mcp-recon: A Reconnaissance Scanner for MCP Servers
An open-source CLI that fingerprints Model Context Protocol servers and flags behavior patterns associated with publicly disclosed vulnerability classes. Think nmap for MCP.
The OAuth server fronting Zomato's MCP endpoint rewrites the scope request and issues tokens labeled 'offline openid' that can nonetheless be used to call every MCP tool, including checkout_cart. The advertised mcp:tools / mcp:resources / mcp:prompts scopes are never enforced at the application layer.
Empirical analysis of MCP configuration attacks in Claude Code with enterprise defensive architecture recommendations.
A malicious MCP server can misrepresent tool actions in Claude Code's confirmation prompt, causing users to approve a file read while the server silently executes system commands.
How the 'Use this and all future MCP servers' option grants permanent, unbounded trust to arbitrary MCP server definitions added after the initial consent.
How a one-time trust decision in Claude Code enables silent arbitrary command execution when .mcp.json is modified after initial approval.