docs: add issues codes (#10)

mmilanta · knielsen404 · web-flow · commit e5c68254d2ab · 2025-07-17T13:58:17.000+02:00
* docs: add issues codes

* rephrasing

---------

Co-authored-by: knielsen404 &lt;kristian@invariantlabs.ai&gt;
diff --git a/docs/mcp-scan/issue-code-reference.md b/docs/mcp-scan/issue-code-reference.md
@@ -0,0 +1,59 @@
+---
+title: Issue Code Reference
+description: Archive of `mcp-scan` issues codes.
+icon: bootstrap/x-circle
+---
+
+# Issue Code Reference
+This is the reference for all issues that can be detected via `mcp-scan`.
+
+## Issues
+Issues are identified security threats that result in compromised MCP servers, and should be addressed as soon as possible.
+<h3 id="E001">E001: Tool poisoning, prompt injection.</h3>
+Detected a prompt injection in the tool description. The tool should be deactivated immediately. 
+<h3 id="E002">E002: Tool poisoning, cross server interaction.</h3>
+The tool description refers to a tool from another server. MCP servers should be self-contained. If an MCP server refers to a tool from another server, there is a high risk of compromising the behavior of that tool.
+<h3 id="E003">E003: Tool poisoning, hijacking agent behavior.</h3>
+The tool description contains instructions that interfere with the Agent's course of action. Tools should be at the disposal of the agent and should not provide it with instructions. 
+
+## Warnings
+Warnings are potential security threats. Keep an eye on them.
+<h3 id="W001">W001: Tool poisoning, suspicious word used.</h3>
+The tool's description includes one or more words commonly linked to malicious activity, such as "Ignore", "crucial", or "important".
+<h3 id="W003">W003: Entity has changed.</h3>
+The tool description has changed. This could be a rug pull attack, where the agent has swapped a benign tool with a malicious one.
+
+## Toxic Flows
+A toxic flow is a threat that arises when multiple tools (that are benign individually) can be used in combination by an attacker in a malicious way.
+<h3 id="TF001">TF001: Data Leak Toxic Flow.</h3>
+A Data Leak Toxic Flow allows the attacker to leak private data from the agent. For this to work, three components are required:
+
+* An **untrusted output** tool: A tool whose output could be malicious, such as fetching information from a webpage set up by someone else. 
+* A **private data** tool: A tool that exposes private data to the Agent, by reading a file from the user's machine, for example.
+* A **public sink** tool: A tool that the Agent can use to send information back to the attacker. This could mean sending a private message to an arbitrary phone number, or simply making some information public on the internet. Examples include writing to a public repo or sending a message on WhatsApp.
+
+The attack triggers when the agent uses the **untrusted output** tool for any unrelated user task. The output of the tool contains a prompt injection, or a set of malicious instructions that compromise the agent. Once compromised, the agent can use the **private data** tool to fetch the user's private data. Finally, the compromised agent can leak such data using the **public sink** tool.
+
+!!! note 
+
+    A single tool may act as **untrusted output**, **private data**, and **public sink** simultaneously.
+
+<h3 id="TF002">TF002: Destructive Toxic Flow.</h3>
+A Destructive Toxic Flow allows the attacker to cause permanent damage. For it to work, it needs two components:
+
+* An **untrusted output** tool: A tool whose output could be malicious, such as fetching information from a webpage set up by someone else.
+* A **destructive** tool: An irreversible tool that can be used in a destructive way, like deleting a file on the user's machine, or sending money.
+
+The attack triggers when the agent uses the **untrusted output** tool for any unrelated user task. The output of the tool contains a prompt injection, or a set of malicious instructions that compromise the agent. Once compromised, the agent can use the **destructive** tool to irreversibly damage the environment.
+
+## Analysis Errors
+An Analysis Error implies that something went wrong during the scan, and that the MCP servers are not being scanned as expected.
+<h3 id="X001">X001: Could not reach analysis server.</h3>
+The backend of `mcp-scan` could not be reached. This might happen when:
+
+* The `mcp-scan` backend is down.
+* You manually selected the backend using the `--base-url` flag, and the backend you selected cannot be reached.
+* There is no connection to the internet.
+
+<h3 id="X002">X002: Whitelisted.</h3>
+The tool has been whitelisted. It will now show in green even if issues are detected.
diff --git a/docs/overrides/.icons/bootstrap/x-circle.svg b/docs/overrides/.icons/bootstrap/x-circle.svg
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="16px" height="16px" viewBox="0 0 16 16" version="1.1">
+<g id="surface1">
+<path style="fill:none;stroke-width:2;stroke-linecap:round;stroke-linejoin:miter;stroke:rgb(20%,20%,20%);stroke-opacity:1;stroke-miterlimit:4;" d="M 15 9 L 9 15 " transform="matrix(0.666667,0,0,0.666667,0,0)"/>
+<path style="fill:none;stroke-width:2;stroke-linecap:round;stroke-linejoin:miter;stroke:rgb(20%,20%,20%);stroke-opacity:1;stroke-miterlimit:4;" d="M 9 9 L 15 15 " transform="matrix(0.666667,0,0,0.666667,0,0)"/>
+<path style="fill:none;stroke-width:2;stroke-linecap:round;stroke-linejoin:round;stroke:rgb(20%,20%,20%);stroke-opacity:1;stroke-miterlimit:4;" d="M 12 3 C 16.96875 3 21 7.03125 21 12 C 21 16.96875 16.96875 21 12 21 C 7.03125 21 3 16.96875 3 12 C 3 7.03125 7.03125 3 12 3 Z M 12 3 " transform="matrix(0.666667,0,0,0.666667,0,0)"/>
+</g>
+</svg>
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -132,6 +132,7 @@ nav:
     - Scanning: mcp-scan/scanning.md
     - Proxying: mcp-scan/proxying.md
     - Guardrails: mcp-scan/guardrails.md
+    - Issue Codes: mcp-scan/issue-code-reference.md
   - Integrations:
     - Explorer:
       - Overview: explorer/index.md
