- sign and pin MCP server versions
- scan MCP definitions for hidden Unicode
- restrict to allowlisted servers
- alert on new MCP additions in repos.
Standards Mapping
- ISO: A.10.3, A.4.4
- OWASP agentic: ASI04, ASI02
- OWASP LLM: LLM03:2025
- EU AI Act: Art. 25, Art. 15(5)
- DASF: Agents-MCP Server 13.18, Agents-MCP Server 13.21
- AIUC-1: E006, B006