App Idea Cards 2026-05-15

MCPFrisk

A single-binary CLI that frisks every MCP config on a developer's machine — Claude Code, Cursor, Windsurf, Gemini-CLI, Copilot agent mode, Continue, Claude Desktop — and refuses the launch when a server's STDIO command, embedded secret, or marketplace provenance trips the CVE-2026-30623 pattern.

Problem

The April 15, 2026 OX Security advisory turned every .mcp.json into a public-facing remote code execution surface: Anthropic's STDIO interface passes the command + args fields to a shell on every protocol implementation regardless of language, and the company has declined to change it, calling sanitization "the developer's responsibility." More than 7,000 publicly accessible MCP servers and 150M+ package downloads are in the blast radius, marketplace poisoning lands on 9 of 11 surveyed marketplaces, and CVE-2026-30623 made the command-injection variant concrete. Meanwhile MCP config files are also where the secrets live — researchers found 24,008 plaintext API keys in MCP configs alone, and AI-assisted commits leak credentials at twice the human baseline. Today there is no developer-side tool that opens a config, frisks every server's command line, environment block, and source provenance, and refuses the launch when something is wrong.

Target user

Two personas. Primary: individual developers running one or more AI coding agents (Claude Code, Cursor, Windsurf, Gemini-CLI, Copilot agent mode) on a laptop they also use for client work, who can't afford a SANDWORM_MODE-style rogue server harvesting their .env. Secondary: platform/security engineers at small-to-midsize shops where every engineer now ships an unaudited .mcp.json in their repo. JTBD: "Before any AI coding agent on this machine actually spawns a server, prove to me the command isn't a shell-injection vector, the env block isn't full of plaintext keys, and the upstream package isn't on the marketplace-poisoning list."

MVP scope

  • Auto-discover all known MCP config locations across macOS / Linux / Windows: ~/.claude/config.json, .cursor/mcp.json, Windsurf's ~/.codeium/windsurf/mcp_config.json, ~/.config/gemini-cli/mcp.json, Copilot's ~/.config/github-copilot/mcp.json, Continue's .continue/config.json, Claude Desktop's claude_desktop_config.json, plus repo-local .mcp.json.
  • Lint every STDIO entry against the CVE-2026-30623 pattern — flag commands whose args or env interpolate untrusted JSON values into a shell-string boundary, flag command: sh -c / bash -c wrappers, flag args containing unquoted $VAR, backticks, or ;/&&/|.
  • Scan extracted env blocks and JSON string values for plaintext secrets (Anthropic/OpenAI/HF/AWS keys, GitHub tokens, OAuth refresh tokens, Stripe keys) via regex + entropy, and offer one-flag rewrite into the OS keychain (mcpfrisk migrate-secrets).
  • Resolve each STDIO command's binary to its source package (npm / PyPI / cargo / uv / pipx). Pin the resolved version into .mcpfrisk.lock; emit a yellow flag when a preinstall / install / postinstall hook was added since the pinned version, mirroring [[hookgate]]'s diff-against-prior-version idea but at the MCP-server layer.
  • Cross-reference each server's source against a bundled signature list of the 9 poisoned marketplaces from the OX Security advisory plus the 19-package SANDWORM_MODE roster; refuse to launch on a match.
  • Output a one-screen TTY report, SARIF (for GitHub code scanning), and JUnit XML (for CI). Ship as a single static Go binary so it can run as the first step in a hardened image with no Node / Python runtime required.
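A minimal slice of the STDIO lint and secret scan from the scope above, written here as an added example in Go (not MCPFrisk's own code): it parses the mcpServers map, flags sh -c / bash -c wrappers, shell metacharacters and unquoted $VAR in args, and env values carrying well-known key prefixes. The config shape, the example-mcp-server package name and the key value are constructed; the entropy half of the secret scan, provenance resolution and the marketplace signature list are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Server is one "mcpServers" entry of an .mcp.json (command/args/env as Claude Code and Cursor write them).
type Server struct {
	Command string            `json:"command"`
	Args    []string          `json:"args"`
	Env     map[string]string `json:"env"`
}

// Constructed sample: a clean entry, an sh -c wrapper with an unquoted $VAR, and a plaintext key in env.
const SampleConfig = `{"mcpServers":{"files":{"command":"npx","args":["-y","example-mcp-server","/srv/docs"]},
"shelly":{"command":"sh","args":["-c","node server.js $PROJECT_DIR"]},
"leaky":{"command":"uvx","args":["example-tool"],"env":{"ANTHROPIC_API_KEY":"sk-ant-CONSTRUCTED-a1B2c3D4"}}}}`

var shellMeta = regexp.MustCompile("[;|`]|&&|\\$[A-Za-z_{]")                       // ; | backtick && $VAR ${VAR}
var keyPrefix = regexp.MustCompile(`^(sk-|ghp_|gho_|AKIA|hf_|sk_live_|rk_live_)`) // well-known key prefixes

// Frisk lints every STDIO entry (shell wrapper, metacharacters in args, key-shaped env values) and returns sorted findings.
func Frisk(raw []byte) ([]string, error) {
	var cfg struct{ Servers map[string]Server `json:"mcpServers"` }
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var out []string
	for name, s := range cfg.Servers {
		// A shell wrapper re-parses its -c argument, so any value interpolated into it becomes code.
		if (s.Command == "sh" || s.Command == "bash") && len(s.Args) > 0 && s.Args[0] == "-c" {
			out = append(out, name+": "+s.Command+" -c hands its argument to a shell string")
		}
		for i, a := range s.Args {
			if shellMeta.MatchString(a) {
				out = append(out, fmt.Sprintf("%s: arg[%d] %q contains shell metacharacters", name, i, a))
			}
		}
		for k, v := range s.Env {
			if keyPrefix.MatchString(v) {
				out = append(out, name+": env "+k+" holds a plaintext secret")
			}
		}
	}
	sort.Strings(out) // map iteration order is random; sort for a stable report
	return out, nil
}
```

An empty slice from Frisk means the config is clean; a non-empty one is what the launch gate would refuse on.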

Monetization

Freemium. Core CLI is MIT-licensed and free forever. MCPFrisk Cloud ($12/seat/month, $79/month team flat) continuously watches the public MCP marketplaces (Smithery, Glama, the Anthropic catalogue), npm/PyPI for newly published MCP server packages, and the GitHub Advisory + CISA feeds; pushes a webhook the moment ANY server pinned in your committed .mcpfrisk.lock changes state. Enterprise tier ($499/mo flat for ≤50 seats) adds SSO, audit log export, an org-wide policy file (MCPFRISK_POLICY.yaml), and a private signature mirror.

Why now

The OX Security advisory dropped April 15, 2026 and was followed within hours by CVE-2026-30623 for the STDIO command-injection variant — the third major AI-supply-chain disclosure in eight weeks after SANDWORM_MODE (February 2026, 19 malicious npm packages shipping rogue MCP servers, three of which impersonated Claude Code) and the March 31 Claude Code source-map leak. Anthropic has publicly declined to modify the protocol, which means the fix has to live in the install/runtime layer on the developer's machine — exactly the layer existing tools (Snyk, Semgrep, gitleaks) don't reach because none of them know what an MCP config is. OECD.AI's March 17, 2026 incident report shows AI-assisted commits leak secrets at twice the human baseline, and 24,008 of those secrets were found inside MCP configs themselves, so the same file is now both the RCE surface and the credential dump.

Risks & open questions

  • False-positive fatigue — STDIO commands legitimately invoke sqlite, ripgrep, gh, uv run, etc. Need a curated allow-shape list out of the box plus an mcpfrisk approve <server>@<sha> flow that commits trust to .mcpfrisk.lock.
  • MCP spec is moving fast — the STDIO transport may be deprecated in favour of HTTP+streaming, which would shrink the injection surface but explode a new auth surface. Plugin layer per client must be stable.
  • Marketplace landscape fragments weekly; the poisoning-signature list is the actual product asset and decays without the Cloud watch tier.
  • Enterprise IT may already centralize MCP policy via MDM (Jamf, Intune); MCPFrisk needs a --report-only mode that doesn't gate the install in those orgs.
  • Distinguishing "developer intentionally ran a shell-out" from "a malicious server template that ships with a shell-out" is the real tuning problem; over-blocking will push devs to --ignore past it.

Next step

Promote to the weekly prototype slot on Sunday 2026-05-17 — minimum runnable slice that ingests a single .mcp.json, runs the STDIO lint + secret scan + npm-provenance check, and emits the one-screen TTY report. Validate by frisking the configs of five real Claude Code / Cursor users and counting how many trip a true positive on their first run.
