This security checklist was compiled and is maintained by @SlowMist_Team.
SlowMist, a global leader in blockchain ecosystem threat intelligence, aims to enhance security protection and safeguard user privacy during the integration of blockchain and AI ecosystems.
We sincerely thank FENZ.AI for their valuable contributions and support.
FENZ.AI redefines AI security with future-proof auditing. FENZ is the essential infrastructure for the AI era: "Superintelligence starts with super safety."
- Overview
- How to Use
- MCP Server (MCP Plugin) Security
- MCP Client/MCP HOST Security
- MCP Adaptation and Invocation Security on Different LLMs
- Multi-MCP Scenario Security
- Unique Security Points for Cryptocurrency-related MCPs
- References
With the rapid development of large language models (LLMs), a variety of new AI tools have continued to emerge. Among them, tools based on the Model Context Protocol (MCP) standard have become a key bridge connecting LLMs with external tools and data sources. Since its release in late 2024, MCP has been widely adopted in mainstream AI applications such as Claude Desktop and Cursor. Various MCP Server marketplaces have also emerged, demonstrating strong ecosystem scalability.
However, the rapid adoption of MCP has also introduced new security challenges. In the current MCP architecture, the system consists of three main components: the Host (the local environment where the AI application runs), the Client (responsible for communicating with the Server and invoking tools), and the Server (the backend service corresponding to an MCP plugin). Users interact with the AI through the Host, while the Client parses the user's request and forwards it to the MCP Server for tool invocation or resource access. In scenarios involving multiple instances and cross-component collaboration, this architecture exposes a range of security risks—especially in sensitive contexts such as cryptocurrency transactions or custom plugin integration with LLMs—where the potential for exploitation is even higher and requires appropriate security controls.
Against this backdrop, establishing and following a comprehensive MCP Security Checklist becomes critically important. This checklist covers key areas ranging from user interface interaction, client components, and service-side plugins, to multi-MCP collaboration mechanisms and domain-specific scenarios such as cryptocurrency integrations. It is designed to help developers systematically identify and mitigate potential risks. By implementing these security measures, the overall stability and controllability of MCP systems can be significantly enhanced, ensuring that security evolves in parallel with the rapid advancement of AI applications.
Figure: Schematic diagram of MCP multi-component interaction process and key risk points
This checklist is based on possible risk points encountered during our security audits of MCP projects, aiming to help developers ensure the security of MCP implementations. We use three priority levels to denote the importance of each item:
Indicates recommended items that can be omitted in specific contexts.
Indicates strongly recommended items which could be omitted in special cases, but doing so might negatively impact security.
Indicates items that must not be omitted under any circumstances; removing them may lead to system failures or security vulnerabilities.
Note: The MCP Server provides external tools, resources, and functionalities that AI can invoke. This is essentially the MCP plugin form. In general, it contains Resources, Tools, and Prompts.
- Input Validation: Enforce strict validation on all API inputs to prevent injection attacks and invalid parameters.
- API Rate Limiting: Implement call rate limits to prevent abuse or DoS attacks.
- Output Encoding: Properly encode API outputs.
- Access Control: Implement role-based access control, limit resource access, and enforce the principle of least privilege.
- Credential Management: Securely manage and store service credentials; avoid hard-coded secrets and use key management services.
- External Service Authentication: Use secure methods when authenticating with third-party services.
- Least Privilege: Run service processes with the minimum required permissions to reduce the potential attack surface and elevation risks.
- API Key Rotation: Automatically rotate API keys and service credentials periodically, limiting the valid timeframe of keys.
- Service Identity Authentication: Provide a mechanism for Tools to verify the Server’s identity, helping clients to authenticate and use the service securely.
- Lifecycle Management: Implement strict lifecycle management for MCP plugins and coordinate with the client.
- Shutdown Cleanup: Forcefully clean up all MCP background processes when the client is shut down.
- Health Check Mechanism: Regularly check the status of MCP plugins to detect abnormal persistence.
- Background Activity Monitoring: Monitor and log all MCP background activities.
- Activity Restrictions: Limit the operations and their duration that MCP plugins can perform in the background.
- Isolation Environment: Server runs in an isolated environment (container, VM, or sandbox) to prevent escape and mitigate lateral movement attacks.
- Container Security: Adopt hardened container security configurations and run containers as non-root users. Employ immutable infrastructure and runtime protection.
- Secure Boot: Validate service boot processes, implementing secure boot chains and integrity checks.
- Environment Variable Security: Protect sensitive environment variables and ensure they are not exposed in logs.
- Resource Limits: Enforce resource usage limits to prevent infinite loops or excessive calls when a large model malfunctions.
- Integrity Verification Mechanisms: Use digital signatures, checksums, or similar to ensure code has not been tampered with.
- Remote Validation: Support mechanisms for remote verification of code integrity.
- Code Obfuscation & Hardening: Apply code obfuscation and hardening techniques to increase the difficulty of reverse engineering.
- Dependency Management: Securely manage third-party dependencies.
- Package Integrity: Verify the integrity and authenticity of packages.
- Source Verification: Validate the source of all code and dependencies.
- Secure Build: Ensure the build process is secure.
- Anomaly Detection: Detect and report anomalous activity patterns.
- Detailed Logging: Log all service activities and security events.
- Security Event Alerts: Configure real-time alerts for critical security events.
- Centralized Log Management: Collect and analyze logs in a centralized manner.
- Log Integrity: Ensure log integrity to prevent tampering.
- Audit Capability: Provide detailed auditing and incident investigation capabilities.
- Isolation Between MCP Instances: Ensure operational isolation among multiple MCP Servers.
- Resource Access Control: Assign each MCP Server a clearly defined resource access boundary.
- Tool Permission Separation: Use distinct permission sets for tools in different domains.
- System Resource Isolation: Implement suitable resource isolation strategies according to different operating system characteristics.
- Cross-platform Compatibility Testing: Test consistent security behavior of MCP Server across different OS and clients.
- Platform-specific Risk Assessment: Evaluate unique security risks specific to each platform and apply mitigating measures.
- Client-specific Handling: Ensure security controls can adapt to differences among various client implementations.
- Data Minimization: Collect and process only the necessary data.
- Data Encryption: Encrypt sensitive data in storage and transit.
- Data Isolation: Ensure effective isolation of different users’ data.
- Data Access Control: Enforce strict access controls on data.
- Sensitive Data Identification: Automatically identify and handle sensitive data in a specialized manner.
- Resource Access Control: Implement fine-grained access control for resources.
- Resource Limits: Limit the size and quantity of a single resource.
- Resource Template Security: Validate and sanitize template parameters of resources.
- Sensitive Resource Labeling: Label and handle sensitive resources distinctly.
- Secure Coding Practices: Adhere to security coding standards and best practices.
- Tool Isolation: Execute tools in a controlled environment to prevent system-level impact.
- Input Validation: Strictly validate all inputs from clients.
- Tool Permission Control: Each tool should have only the minimum permissions needed to complete its task.
- Data Validation: Validate the data processed by tools to prevent injection or tampering.
- Tool Behavior Constraints: Restrict the range and types of actions a tool can perform.
- Third-party Interface Response Security: Verify that the returned information from interfaces is as expected; do not directly insert the returned data into context.
- Error Handling: Handle errors securely without exposing sensitive information.
- Namespace Isolation: Enforce strict namespace isolation for different tools.
Note: The Host is the environment running the AI application and the MCP client, acting as the terminal where end users interact with AI (e.g., Claude Desktop, Cursor). The Client is a component within the AI application that communicates with the MCP Server, handling context, tool invocation, and result presentation. Typically, the Client is integrated into the Host by default.
- User Interface Security: The UI should clearly display the scope of AI operations and potential impacts, offering an intuitive security indicator.
- Confirmation of Sensitive Operations: High-risk operations (e.g., file deletion, fund transfers) must explicitly require user confirmation.
- Transparency in Permission Requests: Permission requests should explicitly state their purpose and scope so users can make informed decisions and avoid over-authorization.
- Operation Visualization: Tool invocation and data access should be visible and auditable by users, accompanied by detailed operation logs.
- Information Transparency:
Tools should allow users to choose whether to display hidden tags by default, such as<SECRET>. This ensures that the context seen by the user is consistent with what is actually generated and invoked, preventing malicious logic from being embedded within hidden tags. - Status Feedback: Users should be able to clearly understand the current MCP operations in progress.
- Operation Logging: Record all critical AI operations and their results.
- Anomaly Detection: Detect abnormal patterns of tool invocation or request sequences.
- Tool Invocation Limitation: Impose frequency and quantity limits on tool calls.
- Credential Secure Storage: Use a system keychain or dedicated encrypted storage for sensitive credentials to prevent unauthorized access.
- Sensitive Data Isolation: Implement mechanisms to isolate sensitive user data from ordinary data in storage and processing.
- Application Integrity: Validate the integrity of the application and MCP plugins to prevent tampering.
- Update Verification: Verify the digital signatures of Host application updates.
- Application Sandbox: Whenever possible, run the application in a sandbox environment to limit system access.
- Mandatory Authentication: Enforce authentication before communicating with any critical MCP Server, preventing anonymous access.
- OAuth Implementation: Correctly implement OAuth 2.1 or higher, following best practices and security standards.
- State Parameter: For certain web clients, use a state parameter to mitigate CSRF attacks, employing a unique random value for each request.
- MCP Tool Verification: Validate the authenticity and integrity of registered tools.
- Secure Updates: The MCP client should regularly check for and apply security updates, and verify whether the updated tools contain any malicious descriptions.
- Function Name Checking: Check for name conflicts or malicious overwriting before registering any tool.
- Malicious MCP Detection: Monitor and identify potentially malicious MCP behavior.
- MCP Tool Naming Control: Use namespaces or unique identifiers to avoid naming collisions.
- Server Directory: Maintain an authorized directory of trustworthy MCP Servers and tools.
- Conflict Resolution: Establish clear rules to resolve tool name conflicts.
- Domain Isolation: Isolate tools in different domains to prevent cross-impact.
- Priority Mechanism: Set explicit function priority rules to avoid malicious overwriting.
- Version Control: Version functions and tools to detect changes.
- Tool Registration & Deregistration Mechanism: Define clear processes for tool registration and deregistration to prevent leftover tools posing security risks.
- Conflict Detection Mechanism: Detect and resolve function and resource conflicts in multi-MCP environments.
- Tool Classification: Classify tools according to sensitivity and risk level.
- Prompt Injection Defense: Implement layered defense measures to prevent prompt injection attacks, including manual verification for critical executions.
- Malicious Instruction Detection: Establish mechanisms to detect and block potential malicious user instructions, preventing the system from being manipulated. This includes detecting and blocking preloaded malicious prompts during local initialization, as well as identifying harmful instructions embedded in tools provided by third-party MCP servers.
- System Prompt Protection: Clearly separate system prompts from user inputs to prevent tampering.
- Sensitive Data Filtering: Filter out sensitive personal data from prompts and context.
- Context Isolation: Ensure that contexts from different sources remain isolated to prevent contamination or information leakage.
- Prompt Templates: Use secure prompt templates to reduce the risk of injection.
- Tool Description Verification: Check tool descriptions for potential malicious instructions.
- Prompt Consistency Verification: Ensure that identical prompts produce predictable and consistent results across different environments.
- Historical Context Management: Clearly define the mechanism for cleaning up historical context to prevent data buildup and potential information leakage.
- Client Logging: Record all interactions with the MCP Server, tool calls, and authorization activities.
- Security Event Recording: Log all security-related events, including authorization failures.
- Anomaly Alerts: Detect and alert on abnormal activity patterns.
- Server Identity Verification: Verify the identity of the MCP Server to prevent connections to malicious servers; implement certificate pinning if possible.
- Certificate Validation: Strictly validate TLS certificates of remote Servers to prevent Man-in-the-Middle (MitM) attacks and check the integrity of the certificate chain.
- Encrypted Communication: Use TLS 1.2+ to encrypt all Client-Server communications; disable weak cipher suites.
- Secure Protocol Configuration: Configure secure TLS parameters, regularly review, and update encryption algorithms and protocols.
- Permission Scope Limitation: Strictly limit the scope of tokens under the principle of least privilege.
- Auto-approve Restrictions: Carefully control which tools and operations can be auto-approved.
- Whitelist Management: Maintain a whitelist mechanism of tools that can be auto-approved.
- Dynamic Risk Assessment: Dynamically adjust auto-approve policies based on context.
- Approval Process Auditing: Log and audit all auto-approval decisions.
- Context Inclusion Control: Strictly control the scope of context included in sampling requests.
- Sensitive Data Filtering: Filter out sensitive data from sampling requests and responses.
- Sampling Request Validation: Validate all parameters and content within sampling requests.
- User Control: Ensure users have clear control over sampling requests and results.
- Model Preference Security: Handle model preference information securely to prevent misuse.
- Result Validation: Verify that sampling results conform to security standards.
Note: In practice, different LLM backends can vary in their invocation priorities and execution logic of MCP. Therefore, we need to not only focus on the MCP implementation but also on how the LLM and MCP work together.
- Priority Function Execution: Ensure the LLM can correctly prioritize and execute the intended plugin functions.
- Malicious Prompt Prevention: The LLM should identify and defend against malicious mnemonic or injection instructions within prompts.
- Secure Invocation: The LLM should securely and correctly invoke relevant MCP functionalities.
- Sensitive Information Protection: Prevent leakage of sensitive information.
- Multi-modal Content Filtering: Filter out harmful or sensitive information in multi-modal content (e.g., malicious prompt text within images).
Note: It is common for users to simultaneously enable multiple MCP Servers in daily use. Given that no official store currently audits MCP plugins, users might install malicious MCPs that seriously compromise overall usage security. This demands heightened caution: introducing a malicious MCP can pose significant security risks.
- Multi-MCP Environment Security: Ensure overall security in multi-MCP environments; periodically scan and inspect installed MCPs.
- Function Priority Hijacking Prevention: Check for potential malicious prompt presets to prevent hijacking of function priority.
- Cross-MCP Function Call Control: Secure control over cross-MCP function calls to prevent malicious MCP servers from returning harmful prompts that could trigger other MCPs to perform sensitive operations.
Note: With the increasing number of MCPs for cryptocurrency, many carry high-risk operations like managing crypto wallets. The following suggestions specifically target cryptocurrency-related MCPs.
- Private Key Protection: Enhance security measures for private keys (e.g., using Scrypt).
- Wallet Generation Security: Ensure the security of mnemonic or wallet generation processes.
- Wallet Information Privacy: Protect wallet information privacy; thoroughly filter data before sending wallet information to third-party interfaces.
- Transfer Information Confirmation: Ensure the completeness and clarity of all on-chain or exchange transfer signature information.
- Funds Operation Verification: Implement secondary verification methods (e.g., Google Authenticator) for critical fund operations.
- Local Model Privacy Protection: Use locally hosted LLMs to safeguard privacy data; prevent third-party model providers from accessing wallet information or other sensitive data.
- Traditional Wallet Compatibility: Provide secure compatibility with traditional wallets, such as supporting transaction signing through existing wallet solutions.