Background

This security checklist is written and maintained by @SlowMist_Team.

  • SlowMist Technology, as a global leader in blockchain ecosystem threat intelligence, aims to help the blockchain ecosystem integrate with AI ecosystems to enhance security protection capabilities and ensure higher user privacy.

Thanks to FENZ.AI for their strong support.

  • FENZ.AI is reshaping AI security audits with future technology. From MCP attack detection to AI loyalty assessment, FENZ is building the infrastructure for the AI era - 'Super Intelligence Begins with Super Security'.

Summary

With the rapid development of large models, various new AI tools are constantly emerging, currently represented by

The MCP (Model Context Protocol) standard implementation tools are gradually becoming a key bridge connecting large language models (LLMs) with external tools and data sources. Since its release at the end of 2024, MCP has been widely applied in mainstream AI applications such as Claude Desktop and Cursor, with various stores for MCP Server continuously emerging, showcasing strong ecological expansion capabilities.

However, the rapid proliferation of MCP also brings new security challenges. The current MCP architecture consists of three parts: Host (locally running AI application environment), Client (responsible for communication with the Server and tool invocation), and Server (the service corresponding to MCP plugins). Users interact with AI through the Host, and the Client parses and forwards user requests to the MCP Server, executing tool calls or accessing resources. In scenarios with multiple instances and components working together, this architecture exposes a series of security risks, especially in sensitive scenarios involving cryptocurrency transactions or LLM custom plugin adaptation, where risks are more pronounced and require appropriate security measures for management.

In this context, it is particularly important to develop and adhere to a comprehensive MCP security checklist. This checklist covers security key points from user interfaces, client components, service plugins, to multi-MCP collaboration mechanisms and specific domains (such as cryptocurrency scenarios), aiming to help developers systematically identify potential risks and prevent them in a timely manner. By implementing these security measures, the overall stability and controllability of the MCP system can be effectively enhanced, ensuring that while AI applications develop rapidly, their security is also guaranteed.

(Illustration of MCP multi-component interaction process and key risk points)

How to Use

This checklist is based on potential risk points encountered during our audits of MCP projects, aiming to help developers ensure the security of MCP implementations. We use three levels of priority to indicate the importance of items:

🟢️ Indicates recommended items but can be omitted in specific circumstances.

🔶 Indicates highly recommended items, but can be omitted in special circumstances; omission may negatively impact security.

🟥️ Indicates items that cannot be omitted under any circumstances; removing these elements may lead to system failures or security vulnerabilities.

MCP Server (MCP Plugin) Security

Note: MCP services are external services that provide tools, resources, and functions for AI invocation, representing the current form of MCP plugins. Typically includes Resources, Tools, Prompts.

API Security

1. Input Validation: 🟥️ Strictly validate all API inputs to prevent injection attacks and illegal parameters.

2. API Rate Limiting: 🔶 Implement API call rate limits to prevent abuse and attacks.

3. Output Encoding: 🔶 Properly encode API outputs.

Server Authentication and Authorization

1. Access Control: 🟥️ Implement role-based access control to limit resource access and enforce the principle of least privilege.

2. Credential Management: 🟥️ Securely manage and store service credentials, avoid hardcoding, and use key management services.

3. External Service Authentication: 🟥️ Authenticate to third-party services in a secure manner.

4. Least Privilege: 🔶 Service processes run with the least necessary privileges to reduce potential attack surfaces and privilege escalation risks.

5. API Key Rotation: 🔶 Regularly and automatically rotate API keys and service credentials, limiting key validity periods.

6. Service Authentication: 🔶 Provide a mechanism for Tools to verify service identities, facilitating client verification and secure usage.

Background Persistence Control

1. Lifecycle Management: 🟥️ Implement strict MCP plugin lifecycle management, synchronized with the client.

2. Shutdown Cleanup: 🟥️ Force cleanup of all MCP background processes when the client shuts down.

3. Health Check Mechanism: 🔶 Regularly check the status of MCP plugins to identify persistent anomalies.

4. Background Activity Monitoring: 🔶 Monitor and log all MCP background activities.

5. Activity Restrictions: 🔶 Limit the types and durations of operations that MCP plugins can perform in the background.

Deployment and Runtime Security

1. Isolated Environment: 🟥️ Services run in an isolated environment (container, VM, sandbox) to prevent escape and lateral movement attacks.

2. Container Security: 🟥️ Use hardened container security configurations and run as non-root users, implementing immutable infrastructure and runtime protection.

3. Secure Boot: 🔶 Verify the integrity of the service startup process and implement a secure boot chain and integrity checks.

4. Environment Variable Security: 🔶 Sensitive environment variables are protected and not leaked in logs.

5. Resource Limitations: 🔶 Implement resource usage limitations to prevent large models from making excessive repetitive calls in case of errors.

Code and Data Integrity

1. Integrity Verification Mechanism: 🟥️ Use mechanisms like digital signatures and hash checks to ensure that code has not been tampered with.

2. Remote Validation: 🔶 Support mechanisms for remote validation of code integrity.

3. Code Obfuscation and Hardening: 🟢️ Apply code obfuscation and hardening techniques to increase difficulty of reverse engineering.

Supply Chain Security

1. Dependency Management: 🟥️ Securely manage third-party dependencies.

2. Package Integrity: 🟥️ Verify the integrity and authenticity of packages.

3. Source Verification: 🔶 Verify the source of all code and dependencies.

4. Secure Build: 🔶 Ensure that the build process is secure.

Monitoring and Logging

1. Anomaly Detection: 🟥️ Detect and report anomalous activity patterns.

2. Detailed Logging: 🟥️ Log all service activities and security events.

3. Security Event Alerts: 🟥️ Configure real-time alerts for critical security events.

4. Centralized Log Management: 🔶 Centralize the collection and analysis of logs.

5. Log Integrity: 🔶 Ensure log integrity to prevent tampering.

6. Auditing Capability: 🔶 Support detailed auditing and event investigation.

Invocation Environment Isolation

1. MCP Isolation: 🟥️ Ensure operational isolation between multiple MCP services.

2. Resource Access Control: 🟥️ Assign clear resource access permission boundaries for each MCP service.

3. Tool Permission Separation: 🔶 Use different permission sets for tools in different domains.

Platform Compatibility and Security

1. System Resource Isolation: 🟥️ Implement appropriate resource isolation strategies based on different operating system characteristics.

2. Cross-platform Compatibility Testing: 🔶 Test the security behavior consistency of MCP services across different operating systems and clients.

3. Platform-specific Risk Assessment: 🔶 Assess unique security risks and mitigation measures for specific platforms.

4. Client Differential Handling: 🔶 Ensure that security controls can adapt to differences in various client implementations.

Data Security and Privacy

1. Data Minimization: 🟥️ Only collect and process necessary data.

2. Data Encryption: 🟥️ Encrypt sensitive data in storage and transmission.

3. Data Isolation: 🟥️ Effectively isolate data from different users.

4. Data Access Control: 🟥️ Implement strict data access control.

5. Sensitive Data Identification: 🟥️ Automatically identify and specially handle sensitive data.

Resource Security

1. Resource Access Control: 🟥️ Implement fine-grained resource access control.

2. Resource Limitations: 🔶 Limit the size and quantity of individual resources.

3. Resource Template Security: 🔶 Ensure that resource template parameters are validated and sanitized.

4. Sensitive Resource Tagging: 🔶 Tag and specially handle sensitive resources.

Tool Implementation Security

1. Secure Coding Practices: 🟥️ Follow secure coding standards and best practices.

2. Tool Isolation: 🟥️ Tool execution occurs in controlled environments to prevent system-level impact.

3. Input Validation: 🟥️ Strictly validate all inputs from clients.

4. Tool Permission Control: 🟥️ Each tool only has the minimum permissions required to complete the task.

5. Data Validation: 🟥️ Validate data processed by tools to prevent injection and tampering.

6. Tool Behavior Constraints: 🟥️ Limit the range and types of operations that tools can execute.

7. Third-party Interface Return Information Security: 🟥️ Verify that returned information from interfaces meets expectations and do not directly insert returned information into context.

8. Error Handling: 🔶 Securely handle errors without disclosing sensitive information.

9. Namespace Isolation: 🔶 Implement strict namespace isolation for different tools.

MCP Client / MCP HOST Security

Note: The Host is the environment running AI applications and the MCP client, serving as the entry point for end users to interact with the AI system, such as Claude Desktop or Cursor. The Client is an internal component of the AI application, responsible for communicating with MCP services, handling context, tool calls, and result display. Generally, the Client is integrated by default within the Host.

User Interaction Security

1. User Interface Security: 🟥️ The user interface clearly displays the scope of AI operations and potential impacts, providing intuitive security indicators.

2. Sensitive Operation Confirmation: 🟥️ High-risk operations (such as file deletion, fund transfers) require explicit user confirmation.

3. Permission Request Transparency: 🟥️ Clearly state the purpose and scope of permission requests to help users make informed decisions and avoid excessive authorization.

4. Operation Visualization: 🔶 Tool calls and data accesses are visible and auditable to users, providing detailed operation logs.

5. Information Transparency: 🔶 Tools should allow users to decide whether to display hidden tags by default, such as <SECRET>. This ensures that what users see is complete and consistent with the actual generated and invoked context, preventing malicious logic from being hidden in tags.

6. Status Feedback: 🔶 Users should clearly understand the MCP operations currently being executed.

AI Control and Monitoring

1. Operation Records: 🟥️ Record all important AI operations and their results.

2. Anomaly Detection: 🔶 Detect anomalies in tool calling patterns or request sequences.

3. Tool Invocation Restrictions: 🔶 Implement frequency and quantity restrictions on tool invocations.

Local Storage Security

1. Credential Secure Storage: 🟥️ Protect important credentials using system keychains or dedicated encrypted storage to prevent unauthorized access.

2. Sensitive Data Isolation: 🔶 Implement data isolation mechanisms to separate and store sensitive user data from regular data.

Application Security

1. Application Integrity: 🟥️ Verify the integrity of applications and MCP plugins to prevent tampering.

2. Update Validation: 🔶 Host application updates should be verified through digital signature verification.

3. Application Sandbox: 🟢️ Run applications in a sandbox environment whenever possible to limit system access.

Client Identity Verification and Authorization

1. Forced Authentication: 🟥️ Enforce authentication before communicating with any important MCP services to prevent anonymous access.

2. OAuth Implementation: 🔶 Properly implement OAuth 2.1 or higher process, following best practices and security standards.

3. State Parameters: 🔶 Implement state parameters for certain web clients to prevent CSRF attacks using unique random values for each request.

MCP Tools and Server Management

1. MCP Tool Verification: 🟥️ Verify the authenticity and integrity of registered tools.

2. Security Updates: 🟥️ The MCP client regularly checks for and applies security updates, verifying that updated tools do not contain malicious descriptions.

3. Function Name Verification: 🟥️ Check for name conflicts and potential malicious overwrites before registering tools.

4. Malicious MCP Detection: 🟥️ Monitor and identify potential malicious behavior patterns of MCPs.

5. MCP Tool Naming Control: 🔶 Use namespaces or unique identifiers to prevent naming conflicts.

6. Service Directory: 🔶 Maintain an authorized directory of trusted MCP services and tools.

7. Conflict Resolution: 🔶 Clear rules exist to resolve conflicts from tools with the same name.

8. Domain Isolation: 🔶 Tools from different domains are isolated from each other to prevent cross-effects.

9. Priority Mechanism: 🔶 Establish clear function priority rules to avoid malicious overwriting.

10. Version Control: 🔶 Implement version control for functions and tools to detect changes.

11. Tool Registration and Deregistration Mechanism: 🔶 Clearly define the process for tool registration and deregistration to prevent security risks from leftover tools.

12. Conflict Detection Mechanism: 🔶 Detect and resolve function and resource conflicts in multi-MCP environments.

13. Tool Classification: 🟢️ Classify tools based on sensitivity and risk levels.

Prompt Security

1. Prompt Injection Defense: 🟥️ Implement multi-layer defense measures to prevent prompt injection attacks, including manual verification of critical executions.

2. Malicious Instruction Detection: 🟥️ Establish mechanisms to detect and block potential malicious user instructions to prevent system manipulation, such as detecting and blocking malicious instructions preloaded during local initialization and hidden harmful instructions from third-party MCP servers.

3. System Prompt Protection: 🟥️ Clearly separate system prompts from user inputs to prevent tampering.

4. Sensitive Data Filtering: 🟥️ Filter sensitive personal data from prompts and context.

5. Context Isolation: 🔶 Ensure that context content from different sources is isolated from each other to prevent context pollution and information leakage.

6. Prompt Template: 🔶 Use secure prompt templates to reduce injection risks.

7. Tool Description Validation: 🔶 Check for potential malicious instructions in tool descriptions.

8. Prompt Consistency Validation: 🔶 Ensure that the same prompt yields predictable consistent results in different environments.

9. Historical Context Management: 🔶 Clearly define the security clearing mechanism for historical context to prevent the risk of information leakage caused by old data accumulation.

Logging and Auditing

1. Client Logging: 🟥️ Log all interactions with MCP services, tool invocations, and authorization activities.

2. Security Event Logging: 🟥️ Log all security-related events, including authorization failures.

3. Anomaly Alerts: 🔶 Detect and alert on anomalous activity patterns.

Server Verification and Communication Security

1. Server Authentication: 🟥️ Verify MCP Server identity to prevent connections to malicious servers and implement certificate pinning.

2. Certificate Validation: 🟥️ Strictly validate TLS certificates for remote Servers to prevent man-in-the-middle attacks and check the integrity of the certificate chain.

3. Communication Encryption: 🟥️ All Client-Server communications use TLS 1.2+ encryption and disable weak cipher suites.

4. Secure Protocol Configuration: 🔶 Configure secure TLS parameters and regularly audit and update encryption algorithms and protocols.

Permission Token Storage and Management

1. Permission Scope Limitation: 🟥️ Strictly limit the permission scope of tokens and implement the principle of least privilege.

Automatic Approval (autoApprove) Control

1. Automatic Approval Limitations: 🟥️ Strictly control the tools and operations that can be automatically approved.

2. Whitelist Management: 🔶 Clearly define a whitelist mechanism for tools that can be automatically approved.

3. Dynamic Risk Assessment: 🔶 Dynamically adjust automatic approval policies based on context.

4. Approval Process Audit: 🔶 Record and audit all automatic approval decisions.

Sampling Security

1. Context Inclusion Control: 🟥️ Strictly control the context range included in sampling requests.

2. Sensitive Data Filtering: 🟥️ Filter sensitive data from sampling requests and responses.

3. Sampling Request Validation: 🔶 Validate all sampling request parameters and content.

4. User Control: 🔶 Ensure that users have clear control over sampling requests and results.

5. Model Preference Security: 🔶 Securely handle model preference information to prevent abuse.

6. Result Validation: 🔶 Validate that the sampling results meet security standards.

MCP Adaptation and Invocation Security on Different LLMs

Note: During practical use, differences in priority and execution logic for MCP calls on various LLM backends can be observed. Therefore, we need to pay attention not only to the implementation of MCP but also to the combination of LLM and MCP.

LLM Security Execution

1. Priority Function Execution: 🟥️ Ensure that LLM can prioritize executing the correct plugin functions.

2. Malicious Prompt Protection: 🟥️ LLM can identify and protect against the behavior requested by injected mnemonic words in malicious scenarios.

3. Secure Invocation: 🟥️ LLM can correctly and securely invoke related MCP functions.

4. Sensitive Information Protection: 🟥️ Prevent leakage of sensitive information.

Multi-modal Security

1. Multi-modal Content Filtering: 🟥️ Filter harmful or sensitive information from multi-modal content (such as malicious prompts in images).

Multi-MCP Scenario Security

Note: Users often enable multiple MCP Servers simultaneously during normal use of MCP. Currently, there is no official store auditing MCP plugins, so users are likely to install malicious MCPs. This poses significant risks to overall usage security.

1. Multi-MCP Environment Security: 🟥️ Ensure the overall security of multi-MCP environments and regularly scan installed MCPs for checks.

2. Function Priority Hijacking Protection: 🟥️ Check for possible malicious prompt word presets to prevent function priorities from being hijacked maliciously.

3. Cross-MCP Function Call Control: 🟥️ Securely control cross-MCP function calls to prevent malicious MCPs from returning malicious prompts to invoke other MCPs for sensitive operations.

Note: Currently, an increasing number of cryptocurrency-related MCPs are emerging, many of which have the functionality to manage high-risk operations such as cryptocurrency wallets. Therefore, here we specifically propose some suggestions for cryptocurrency-related MCPs.

1. Private Key Protection: 🟥️ Strengthen protective measures for private keys, such as Scrypt.

2. Wallet Generation Security: 🟥️ Ensure the security of mnemonic phrases or wallet generation processes.

3. Wallet Information Privacy: 🟥️ Protect the privacy of wallet information and ensure proper filtering when requesting wallet information from third-party interfaces.

4. Transfer Information Confirmation: 🟥️ On-chain or exchange transfer signatures need to be fully displayed and confirmed.

5. Fund Operation Verification: 🟥️ Important fund operations require secondary verification, such as Google Authenticator.

6. Local Model Privacy Protection: 🔶 Use local large models to protect privacy data and prevent third-party large model vendors from acquiring sensitive information such as your wallet information.

7. Traditional Wallet Compatibility: 🔶 Ensure security compatibility with traditional wallets, such as supporting signing operations with traditional wallets.

Conclusion

In an increasingly intelligent future, our daily lives are expected to be more deeply integrated with various AI tools, and our digital assets will face multi-dimensional security challenges. Let us embrace AI together and protect security.

Ps. The document has been synchronized to GitHub (https://github.com/slowmist/MCP-Security-Checklist).

References

[1] [Model Context Protocol (MCP) GitHub](https://github.com/modelcontextprotocol/modelcontextprotocol)

[2] [Hou, X., Zhao, Y., Wang, S., & Wang, H. (2025). Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions. arXiv preprint arXiv:2503.23278.](https://doi.org/10.48550/arXiv.2503.23278)