ToolTrust

ToolTrust Security Methodology

How ToolTrust grades MCP servers, what each AS rule detects, and why those findings matter.

Grading

Scores are worst-case across all tools in a server. Each finding adds weight based on severity: Critical (+25), High (+15), Medium (+8), Low (+2).

GradeScorePolicy
A0-9Allow
B10-24Allow + rate limit
C25-49Require approval
D50-74Require approval
F75+Block

Rule Catalog

The directory UI and tool detail pages use this shared rule catalog, so labels, anchors, and emojis stay consistent everywhere on ToolTrust.

AS-001

๐ŸšจPrompt Injection / Tool Poisoning

Severity

Critical

Detects

Malicious instructions hidden in tool names or descriptions that try to hijack the agent, override prompts, or redirect behavior toward attacker-controlled goals.

Why it matters

A poisoned tool definition can manipulate the model at runtime and turn normal tool use into data exfiltration or unsafe autonomous actions.

Recommendation

Remove instruction-like text from tool metadata and validate names and descriptions before registration.

AS-002

โš ๏ธExcessive Permissions

Severity

HighMediumLow

Detects

Broad capabilities such as filesystem, network, database, or execution access without a clearly scoped justification.

Why it matters

Over-privileged tools increase blast radius when an agent is tricked, misconfigured, or compromised.

Recommendation

Limit permissions to the minimum needed and scope access to known paths, hosts, and resources.

AS-003

๐Ÿ”€Scope Mismatch

Severity

HighMedium

Detects

A mismatch between a tool's name, description, schema, and declared permissions.

Why it matters

Misleading names or descriptions make it easier for agents and humans to over-trust risky tools.

Recommendation

Keep tool names, descriptions, and permissions aligned with the actual capability.

AS-004

๐Ÿ“ฆSupply Chain CVEs (OSV)

Severity

HighCritical

Detects

Known CVEs in declared dependencies using OSV-backed dependency analysis.

Why it matters

A vulnerable dependency can become the easiest route to compromise the host or steal agent context.

Recommendation

Upgrade or replace the affected package, pin versions, and rescan after the fix.

AS-005

๐Ÿ”Privilege Escalation

Severity

High

Detects

Claims or requests for admin, root, sudo, impersonation, or similarly elevated access beyond the tool's stated purpose.

Why it matters

Escalated privileges turn otherwise routine tool calls into high-impact operations on the host or external systems.

Recommendation

Remove elevated scopes and keep privileged actions behind explicit human approval.

AS-006

๐Ÿ’ปArbitrary Code Execution

Severity

Critical

Detects

Tool interfaces that can run arbitrary host commands, scripts, or code.

Why it matters

A single prompt injection on an execution-capable tool can fully compromise the machine or environment.

Recommendation

Avoid generic execution interfaces or isolate them in a tightly sandboxed environment.

AS-007

โ„น๏ธMissing Description or Schema

Severity

Info

Detects

Tools with no description or no input schema.

Why it matters

Agents have less context to safely decide whether and how the tool should be used.

Recommendation

Add a clear description and a complete input schema before exposing the tool to agents.

AS-008

๐ŸšจKnown-Compromised Packages (Offline Blacklist)

Severity

Critical

Detects

Package versions that are already known to be compromised, using a bundled offline blacklist.

Why it matters

Compromised packages can steal credentials or establish persistence before public feeds fully catch up.

Recommendation

Remove the affected package immediately, rotate credentials, and move to a verified clean version.

AS-009

๐ŸŽญTyposquatting

Severity

Medium

Detects

Tool names that closely imitate legitimate tools using edit-distance heuristics.

Why it matters

Lookalike names are a common impersonation technique for tricking users and agents into calling the wrong tool.

Recommendation

Use distinct naming and block suspicious near-copy tool names during registration or review.

AS-010

๐Ÿ”‘Insecure Secret Handling

Severity

High

Detects

Parameters that appear designed to accept raw secrets such as API keys, passwords, tokens, or private keys.

Why it matters

Secrets passed as normal tool input can leak into prompts, traces, logs, and third-party systems.

Recommendation

Use secret managers or environment-based injection instead of raw credential parameters.

AS-011

โ„น๏ธMissing Rate-Limit / Timeout

Severity

Low

Detects

Network or execution tools that declare no timeout, retry, or rate-limit controls.

Why it matters

Agents can loop into runaway traffic, API quota exhaustion, or accidental cost spikes.

Recommendation

Declare explicit timeout, retry, and rate-limit behavior for network and execution operations.

AS-012

๐Ÿ”„Tool Drift

Severity

High

Detects

Changes in a tool definition since the last scan, such as new parameters, modified descriptions, or expanded permissions.

Why it matters

Unexpected drift can signal unreviewed updates or supply-chain compromise.

Recommendation

Review definition changes before rollout and rescan after every tool update.

AS-013

๐Ÿ‘ฅTool Shadowing

Severity

High

Detects

Duplicate normalized tool names that can shadow or override another tool in the same server.

Why it matters

A malicious duplicate can capture calls intended for a trusted tool.

Recommendation

Reject duplicate names and keep the active tool set unambiguous.

AS-014

โ„น๏ธDependency Inventory Unavailable

Severity

Info

Detects

MCP tools that expose neither metadata.dependencies nor a repo URL, leaving supply-chain coverage incomplete.

Why it matters

A clean report is much less meaningful when the scanner could not recover the dependency inventory in the first place.

Recommendation

Expose dependency metadata and a repository URL, or keep lockfiles available so dependency evidence can be verified.

AS-015

โš ๏ธSuspicious NPM Lifecycle Script

Severity

MediumHigh

Detects

npm dependency versions that publish install-time lifecycle scripts, especially when they include remote-fetch or inline-execution patterns.

Why it matters

Install-time scripts run automatically during dependency installation and are a common primitive in supply-chain compromises.

Recommendation

Review the script before use, prefer versions without lifecycle scripts, and use --ignore-scripts in CI or sandboxed environments when possible.

AS-016

๐ŸšจSuspicious NPM IOC Dependency

Severity

Critical

Detects

npm package metadata that references a known malicious IOC dependency such as plain-crypto-js.

Why it matters

IOC-based detection can catch compromised publishes even when the top-level package name is new or the malicious version is not yet in a blacklist.

Recommendation

Remove the affected version, rotate exposed credentials, and inspect the dependency tree for the IOC package before reinstalling.

AS-017

โš ๏ธSuspicious Data Exfiltration Description

Severity

Medium

Detects

Descriptions that explicitly suggest forwarding user data, content, or conversation history to external URLs, remote hosts, or equivalent off-box destinations.

Why it matters

Even when a tool is not using prompt-injection language, explicit external data-forwarding behavior can still create privacy and security risk.

Recommendation

Review the destination scope, document external forwarding clearly, and require approval when the tool can send user-derived content off-box.

AS-018

โ„น๏ธEmbedded MCP Server Detected

Severity

Info

Detects

Source-level MCP SDK imports and server initialization in a repo where tools could not be enumerated from a manifest or live handshake.

Why it matters

An embedded MCP implementation can still expose risky tools, but the scanner could only confirm presence, not complete behavior or auth posture.

Recommendation

Run a sandboxed live scan when possible or add a static tools manifest so the implementation can be reviewed without executing the server.