security scan
MCP servers sit near local files, credentials, shells, and model context. Throne turns that surface into findings a release process can act on: severity, line, reproduction, and fix.
HIGH
Parameters escape the declared root through traversal, symlink, or path normalization gaps.
read_file({ "path": "../.ssh/id_rsa" })const safe = path.resolve(root, input)
if (!safe.startsWith(root)) throw denied()HIGH
User input reaches a spawned process as a shell string instead of isolated arguments.
exec(`git show ${ref}`)spawn("git", ["show", ref], { shell: false })MEDIUM
Tool output enters the model context without delimiter guards, role separation, or provenance.
return fileContentsreturn { source, content, untrusted: true }MEDIUM
Tokens or environment values are echoed into descriptions, logs, traces, or tool output.
description: `using ${process.env.API_KEY}`description: "uses the configured API token"LOW
Write, delete, network, or payment tools can be called repeatedly with no limit or confirmation.
delete_file({ path })guardMutation(user, "delete_file", path)LOW
The shipped package includes a dependency with a known advisory or unsupported major version.
"glob": "7.1.6"npm audit signatures
npm update globwhat ships in the finding