CraftedTrust
Independent Security Research

MCP Security Research

Independent vulnerability research for the AI agent ecosystem. Discovered by CraftedTrust Touchstone.

Published Advisories Security Checks Reference
--
Servers Assessed
--
Vulnerabilities Found
--
CVEs Published
50+
Checks Across 7 Domains

Published Advisories

Subscribe via RSS

No advisories published yet. Active research is underway.

Advisories will appear here as vulnerabilities complete the coordinated disclosure process.

The Touchstone 7-Domain Assessment Model

Full Check Reference
Authentication & Authorization 9 checks

OAuth 2.1 implementation, PKCE enforcement, token storage, HTTPS enforcement, scope analysis, session management, RFC 8707 compliance.
Tool Security 10 checks

Prompt injection in tool schemas, parameter poisoning, obfuscated payloads, tool shadowing, rug pull detection, dangerous capability combinations.
Input Validation 9 checks

SSRF via tool parameters, cloud metadata endpoint access, command injection, SQL injection, path traversal, URL scheme validation.
Data Security 6 checks

Credential patterns in schemas, PII exposure, secrets in error messages, sensitive data in URL parameters, cross-server data leakage.
Supply Chain 8 checks

npm provenance verification, known CVE matching, typosquat detection, maintainer reputation, source repo verification, abandonment detection.
Infrastructure 8 checks

Network binding audit, TLS enforcement, rate limiting, CORS configuration, error handling, security headers, DNS rebinding protection.
Runtime 5 checks

Guardrail bypass patterns, response size limits, timeout enforcement, concurrent request handling, kill switch presence.