io.github.Crypto-Goatz/rocket-plus-mcp

56+ AI tools for CRM, content, workflows, SkillForge & marketing automation.

Crypto-Goatzapi-integrationTypeScript

GitHub npm

0Tools

13Findings

Mar 24, 2026Last Scanned

⚠5 critical · 6 high · 1 medium · 1 low findings detected

Security Category Deep Dive

⚡

Prompt Injection

Prompt & context manipulation attacks

Maturity

Rules

Sub-Categories

Gaps

64%

Implemented

Tests

Stories

PI-DIRDirect Input Injection

100%3 rules

Injection via tool descriptions and parameter fields

GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules

PI-INDIndirect / Gateway Injection

100%4 rules

Hidden instructions via external content and tool responses

PI-CTXContext Manipulation

100%2 rules

Context window saturation and prior-approval exploitation

PI-ENCEncoding & Obfuscation

100%3 rules

Payload hiding via invisible chars, base64, schema fields

PI-TPLTemplate & Output Poisoning

50%2 rules1 found

Injection via prompt templates and runtime tool output

Findings13

5critical

6high

1medium

1low

Critical5

criticalC1Command InjectionMCP03-command-injectionAML.T0054

Pattern "`[^`]+`" matched in source_code: "`${API_BASE}/api/mcp/init`" (at position 4118)

Replace exec()/execSync() with execFile() and pass arguments as an array, never as a string. Validate all inputs against an allowlist before use in any shell context. For subprocess.run, always pass a list and shell=False.

criticalQ8Cross-Protocol Authentication ConfusionMCP07-insecure-configT1550

Pattern "(?:oauth|bearer).{0,100}(?:api[_\s-]?key|x-api-key|apiKey)" matched in source_code: "Bearer ${API_KEY" (at position 4257)

MCP servers supporting multiple protocols must enforce authentication independently per protocol. Never reuse OAuth tokens across protocol boundaries. Implement protocol-specific middleware with explicit auth checks on every path. Audit auth coverage for all transport types (stdio, SSE, Streamable HTTP, REST). Reference: CVE-2025-6514 demonstrated that auth library vulnerabilities in MCP's OAuth layer cascade to all protocols sharing the same auth middleware.

criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054

Pattern "["']@modelcontextprotocol/sdk["']\s*:\s*["'](?:\^|~|\*|latest)" matched in source_code: ""@modelcontextprotocol/sdk": "^" (at position 34381)

MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.

criticalK14Agent Credential Propagation via Shared StateMCP05-privilege-escalationAML.T0054

Never write credentials to shared agent state. Use credential vaults (HashiCorp Vault, AWS Secrets Manager) with per-agent scoped access. Implement OAuth token exchange (RFC 8693) for cross-agent authorization. Redact credentials from all agent outputs before writing to shared memory. Required by OWASP ASI03/ASI07 and MAESTRO L7.

criticalL7Transitive MCP Server DelegationMCP06-excessive-permissionsAML.T0054

Pattern "(?:connect|initialize).*(?:mcp|modelcontextprotocol).*(?:server|endpoint|url)" matched in source_code: "Initialize MCP Server" (at position 5527)

MCP servers MUST NOT create client connections to other MCP servers without explicit user disclosure. If delegation is required, declare all downstream servers in the server's capabilities and tool descriptions. Never forward user credentials to sub-servers. Implement a trust boundary between the approved server and any delegated servers. Log all transitive delegations for audit.

High6

highK18Cross-Trust-Boundary Data Flow in Tool ResponseMCP04-data-exfiltrationAML.T0054

Pattern "(?:readFile|read_file|query|select|getSecret|getCredential|getPassword).*(?:webhook|http|fetch|axios|post|send|email|slack|discord)" matched in source_code: "query: { type: 'string', description: 'Search query (name, email" (at position 9291)

Implement data flow taint tracking: tag data from sensitive sources (databases, credentials, files) and prevent it from flowing to external sinks (HTTP, webhooks, email) without explicit sanitization/redaction. Apply data classification and enforce boundary controls per trust level. Required by ISO 27001 A.5.14 and CoSAI MCP-T5.

highK15Multi-Agent Collusion PreconditionsMCP05-privilege-escalationAML.T0054

Implement collusion-resistant multi-agent architecture: (1) Verify agent identity cryptographically before accepting commands, (2) Apply ACLs to shared write surfaces, (3) Rate-limit cross-agent invocations, (4) Audit all inter-agent communication with timestamps and agent IDs, (5) Baseline normal interaction patterns for anomaly detection. Required by MAESTRO L7 and CoSAI MCP-T9.

highC3Server-Side Request Forgery (SSRF)MCP04-data-exfiltrationAML.T0057

Pattern "\bfetch\s*\([^)]*\$\{[^}]*(?:url|uri|host|target|endpoint|param|input|args)[^}]*\}" matched in source_code: "fetch(`${API_BASE}${endpoint}" (at position 6058)

Validate ALL user-supplied URLs before making HTTP requests: 1. Parse the URL and check the hostname against an explicit allowlist of permitted domains. 2. Block requests to RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. 3. Block loopback (127.0.0.0/8), link-local (169.254.0.0/16), and IPv6 equivalents. 4. Block file:// and other non-http(s) protocols explicitly. 5. Disable automatic redirect following, or re-validate each redirect destination. 6. In cloud environments: block requests to IMDS endpoints (169.254.169.254, metadata.google.internal) at both the application AND network layer. Example (Node.js): Use the `ssrf-req-filter` package or implement URL validation against an allowlist before calling fetch/axios/got.

highD1Known CVEs in DependenciesMCP08-dependency-vuln

Dependency "@modelcontextprotocol/sdk@1.0.0" has known CVEs:

Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.

highJ5Tool Output Poisoning PatternsMCP01-prompt-injectionAML.T0054

[AST — J5] Catch block at L810 interpolates error variable "error" into response. If the error originates from attacker-controlled input (e.g., malformed data), the error message becomes an injection vector into the AI's context.

Never include user input or LLM manipulation directives in error messages or tool responses. Use structured error codes.

highK16Unbounded Recursion / Missing Depth LimitsMCP07-insecure-configAML.T0054

Add explicit depth/recursion limits to all recursive operations. Use iterative approaches where possible. Set maximum depth for directory walking (max_depth=10), tree traversal (max_level=20), and agent re-invocation (max_calls=5). Implement circuit breakers that halt after N iterations. Required by EU AI Act Art. 15 (robustness) and OWASP ASI08.

Medium1

mediumK17Missing Timeout or Circuit BreakerMCP07-insecure-configAML.T0054

Add timeouts to ALL external calls: HTTP requests (30s), database queries (10s), subprocess execution (60s), and MCP tool calls (30s). Implement circuit breakers that open after N consecutive failures (e.g., opossum, cockatiel). Use AbortSignal for cancellable operations. Required by EU AI Act Art. 15 and OWASP ASI08.

Low1

lowF4MCP Spec Non-ComplianceMCP07-insecure-config

Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions

Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.