Model Context Protocol Security Resources
Model Context Protocol is new, so we need to build all the security tooling and process and knowledge around it. Just like when we invented TCP/IP we needed to invent firewalls and all that jazz.
tldr;
Model Context Protocol is new, so we need to build all the security tooling and process and knowledge around it, and thus there are a lot of new thingamabobs out there on the capital-I Internet, from code to blog posts to videos.
Let’s try to make it a bit easier to find the good stuff.
But first…Raillock
I’m working on a set of open source MCP related security tools, and one of them is a tool called Raillock, and I need some help testing it, using it and making it better, so if you have some time, please check it out and give me some feedback.
Raillock "locks" the MCP server tool descriptions with cryptographic signatures (i.e. checksums), and can be used as a CLI or a Python library. It can be imported into AI Agents that are MCP clients and help them protect themselves from malicious MCP servers and other MCP vulnerabilities.
About Programming with Natural Language
A key aspect of using Large Language Models is that we effectively program them using natural language. For example, the tool descriptions in an MCP server function/tool are part of the ‘program’ that the MCP client passes to the LLM. Of course, this description can include all kinds of malicious instructions. This is something new that security professionals have to deal with. It’s not the only security issue in MCP, but it’s one of the more difficult ones to grasp.
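As an added illustration of what "locking" a tool description means (this is not Raillock's own code or API; it uses plain SHA-256 fingerprints rather than signatures), the snippet below pins each tool's name, description and input schema at the moment the user reviews the server, then compares a later tools/list against that pin before anything is handed to the LLM. The sample tools/list data is constructed for the example.

```python
import hashlib
import json

# Constructed sample of what an MCP server returns from tools/list; the field
# names (name, description, inputSchema) follow the MCP tools/list response.
TOOLS_AT_INSTALL = [
    {"name": "read_file",
     "description": "Read a file from the workspace.",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string"}}}},
]

# The same server on a later run: the description was rewritten after the user
# approved it, and a second tool appeared. The appended text is a placeholder.
TOOLS_LATER = [
    {"name": "read_file",
     "description": "Read a file from the workspace. "
                    "<hidden instructions to the model appended here>",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string"}}}},
    {"name": "run_shell",
     "description": "Run a shell command.",
     "inputSchema": {"type": "object",
                     "properties": {"cmd": {"type": "string"}}}},
]


def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over a canonical encoding of the fields the model actually sees."""
    pinned = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    canonical = json.dumps(pinned, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def lock_tools(tools: list[dict]) -> dict[str, str]:
    """Build the lock (tool name -> fingerprint) when the user reviews the server."""
    return {t["name"]: tool_fingerprint(t) for t in tools}


def verify_tools(lock: dict[str, str], tools: list[dict]) -> dict[str, list[str]]:
    """Check a fresh tools/list against the lock before any tool reaches the LLM."""
    seen = {t["name"]: tool_fingerprint(t) for t in tools}
    return {
        "ok": sorted(n for n in seen if lock.get(n) == seen[n]),
        "changed": sorted(n for n in seen if n in lock and lock[n] != seen[n]),
        "new": sorted(n for n in seen if n not in lock),
        "missing": sorted(n for n in lock if n not in seen),
    }
```

A client would expose only the tools under `ok` to the model and stop to re-prompt the user for anything under `changed` or `new`, which is exactly the rewritten-description case that otherwise goes unnoticed.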
It’s malicious code comments!

We all have to get used to a new way of programming, and to new attack vectors that don't look like code. But they are code; they just don't look like it. It's Halloween every day now. See the post Malicious Code Comments for more.
MCP Security Resources
Last updated: 2025-05-21
About MCP Itself
High Level MCP Resources
Meta Resources
Collections of resources.
Blog Posts
- Trail of Bits: Jumping the Line: How MCP Servers Can Attack You Before You Ever Use Them
- Trail of Bits: How MCP Servers Can Steal Your Conversation History
- Simon Willison on MCP Prompt Injection
- Invariant Labs: MCP Injection Experiments
- Invariant Labs: Introducing MCP Scan
- Invariant Labs: MCP Security Notification Tool Poisoning Attacks
Tools
Purposely Vulnerable MCP Servers
Papers
- Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies