15 comments

[ 3.2 ms ] story [ 42.8 ms ] thread
(comment deleted)
The MCP landscape is a huge frothing septic tank. Go on, try to create a simple MCP server that is protected by a password and connect it to ChatGPT or Claude. Or even the one that uses your local SSO system for authentication.

I tried and failed after about 3 days of dealing with AI-slop-generated nonsense that has _never_ been worked. The MCP spec was created probably by brainless AI agents, so it defines two authentication methods: no authentication whatsoever, and OAuth that requires bleeding-edge features (dynamic client registration) not implemented by Google or Microsoft.

The easiest way for that right now is to ask users to download a random NodeJS package that runs locally on their machines with minimal confinement.

At Snyk, we've been working on this for a while. Here's our flagship open source project consolidating a lot of the MCP risk factors we've discovered over the last year or so into actionable info: https://github.com/invariantlabs-ai/mcp-scan
(comment deleted)
I have seen a bunch of demos of this, often building on top of open standards like the SAFE-MCP MITRE ATT&CK analysis https://github.com/SAFE-MCP/safe-mcp

In general, the only way to make sure MCPs are safe is to limit which connections are made in an enterprise setting

Agreed. Only provide the servers and tools needed for that job.

It would be silly to provide every employee access to GitHub, regardless of whether they need it. It’s just distracting and unnecessary risk. Yet people are over-provisioning MCPs like you would install apps on a phone.

Principle of least access applies here just as it does anywhere else.

(comment deleted)
Nice to see a scanner for MCP servers. Curious about audit depth: config checks only or live exploit tests and what reporting formats it supports?
Was trying to remember where I had heard this org's name: https://news.ycombinator.com/item?id=42690473

This org has gone to some dubious lengths to make a name for themselves, including submitting backdoored packages to public npm repos which would exfiltrate your data and send to a Synk-controlled C&C. This included the environment, which would be sending them your username along with any envvars like git/aws/etc auth tokens.

This might give them some credibility in this space, maybe they stand a decent chance of scanning MCPs for backdoors based on their own experience in placing malicious code on other people's systems.

(comment deleted)
I love how we now have a class of AI tools that try to catch issues created by other AI tools.
Is this to scan your own MCP servers? Does using someone else's MCP server put you at risk?

I didn't even know want an MCP server was until I noticed the annoying category in VSCode Extensions panel today. Only able to get rid of it by turning off a broad AI related flag in settings (fine by me, wish I knew it was there earlier). An hour later, I'm seeing this.