security: harden MCP server tool path and health check environment #1
Merged
Conversation
- Add trust score gate to MCP server handleInstall (rejects servers
below score 50 by default). Unlike the CLI which has a human
confirmation prompt, the MCP tool path is driven by AI agents with
no human in the loop — a malicious prompt could trick an agent into
installing a dangerous server.
- Sanitize environment variables passed to health check subprocesses.
Strip known sensitive vars (AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN,
ANTHROPIC_API_KEY, etc.) from process.env before spawning untrusted
MCP servers during verification. Server-declared env vars (user-
provided during install) are preserved.
- Add server name validation at the MCP tool boundary. AI agents
provide name strings that could be influenced by prompt injection;
validate format (namespace/name, alphanumeric) before processing.
- Fix --force flag: addServer adapter now accepts { force: true } to
allow overwriting existing entries. Previously --force skipped the
pre-check but the adapter independently rejected duplicates.
All 697 tests pass.
https://claude.ai/code/session_01SZPPoWcw88dcxYmgfavG6X