THRONE

agent tool security

The security scan runs before agents get tools.

Every scan runs in a disposable Firecracker microVM created for your server and destroyed after the verdict. The output is not a warning label. It is a finding with a reproduction and its release impact.

submit target -> single-use microVM -> client replay -> static rules -> sealed verdict

rule catalog

Nine security checks for MCP.

Heuristic rules are labeled as heuristics. High-severity findings are treated as release-blocking material until reviewed.

THR-PATH-01 / HIGH: Path traversal

Tool inputs escape declared roots through traversal, symlink, or normalization gaps.

THR-EXEC-04 / HIGH: Shell boundary

User input reaches spawned processes as shell strings instead of isolated arguments.

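As an added illustration of this rule, not code from the product or from any scanned server: the flagged shape (user input interpolated into one shell string) next to the hardened shape (an argv list with shell=False and a "--" separator), plus the shlex.quote fallback for the rare case where a shell string cannot be avoided. The grep wrapper, the metacharacter set and the sample input are constructed for the demo; the child process used to show what actually reaches argv is the Python interpreter itself, so it runs wherever Python does.

```python
from __future__ import annotations

import shlex
import subprocess
import sys

# Characters a POSIX shell reparses when a string is handed to it with shell=True.
# Constructed for the demo; not a complete shell grammar.
SHELL_METACHARS = set(";|&$`<>()\n\"'\\*?[]{}~#")


def tainted_shell_string(pattern: str, path: str) -> str:
    """The shape THR-EXEC-04 flags: user input interpolated into one shell
    string. Returned for inspection only; never executed in this example."""
    return f"grep -n {pattern} {path}"


def would_be_reparsed(value: str) -> bool:
    """True when `value` contains a character the shell would interpret,
    i.e. when the string form above changes the command's meaning."""
    return any(ch in SHELL_METACHARS for ch in value)


def grep_argv(pattern: str, path: str) -> list[str]:
    """Hardened form: one argv element per argument, and a `--` separator so a
    value beginning with '-' cannot be read by grep as an option."""
    return ["grep", "-n", "--", pattern, path]


def run_argv(argv: list[str]) -> list[str]:
    """Spawn without a shell. Each list element reaches the child verbatim."""
    proc = subprocess.run(
        argv, shell=False, capture_output=True, text=True, check=True, timeout=10
    )
    return proc.stdout.splitlines()


def child_sees(*user_values: str) -> list[str]:
    """Demo child: the Python interpreter printing its own argv, one per line.
    Everything after the -c code string is passed to the script untouched."""
    code = "import sys\nfor a in sys.argv[1:]:\n    print(a)"
    return run_argv([sys.executable, "-c", code, *user_values])


def quote_if_shell_unavoidable(value: str) -> str:
    """Fallback when a shell string is genuinely required (e.g. a command line
    that a remote shell will parse): shlex.quote makes the value one literal word."""
    return shlex.quote(value)


if __name__ == "__main__":
    hostile = "a.txt; echo injected"  # constructed input containing a metacharacter
    print("shell string:", tainted_shell_string(hostile, "notes.txt"))
    print("reparsed?   :", would_be_reparsed(hostile))
    print("argv form   :", grep_argv(hostile, "notes.txt"))
    print("child argv  :", child_sees(hostile, "$HOME", "-n"))
    print("quoted      :", quote_if_shell_unavoidable(hostile))
```

The child_sees call is the check worth keeping in a test suite: every value comes back exactly as typed, including the one starting with "-" and the one that a shell would have expanded.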
THR-PROMPT-07 / MEDIUM: Prompt sink

Untrusted tool output enters model context without delimiters or provenance.

THR-SECRET-02 / MEDIUM: Secret exposure

Tokens or environment values leak into descriptions, logs, traces, or outputs.

THR-RATE-09 / LOW: Mutation rate

Write, delete, browser, or network tools can be called repeatedly without guardrails.

THR-VER-11 / LOW: Dependency risk

Shipped packages include known advisories or unsupported dependency majors.

THR-HS-03 / HIGH: Handshake failure

The server starts but never completes MCP initialization inside the sandbox.

THR-PKG-05 / MEDIUM: Package launch heuristic

Package metadata points to a command unlikely to expose an MCP server entrypoint.

THR-SCOPE-08 / MEDIUM: Capability scope heuristic

Tool names imply write, shell, or network access without confirmation boundaries.

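One guardrail that answers both the mutation-rate rule and the capability-scope heuristic above, added here as an example and not taken from the product: a gate in front of tool dispatch that classifies tools by name, refuses a mutating call that carries no confirmation, and caps how many confirmed calls each mutating tool may make inside a sliding window. The name-prefix list, the tool names, the budget numbers and the fake clock are all constructed for the demo.

```python
from __future__ import annotations

import time
from collections import deque
from typing import Callable

# Constructed classification: a tool whose name starts with one of these is
# treated as mutating (write / delete / browser / network / shell) and must
# cross a confirmation boundary before it runs.
MUTATING_PREFIXES = ("write", "delete", "remove", "browser", "fetch", "http", "shell", "exec")


class ConfirmationRequired(PermissionError):
    pass


class RateExceeded(PermissionError):
    pass


def is_mutating(tool_name: str) -> bool:
    return tool_name.lower().startswith(MUTATING_PREFIXES)


class MutationGuard:
    """Sliding-window call budget per mutating tool, plus a per-call
    confirmation requirement. Read-only tools pass through untouched."""

    def __init__(self, max_calls: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_calls = max_calls
        self.window_seconds = window_seconds
        self.clock = clock
        self._history: dict[str, deque[float]] = {}

    def admit(self, tool_name: str, *, confirmed: bool = False) -> bool:
        if not is_mutating(tool_name):
            return True
        if not confirmed:
            raise ConfirmationRequired(tool_name)
        now = self.clock()
        calls = self._history.setdefault(tool_name, deque())
        # Drop timestamps that have aged out of the window.
        while calls and now - calls[0] >= self.window_seconds:
            calls.popleft()
        if len(calls) >= self.max_calls:
            raise RateExceeded(f"{tool_name}: {len(calls)} calls in {self.window_seconds}s")
        calls.append(now)
        return True


class FakeClock:
    """Deterministic clock so the demo can advance the window by hand."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list[str]:
    """Drive the guard through the cases a reviewer would want to see."""
    clock = FakeClock()
    guard = MutationGuard(max_calls=3, window_seconds=60.0, clock=clock)
    log: list[str] = []

    def attempt(tool: str, confirmed: bool = False) -> None:
        try:
            guard.admit(tool, confirmed=confirmed)
            log.append(f"{tool}: admitted")
        except ConfirmationRequired:
            log.append(f"{tool}: confirmation required")
        except RateExceeded:
            log.append(f"{tool}: rate exceeded")

    attempt("read_file")                    # read-only, no boundary applies
    attempt("delete_file")                  # mutating and unconfirmed
    for _ in range(3):
        attempt("delete_file", confirmed=True)
    attempt("delete_file", confirmed=True)  # fourth call inside the window
    clock.advance(61)
    attempt("delete_file", confirmed=True)  # window has slid, budget restored
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In a real server the confirmation flag would come from the host's approval flow rather than from the caller, and the prefix list would be replaced by explicit per-tool annotations; the point of the example is where the gate sits, before dispatch, and that it fails closed.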

what a finding contains

Enough evidence to fix it, not just fear it.

Each finding ships with the offending line or surface, a reproduction, the observed result, and the fix pattern.

rule: THR-PATH-01 / HIGH
input: { "path": "../.ssh/id_rsa" }
result: escaped declared root
fix: resolve, normalize, compare root, deny symlinks
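As an added example of the fix pattern in that finding, not code from the product or from the scanned server: a Python path-confinement check that normalizes the request, compares it to the declared root, refuses any symlink component, then resolves and compares again. The demo builds a throwaway root with one file and one symlink pointing outside it and runs the finding's input through the check; the directory layout, file names and reason codes are constructed for the demo.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised with a reason code: 'lexical', 'symlink' or 'resolved'."""

    def __init__(self, reason: str, path: Path) -> None:
        super().__init__(f"{reason}: {path}")
        self.reason = reason
        self.path = path


def confine(root: str | os.PathLike, requested: str, *, deny_symlinks: bool = True) -> Path:
    """Return the absolute path for `requested` only if it stays under `root`.

    The steps mirror the fix pattern: normalize the lexical path and compare it
    to the root, refuse any symlink component, then resolve and compare again
    so a link that normalization cannot see is still caught.
    """
    root_p = Path(root).resolve(strict=True)
    # Lexical normalization. os.path.join discards root_p when `requested` is
    # absolute; the root comparison below then rejects that request.
    lexical = Path(os.path.normpath(os.path.join(str(root_p), requested)))
    if os.path.commonpath([str(root_p), str(lexical)]) != str(root_p):
        raise PathEscape("lexical", lexical)
    if deny_symlinks:
        cursor = root_p
        for part in lexical.relative_to(root_p).parts:
            cursor = cursor / part
            if cursor.is_symlink():
                raise PathEscape("symlink", cursor)
    resolved = lexical.resolve(strict=False)
    if os.path.commonpath([str(root_p), str(resolved)]) != str(root_p):
        raise PathEscape("resolved", resolved)
    return resolved


def demo() -> dict[str, str]:
    """Constructed sandbox: a root holding one file plus a symlink inside the
    root that points at a file outside it. Returns the verdict per request."""
    cases = [
        # label, requested path, deny_symlinks
        ("notes.txt", "notes.txt", True),
        ("sub/../notes.txt", "sub/../notes.txt", True),        # normalizes back under root
        ("../.ssh/id_rsa", "../.ssh/id_rsa", True),            # the finding's input
        ("/etc/passwd", "/etc/passwd", True),                  # absolute request
        ("link.txt", "link.txt", True),                        # symlink component
        ("link.txt, symlinks allowed", "link.txt", False),     # only the resolve step catches it
    ]
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as td:
        root = Path(td, "root")
        root.mkdir()
        (root / "notes.txt").write_text("inside\n")
        outside = Path(td, "outside.txt")
        outside.write_text("outside\n")
        os.symlink(outside, root / "link.txt")
        for label, requested, deny in cases:
            try:
                confine(root, requested, deny_symlinks=deny)
                results[label] = "allowed"
            except PathEscape as exc:
                results[label] = f"denied:{exc.reason}"
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:32} {verdict}")
```

The last two cases are the ones that separate a real fix from a string check: the symlink is lexically inside the root, so only the per-component symlink test or the final resolve-and-compare step rejects it.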