SkillAudit report — awslabs/mcp

Scanned 2026-04-30 by SkillAudit v0.3 (surface-tiered static checks + LLM-assisted prompt-injection red-team).

Commit: 6d7a843 · Stars: 8858 · Days since last push: 0

LLM prompt-injection probe: skipped — set ANTHROPIC_API_KEY to enable the LLM-assisted prompt-injection red-team

Overall grade: F (0/100)

Security findings

Production sources:

• HIGH src/aws-api-mcp-server/awslabs/aws_api_mcp_server/core/metadata/read_only_operations_list.py:54 — HTTP client call with user-controlled argument 'SERVICE_REFERENCE_URL' — no URL allowlist / validation found in file

response = requests.get(SERVICE_REFERENCE_URL, timeout=DEFAULT_REQUEST_TIMEOUT).json()

• HIGH src/aws-serverless-mcp-server/awslabs/aws_serverless_mcp_server/utils/github.py:37 — HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file

response = requests.get(url, headers=default_headers, timeout=30)

• HIGH src/eks-mcp-server/awslabs/eks_mcp_server/eks_kb_handler.py:81 — HTTP client call with user-controlled argument 'API_ENDPOINT' — no URL allowlist / validation found in file

response = requests.post(

• HIGH src/eks-mcp-server/awslabs/eks_mcp_server/scripts/update_eks_cloudwatch_metrics_guidance.py:53 — HTTP client call with user-controlled argument 'DOCS_URL' — no URL allowlist / validation found in file

response = requests.get(DOCS_URL, timeout=10)

• HIGH src/openapi-mcp-server/awslabs/openapi_mcp_server/auth/cognito_auth.py:310 — HTTP client call with user-controlled argument 'token_endpoint' — no URL allowlist / validation found in file

response = requests.post(token_endpoint, headers=headers, data=data)

Examples / samples (low-weight) — 2 total, deduct 5/0 per high/warn:

• HIGH samples/mcp-integration-with-kb/user_interfaces/chat_bedrock_st.py:91 — Template-string URL with interpolation — no validation possible on composed string

response = requests.post(

• HIGH samples/mcp-integration-with-nova-canvas/user_interfaces/image_generator_st.py:93 — Template-string URL with interpolation — no validation possible on composed string

response = requests.post(

Permissions

_No findings on this axis._

Credentials

Production sources:

• HIGH src/dynamodb-mcp-server/awslabs/dynamodb_mcp_server/model_validation_utils.py:70 — Hardcoded AWS access key found in source

AKIA*** (AWS access key, 20 chars)

Examples / samples (low-weight) — 2 total, deduct 5/0 per high/warn:

• WARN samples/mcp-integration-with-kb/.env.example — .env file present in repo tree — verify it's a template, not real secrets

samples/mcp-integration-with-kb/.env.example

• WARN samples/mcp-integration-with-nova-canvas/.env.example — .env file present in repo tree — verify it's a template, not real secrets

samples/mcp-integration-with-nova-canvas/.env.example

Test source (low-weight) — 3 total, deduct 5/0 per high/warn:

• HIGH src/aws-location-mcp-server/tests/test_server.py:1032 — Hardcoded AWS access key found in source

AKIA*** (AWS access key, 20 chars)

• HIGH src/aws-location-mcp-server/tests/test_server.py:1045 — Hardcoded AWS access key found in source

AKIA*** (AWS access key, 20 chars)

• HIGH src/aws-location-mcp-server/tests/test_server.py:1231 — Hardcoded AWS access key found in source

AKIA*** (AWS access key, 20 chars)

Maintenance

Production sources:

• WARN (meta) — 467 open issues — triage backlog

467 open

Compatibility

Production sources:

• WARN (meta) — No engines (Node) or python_requires declared — cross-client compatibility unverified

Documentation

_No findings on this axis._

Methodology

SkillAudit v0.3 clones the repo at the provided ref (default: default branch, HEAD) into an ephemeral sandbox, runs six static checks over .js/.ts/.py sources, queries the GitHub API for maintenance signals, and runs an LLM-assisted prompt-injection red-team over the MCP tool surface. Each axis is scored against the published rubric — surface tiers, per-(axis, surface) caps, grade buckets, and worked examples are all documented there.

The v0.3 calibration update introduces surface tiering: every finding is tagged with the code path it lives in (production / installer / examples / benchmarks / scripts / test). Production findings deduct at full weight (-30 high, -10 warn); installer findings deduct at half (-15 / -5); examples, benchmarks, top-level scripts, and tests deduct at low weight (-5 / 0). This stops a chatty benchmarks/ or samples/ directory from dominating an otherwise-clean MCP server's grade.

The prompt-injection axis extracts each server.tool(...) / @app.tool registration + the first ~60 lines of handler body, hands them to Claude Haiku 4.5 with a red-team system prompt, and asks for structured findings on untrusted-content flow into tool responses. One API call per scan, bounded at ~15K input tokens.

How to improve this grade

• Security — static: validate tool-input URLs against an allowlist before fetch/axios calls; use execFile with argv arrays instead of exec with template strings; never pass untrusted strings to subprocess with shell=True.
• Security — prompt injection: never return fetched web-page / file / email content verbatim in a tool response. Wrap with a framing marker (e.g., <untrusted-content>...</untrusted-content>), summarize rather than inline, and never let untrusted content share a turn with credentials or other tool output.
• Credentials findings: redact env-var reads before log lines and error messages; treat any string that ends up in a tool response as public.
• Maintenance: if the repo is inactive, document the maintenance model — "MCP tool, no breaking changes expected" is a legitimate signal.
• Docs: add a README install + usage section with a copy-pasteable command; add a SECURITY.md with a disclosure channel.

_Report generated by skillaudit.dev_