
Owasp Mcp
Map MCP server and agent-tool risks to the OWASP MCP Top 10 (2025) IDs when you review or harden MCP integrations.
Overview
OWASP MCP is an agent skill most often used in Ship (also Build integrations and Operate governance) that indexes OWASP MCP Top 10 (2025) vulnerability IDs, titles, and attack categories for MCP security reviews.
Install
npx skills add https://github.com/microsoft/hve-core --skill owasp-mcp
What is this skill?
- Indexes all 10 OWASP MCP Top 10 (2025) entries from MCP01:2025 through MCP10:2025
- Groups risks by category: credential hygiene, access control, supply chain, injection, observability, governance
- Cross-reference catalog for token mismanagement, tool poisoning, shadow MCP servers, and context injection
- 2025-dated identifiers suitable for audit write-ups and remediation tracking
- Reference-oriented index for aligning findings to a standard MCP threat model
- 10 OWASP MCP Top 10 (2025) indexed vulnerability entries (MCP01–MCP10)
- Six primary attack category families in the catalog table
Adoption & trust: 28 installs on skills.sh; 1.1k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You run MCP servers or agent tools but lack a standard vocabulary to classify leaks, injection, and shadow-server risks in audit notes.
Who is it for?
Solo builders documenting MCP threat models, pre-ship checklists, or incident postmortems against a published Top 10.
Skip if: Teams that need automated scanning, penetration testing, or non-MCP OWASP App Top 10 coverage without MCP context.
When should I use this skill?
Reviewing MCP server design, writing security audits, or classifying agent/MCP findings against OWASP MCP Top 10 (2025).
What do I get? / Deliverables
After invoking the skill, security work is framed with MCP01–MCP10 identifiers and categories so remediation and docs stay consistent across releases.
- Vulnerability findings mapped to MCP01–MCP10 IDs and categories
- Structured security notes or checklist aligned to the index
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Security assessment frameworks belong on the Ship shelf so builders audit MCP exposure before production. The skill is a vulnerability index for MCP-specific threats—canonical fit for the security subphase rather than generic docs.
Where it fits
- Label new MCP tool definitions against MCP03 tool poisoning before merging server code.
- Structure a pre-release MCP review using MCP01 token mismanagement and MCP07 auth gaps.
- Explain a production incident with MCP08 lack of audit and MCP09 shadow MCP in a runbook.
- Cross-check agent context policies against MCP10 context injection and over-sharing.
How it compares
Use as a taxonomy index for MCP—not a substitute for DAST, dependency scanners, or generic OWASP cheat sheets.
Common Questions / FAQ
Who is owasp-mcp for?
Indie and solo developers building or operating agent stacks that expose or consume MCP servers and want OWASP-aligned naming in security docs.
When should I use owasp-mcp?
During Ship security reviews before launch, while scoping MCP integrations in Build, and when tracing shadow MCP or telemetry gaps in Operate—any time you need MCP01–MCP10 labels.
Is owasp-mcp safe to install?
It is reference documentation only; review the Security Audits panel on this Prism page and your org policy before loading skills from third-party repos.
SKILL.md - Owasp Mcp
# 00 Vulnerability Index

This document provides the index for the OWASP MCP Top 10 (2025) vulnerabilities. Each entry includes its identifier, title, and primary attack category.

## Vulnerability catalog

| ID | Title | Category |
|------------|--------------------------------------------------------|--------------------------|
| MCP01:2025 | Token Mismanagement and Secret Exposure | Credential Hygiene |
| MCP02:2025 | Privilege Escalation via Scope Creep | Access Control |
| MCP03:2025 | Tool Poisoning | Supply Chain / Integrity |
| MCP04:2025 | Software Supply Chain Attacks and Dependency Tampering | Supply Chain / Integrity |
| MCP05:2025 | Command Injection and Execution | Injection |
| MCP06:2025 | Prompt Injection via Contextual Payloads | Injection |
| MCP07:2025 | Insufficient Authentication and Authorization | Access Control |
| MCP08:2025 | Lack of Audit and Telemetry | Observability |
| MCP09:2025 | Shadow MCP Servers | Governance |
| MCP10:2025 | Context Injection and Over-Sharing | Data Isolation |

## Cross-reference matrix

Each vulnerability document follows a consistent structure:

1. Description — what the vulnerability is and why it matters in MCP contexts.
2. Impact — concrete consequences of exploitation.
3. Vulnerability checklist — indicators that the environment is exposed.
4. Prevention controls — defensive design patterns and governance.
5. Example attack scenarios — realistic exploitation narratives.
6. Detection guidance — signals and indicators of compromise.
7. Remediation — immediate actions to contain and resolve.
## Category groupings

### Injection

* MCP05:2025 Command Injection and Execution
* MCP06:2025 Prompt Injection via Contextual Payloads

### Access Control

* MCP02:2025 Privilege Escalation via Scope Creep
* MCP07:2025 Insufficient Authentication and Authorization

### Supply Chain and Integrity

* MCP03:2025 Tool Poisoning
* MCP04:2025 Software Supply Chain Attacks and Dependency Tampering

### Credential Hygiene

* MCP01:2025 Token Mismanagement and Secret Exposure

### Data Isolation

* MCP10:2025 Context Injection and Over-Sharing

### Observability

* MCP08:2025 Lack of Audit and Telemetry

### Governance

* MCP09:2025 Shadow MCP Servers

---

*🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.*

---
title: 'MCP01: Token Mismanagement and Secret Exposure'
description: OWASP MCP Top 10 reference for token mismanagement and secret exposure vulnerabilities including credential leakage and secret handling patterns
---

# 01 Token Mismanagement and Secret Exposure

Identifier: MCP01:2025

Category: Credential Hygiene

## Description

Tokens and credentials serve as the primary authentication and authorization mechanism between models, tools, and servers in MCP systems. Developers frequently mishandle secrets by embedding them in configuration files, environment variables, or prompt templates, or by allowing them to persist within model context memory.

MCP enables long-lived sessions, stateful agents, and context persistence, which means tokens can be inadvertently stored, indexed, or retrieved through user prompts, system recalls, or log inspection. The result is contextual secret leakage: the model or protocol layer becomes an unintentional secret repository.

## Impact

* Complete environment compromise through API or infrastructure access.
* Unauthorized code modifications
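The MCP01 description above names the failure mode: secrets ride along in tool results and server log lines and end up persisted in agent context or telemetry. The following is an added example, not part of the OWASP MCP Top 10 documents or the owasp-mcp skill, of a defender-side control for that path: a sanitizer that runs over tool results and log lines before they are stored, redacts secret-shaped strings, and records the finding under the MCP01:2025 identifier so the audit note never has to quote the secret itself. The regexes, the sample payloads, and the function names (`redact_text`, `sanitize_tool_result`, `audit_context_record`, `audit_log_lines`) are assumptions of this example; every token value in it is constructed and is not a real credential.

```python
"""Redact secret-shaped strings from MCP tool results and server logs before
they are persisted into agent context or telemetry (an MCP01:2025 control).

Added example, not part of the OWASP MCP Top 10 documents or the owasp-mcp
skill. Regexes, sample payloads and function names are this example's own
assumptions; every token value below is constructed, not a real credential.
"""
import re
from typing import Any

# Order matters: "bearer" runs before "jwt" so a bearer-carried JWT is reported
# once; "generic_kv" is a catch-all for key=value / key: value pairs.
SECRET_PATTERNS: dict[str, re.Pattern[str]] = {
    "bearer": re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_kv": re.compile(
        r"(?i)\b([A-Za-z_]*(?:api[_-]?key|secret|token|password))\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9._~+/=-]{12,})"
    ),
}


def redact_text(text: str) -> tuple[str, list[str]]:
    """Replace every secret-shaped substring with a placeholder and return the
    cleaned text plus the names of the patterns that fired."""
    findings: list[str] = []
    for kind, pattern in SECRET_PATTERNS.items():
        def repl(m: re.Match[str], kind: str = kind) -> str:
            findings.append(kind)
            if kind == "generic_kv":
                return f"{m.group(1)}=[REDACTED:{kind}]"  # keep the key name
            return f"[REDACTED:{kind}]"
        text = pattern.sub(repl, text)
    return text, findings


def sanitize_tool_result(value: Any) -> tuple[Any, list[str]]:
    """Walk a JSON-like tool result and redact every string leaf; other leaves
    (numbers, booleans, None) pass through unchanged."""
    findings: list[str] = []

    def walk(node: Any) -> Any:
        if isinstance(node, str):
            clean, hits = redact_text(node)
            findings.extend(hits)
            return clean
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node

    return walk(value), findings


def audit_context_record(source: str, payload: Any) -> dict[str, Any]:
    """Return the sanitized payload plus a finding tagged with the OWASP MCP
    identifier, ready to be stored in context and cited in audit notes."""
    sanitized, findings = sanitize_tool_result(payload)
    finding = None
    if findings:
        finding = {
            "id": "MCP01:2025",
            "category": "Credential Hygiene",
            "kinds": sorted(set(findings)),
        }
    return {"source": source, "sanitized": sanitized, "finding": finding}


def audit_log_lines(lines: list[str]) -> list[dict[str, Any]]:
    """Scan log lines before they reach telemetry; one entry per leaking line."""
    results: list[dict[str, Any]] = []
    for lineno, line in enumerate(lines, start=1):
        clean, hits = redact_text(line)
        if hits:
            results.append({"line": lineno, "kinds": hits, "redacted": clean})
    return results


# Constructed sample inputs (not captured from any real system).
SAMPLE_TOOL_RESULT: dict[str, Any] = {
    "tool": "http_fetch",
    "request": {"headers": {
        "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl",
    }},
    "body": "deploy succeeded; access_token=tok_0123456789abcdef "
            "uploaded with AKIAEXAMPLE012345678",
    "stderr": "",
}
SAMPLE_LOG_LINES: list[str] = [
    "2025-01-15T10:02:11Z mcp-server tool=git_push ok",
    "2025-01-15T10:02:12Z mcp-server remote=https://"
    "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@github.invalid/org/repo.git",
    "2025-01-15T10:02:13Z mcp-server context_saved bytes=4096",
]

if __name__ == "__main__":
    record = audit_context_record("http_fetch", SAMPLE_TOOL_RESULT)
    print(record["finding"], record["sanitized"]["body"])
    for hit in audit_log_lines(SAMPLE_LOG_LINES):
        print(hit["line"], hit["kinds"], hit["redacted"])
```

Run the sanitizer at the boundary where a tool result is about to be appended to model context and again where server logs are shipped, and keep only the `finding` block (identifier, category, pattern kinds) in the audit trail. The pattern list is deliberately short; extend it with the token formats your own MCP servers actually issue.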