@contextstream/mcp-server

ContextStream MCP server - v0.4.x with consolidated domain tools (~11 tools, ~75% token reduction). Code context, memory, search, and AI tools.

contextstreamiodev-toolsTypeScriptMIT

GitHub npm

0Tools

15Findings

30Stars

Mar 19, 2026Last Scanned

⚠7 critical · 7 high · 1 low findings detected

Security Category Deep Dive

⚡

Prompt Injection

Prompt & context manipulation attacks

Maturity

Rules

Sub-Categories

Gaps

64%

Implemented

Tests

Stories

PI-DIRDirect Input Injection

100%3 rules

Injection via tool descriptions and parameter fields

GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules

PI-INDIndirect / Gateway Injection

100%4 rules

Hidden instructions via external content and tool responses

PI-CTXContext Manipulation

100%2 rules

Context window saturation and prior-approval exploitation

PI-ENCEncoding & Obfuscation

100%3 rules

Payload hiding via invisible chars, base64, schema fields

PI-TPLTemplate & Output Poisoning

100%2 rules

Injection via prompt templates and runtime tool output

Findings15

7critical

7high

1low

Critical7

criticalC1Command InjectionMCP03-command-injectionAML.T0054

Pattern "`[^`]+`" matched in source_code: "`ContextStream MCP Server (contextstream-mcp) v${VERSION} Usage: npx --prefer-online -y @contextstream/mcp-server@latest contextstream-mcp contextstream-mcp setup contextstream-mcp http contextstream-mcp hook <hook-name> Commands: setup Interactive onboarding wizard (rules + workspace mapping) verify-key [--json] Verify API key and show account info update-hooks [flags] Update hooks for all editors (Claude, Cursor, Cline, Roo, Kilo) --scope=global Install hooks globally (default) --scope=project, -p Install hooks for current project only --path=/path Specify project path (implies --scope=project) http Run HTTP MCP gateway (streamable HTTP transport) hook pre-tool-use PreToolUse hook - blocks discovery tools, redirects to ContextStream hook user-prompt-submit UserPromptSubmit hook - injects ContextStream rules reminder hook media-aware Media-aware hook - detects media prompts, injects media tool guidance hook pre-compact PreCompact hook - saves conversation state before compaction hook post-compact PostCompact hook - restores context after compaction hook session-start SessionStart hook alias for session-init hook stop Stop hook alias for session-end hook post-write PostToolUse hook - real-time file indexing after Edit/Write hook post-tool-use PostToolUse hook alias for post-write hook post-tool-use-failure PostToolUseFailure hook - captures repeated tool failures hook notification Notification hook - captures runtime notifications hook permission-request PermissionRequest hook - captures escalation requests hook subagent-start SubagentStart hook - injects context for spawned agents hook subagent-stop SubagentStop hook - captures subagent outcomes hook task-completed TaskCompleted hook - updates tasks and captures completion hook teammate-idle TeammateIdle hook - redirects idle teammates to pending tasks hook auto-rules Legacy no-op hook hook on-bash Legacy no-op hook hook on-task Legacy no-op hook hook on-read Legacy no-op hook hook on-web Legacy no-op hook hook session-init SessionStart hook - full context injection on session start hook session-end Stop hook - finalizes session, saves state hook on-save-intent UserPromptSubmit hook - redirects doc saves to ContextStream Environment variables: CONTEXTSTREAM_API_URL Base API URL (e.g. https://api.contextstream.io) CONTEXTSTREAM_API_KEY API key for authentication (or use CONTEXTSTREAM_JWT) CONTEXTSTREAM_JWT JWT for authentication (alternative to API key) CONTEXTSTREAM_ALLOW_HEADER_AUTH Allow header-based auth when no API key/JWT is set CONTEXTSTREAM_WORKSPACE_ID Optional default workspace ID CONTEXTSTREAM_PROJECT_ID Optional default project ID CONTEXTSTREAM_TOOLSET Tool mode: light|standard|complete (default: standard) CONTEXTSTREAM_TOOL_SURFACE_PROFILE Tool surface: default|openai_agentic (default: default) CONTEXTSTREAM_TOOL_ALLOWLIST Optional comma-separated tool names to expose (overrides toolset) CONTEXTSTREAM_AUTO_TOOLSET Auto-detect client and adjust toolset (default: false) CONTEXTSTREAM_AUTO_HIDE_INTEGRATIONS Auto-hide Slack/GitHub tools when not connected (default: true) CONTEXTSTREAM_SCHEMA_MODE Schema verbosity: compact|full (default: full, compact reduces tokens) CONTEXTSTREAM_PROGRESSIVE_MODE Progressive disclosure: true|false (default: false, starts with ~13 core tools) CONTEXTSTREAM_ROUTER_MODE Router pattern: true|false (default: false, exposes only 2 meta-tools) CONTEXTSTREAM_OUTPUT_FORMAT Output verbosity: compact|pretty (default: compact, ~30% fewer tokens) CONTEXTSTREAM_INCLUDE_STRUCTURED_CONTENT Include structured JSON payloads in tool results: true|false (default: true) CONTEXTSTREAM_SEARCH_LIMIT Default MCP search limit (default: 3) CONTEXTSTREAM_SEARCH_MAX_CHARS Max chars per search result content (default: 400) CONTEXTSTREAM_CONSOLIDATED Consolidated domain tools: true|false (default: true in v0.4.x, ~75% token reduction) CONTEXTSTREAM_CONTEXT_PACK Enable Context Pack in context_smart: true|false (default: true) CONTEXTSTREAM_PRO_TOOLS Optional comma-separated PRO tool names (default: AI tools) CONTEXTSTREAM_UPGRADE_URL Optional upgrade URL shown for PRO tools on Free plan CONTEXTSTREAM_ENABLE_PROMPTS Enable MCP prompts list (default: true) MCP_HTTP_HOST HTTP gateway host (default: 0.0.0.0) MCP_HTTP_PORT HTTP gateway port (default: 8787) MCP_HTTP_PATH HTTP gateway path (default: /mcp) MCP_HTTP_REQUIRE_AUTH Require auth headers for HTTP gateway (default: true) MCP_HTTP_JSON_RESPONSE Enable JSON responses (default: false) Examples: CONTEXTSTREAM_API_URL="https://api.contextstream.io" \\ CONTEXTSTREAM_API_KEY="your_api_key" \\ npx --prefer-online -y @contextstream/mcp-server@latest Setup wizard: npx --prefer-online -y @contextstream/mcp-server@latest setup Notes: - When used from an MCP client (e.g. Codex, Cursor, VS Code), set these env vars in the client's MCP server configuration. - The server communicates over stdio; logs are written to stderr.`" (at position 2283)

Replace exec()/execSync() with execFile() and pass arguments as an array, never as a string. Validate all inputs against an allowlist before use in any shell context. For subprocess.run, always pass a list and shell=False.

criticalJ1Cross-Agent Configuration PoisoningMCP05-privilege-escalationAML.T0054

Pattern "(\.claude[/\\]|claude[/\\]settings|claude.*config)" matched in source_code: "Claude Code, Cursor, VS Code MCP config" (at position 16990)

MCP servers MUST NOT write to AI agent configuration directories. If configuration management is the server's purpose, require explicit user confirmation before any write and restrict paths to the server's own config namespace. CVE-2025-53773 demonstrated this enables full RCE across agent boundaries.

criticalK8Cross-Boundary Credential SharingMCP05-privilege-escalationAML.T0054

Never forward, share, or embed credentials across trust boundaries. Use OAuth token exchange (RFC 8693) to create scoped, delegated tokens instead of passing original credentials. Never include credentials in tool responses. Required by ISO 27001 A.5.17 and OWASP ASI03.

criticalK9Dangerous Post-Install HooksMCP10-supply-chainAML.T0054

Remove network requests, code execution, and shell commands from install hooks. Post-install scripts should only run build/compile steps (node-gyp, tsc). Use --ignore-scripts flag during CI installations and audit all install hooks before allowing. Required by OWASP ASI04 and CoSAI MCP-T11.

criticalK14Agent Credential Propagation via Shared StateMCP05-privilege-escalationAML.T0054

Never write credentials to shared agent state. Use credential vaults (HashiCorp Vault, AWS Secrets Manager) with per-agent scoped access. Implement OAuth token exchange (RFC 8693) for cross-agent authorization. Redact credentials from all agent outputs before writing to shared memory. Required by OWASP ASI03/ASI07 and MAESTRO L7.

criticalQ11Code Suggestion Poisoning via MCPMCP01-prompt-injectionAML.T0054.001

Pattern "(?:suggest|generate|complete|insert).*(?:code|function|class|import|require)" matched in source_code: "CompletedHook } = await import" (at position 10504)

MCP tool outputs flowing into IDE code suggestion contexts must be sanitized. Implement output content policies that: (1) strip hidden Unicode characters (zero-width, RTL override, tag characters), (2) detect embedded instructions targeting AI code assistants, (3) validate code blocks against security patterns before they enter the suggestion pipeline, (4) never include shell commands in tool outputs without explicit [COMMAND] markers visible to the user. Reference: IDEsaster (Dec 2025), arXiv 2509.22040.

criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054

Pattern "["']@modelcontextprotocol/sdk["']\s*:\s*["'](?:\^|~|\*|latest)" matched in source_code: ""@modelcontextprotocol/sdk": "^" (at position 22805)

MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.

High7

highQ14Concurrent MCP Server Race ConditionMCP07-insecure-configT1068

MCP servers sharing filesystem or database backends with other servers must implement proper concurrency controls. Use: (1) file locking (flock/lockfile) for filesystem operations, (2) database transactions for all read-modify-write sequences, (3) atomic file operations (O_EXCL, mkdtemp) instead of check-then-create, (4) lstat() to detect symlinks before following (CVE-2025-53109). Never assume exclusive access to shared resources — other MCP servers may be operating concurrently.

highD1Known CVEs in DependenciesMCP08-dependency-vuln

Dependency "@modelcontextprotocol/sdk@1.25.1" has known CVEs:

Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.

highK1Absent Structured LoggingMCP09-logging-monitoringAML.T0054

Implement structured logging (pino, winston, or equivalent) for all tool call handlers. Every tool invocation should log: timestamp, tool name, caller identity, parameters (sanitized), result status, and duration. Required by ISO 27001 A.8.15, CoSAI MCP-T12, and NIST AI RMF MEASURE 2.6.

highK11Missing Server Integrity VerificationMCP10-supply-chainAML.T0054

Implement cryptographic verification for MCP server connections: (1) Pin server TLS certificates or public keys, (2) Verify server tool definition checksums against a known-good manifest, (3) Use package manager integrity checks (npm integrity, pip --require-hashes). The MCP spec recommends but doesn't yet mandate server signing — implement it proactively. Required by ISO 27001 A.8.24 and CoSAI MCP-T6.

highK15Multi-Agent Collusion PreconditionsMCP05-privilege-escalationAML.T0054

Implement collusion-resistant multi-agent architecture: (1) Verify agent identity cryptographically before accepting commands, (2) Apply ACLs to shared write surfaces, (3) Rate-limit cross-agent invocations, (4) Audit all inter-agent communication with timestamps and agent IDs, (5) Baseline normal interaction patterns for anomaly detection. Required by MAESTRO L7 and CoSAI MCP-T9.

highK16Unbounded Recursion / Missing Depth LimitsMCP07-insecure-configAML.T0054

Pattern "function\s+(\w+).*\{[^}]*\1\s*\((?!.*(?:depth|level|limit|max|count|recursi))" matched in source_code: "function runLimitedModeServer(): Promise<void> { const server = new McpServer(" (at position 7865)

Add explicit depth/recursion limits to all recursive operations. Use iterative approaches where possible. Set maximum depth for directory walking (max_depth=10), tree traversal (max_level=20), and agent re-invocation (max_calls=5). Implement circuit breakers that halt after N iterations. Required by EU AI Act Art. 15 (robustness) and OWASP ASI08.

highL5Package Manifest Confusion IndicatorsMCP10-supply-chainAML.T0017

Pattern "["']bin["']\s*:\s*\{[^}]*["'](?!(?:mcp-sentinel|npx))[\w-]+["']\s*:\s*["'][^"']*(?:backdoor|payload|hook|inject)" matched in source_code: ""bin": { "mcp-server": "dist/index.js", "contextstream-mcp": "dist/index.js", "contextstream-hook": "dist/hook" (at position 17995)

Verify package integrity by comparing registry manifest with tarball package.json using npm-manifest-check or similar tools. Pin dependencies by integrity hash in lockfiles. Use 'npm publish --provenance' for Sigstore attestation. Audit prepublish scripts for package.json modifications. Add 'npm pack --dry-run' to CI to verify tarball contents match expectations.

Low1

lowF4MCP Spec Non-ComplianceMCP07-insecure-config

Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions

Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.