MCP Security #2496
HobbesSR started this conversation in Feature Requests
Replies: 0 comments
MCPs are an incredibly powerful means of giving LLMs operational controls. This creates an enticing new attack vector for malicious actors. The desire to get this powerful functionality into users' hands warrants equal consideration of how to protect users from the threats it opens up.
A primary concern is that a single file (.roo/mcp.json) can induce the execution of arbitrary command lines on ingestion. This command line must be run to get the tool descriptions of the MCP. Thus, before any actual use of MCP functionality, a malicious command line can be run invisibly.
There are myriad means by which an attacker can get a victim to put their malicious payload in the mcp.json, and I want to stress that this is a lower threshold than getting a victim to directly execute an arbitrary script. The victim could be tricked into doing so without having any intention of doing anything with MCPs at all.
My general recommendation is to constrain the configuration of MCPs to some common subset of commands used by the majority of MCPs, to do some amount of conditioning and validation on the MCP configuration as input, and, if more flexibility is needed by some subset of power users, add friction to the freeform command line configuration that will elucidate the dangers.