This document provides a security assessment of the MCP Audit tool, including dependency analysis, privacy considerations, and threat modeling.

Total direct dependencies: 2

1. Minimal dependency tree - Both packages have few transitive dependencies
2. No network access - Neither package makes network requests
3. No file writes - Neither package writes to the filesystem (Rich only outputs to terminal)
4. No code execution - Neither package executes arbitrary code
5. Well-maintained - Both have active maintainers and security practices

The web app has zero external dependencies. It uses:

• Vanilla JavaScript
• Fetch API (built into browsers)
• No npm packages
• No build step required

This is intentional - security tools should minimize their own attack surface.

The CLI tool:

• Reads configuration files (read-only)
• Never writes to scanned directories
• Never transmits data anywhere
• Only outputs to terminal or user-specified file

The web app:

• GitHub token never touches APIsec servers
• All API calls go directly from browser to GitHub
• No analytics or tracking (can be verified by inspecting source)
• No cookies or local storage used

The collector:

• Only collects MCP-specific configuration files
• Does not collect: browser history, credentials, personal files
• Output location is controlled by the deploying organization
• No data transmitted to APIsec

1. MCP configurations - Contains information about AI tool integrations
2. Environment variables - May contain API keys, secrets
3. GitHub access - Token provides repository access

Risk: A dependency could be compromised to exfiltrate data.

Mitigations:

• Only 2 direct dependencies
• Both are well-established, high-profile packages
• Version pinning prevents unexpected updates
• Dependencies have no network access

Residual Risk: Low

Risk: Malicious repository content could inject code via XSS.

Mitigations:

• All user content is escaped before display (escapeHtml() function)
• No use of innerHTML with untrusted content
• No eval() or dynamic code execution
• Content Security Policy recommended for deployment

Residual Risk: Low

Risk: Token could be exposed through logs, errors, or transmission.

Mitigations:

• Token stored only in JavaScript variable (memory)
• Token passed only in Authorization header to GitHub
• No logging of token value
• Token not included in any output/export

Residual Risk: Low

Risk: MDM script could be modified to collect additional data.

Mitigations:

• Script is open source and auditable
• Organizations should review before deployment
• Script only reads specific, documented paths
• No network transmission in script itself

Residual Risk: Medium (depends on org's MDM security)

• Install from trusted source (GitHub releases or PyPI)
• Verify package integrity (checksums if available)
• Review output before sharing (may contain paths, hostnames)
• Run with minimal permissions (no sudo needed)

• Host on HTTPS only
• Add Content Security Policy headers
• Disable directory listing
• Review source code before deployment
• Consider self-hosting for sensitive environments

• Review script before deployment
• Restrict output location access
• Use secure transport for collected files
• Implement file integrity monitoring on output location
• Rotate collection location periodically

1. Report to rajaram@apisec.ai (or create GitHub security advisory)
2. Do not disclose publicly until patch is available
3. We will respond within 48 hours
4. Patches will be released as new versions

1. Rotate any credentials found in MCP configs
2. Review GitHub token permissions and revoke if necessary
3. Check MCP configurations for unexpected changes
4. Report incident to your security team

This security review was performed by the development team. For production use in high-security environments, we recommend:

1. Independent security audit
2. Penetration testing of web app
3. Code review by your security team
4. Deployment in isolated environment first

Last updated: [Date] Reviewed by: APIsec Security Team