Skip to main content
Glama
CSOAI-ORG

meok-mcp-injection-scan-mcp

by CSOAI-ORG
OverviewSchemaRelated ServersScoreDiscussions
Python
Remote

list_rules

List all canonical detection rules to audit vulnerability checks before subscribing. See 30+ rules across 5 severity tiers for transparent procurement.

Instructions

List every detection rule in the canonical catalogue. Useful for buyers auditing what we check before subscribing.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault

No arguments

Implementation Reference

  • server.py:528-549 (handler)
    The `list_rules` tool handler function. Decorated with @mcp.tool(), it returns the canonical catalogue of detection rules including total count, severity distribution, and per-rule details (id, severity, category, name, remediation) along with version metadata.
    def list_rules() -> dict:
    """
    List every detection rule in the canonical catalogue. Useful for buyers
    auditing what we check before subscribing.
    """
    sev_counts = Counter(r["severity"] for r in INJECTION_RULES)
    return {
        "total_rules": len(INJECTION_RULES),
        "severity_counts": dict(sev_counts),
        "rules": [
            {
                "id": r["id"],
                "severity": r["severity"],
                "category": r["category"],
                "name": r["name"],
                "remediation": r["remediation"],
            }
            for r in INJECTION_RULES
        ],
        "version": "1.0.0",
        "last_updated": "2026-04-26",
    }
  • server.py:527-527 (registration)
    The `@mcp.tool()` decorator that registers `list_rules` as an MCP tool on the `FastMCP` instance named 'meok-mcp-injection-scan' (defined at line 392).
    @mcp.tool()
  • server.py:103-245 (helper)
    The `INJECTION_RULES` list — the canonical data source consumed by `list_rules`. It contains ~30+ rule dictionaries with id, severity, category, name, pattern, and remediation fields.
    INJECTION_RULES = [
    # === CRITICAL — direct RCE / system-prompt override / credential exfil ===
    {
        "id": "INJ-001",
        "severity": "CRITICAL",
        "category": "tool-poisoning",
        "name": "Hidden 'ignore previous instructions' in tool description",
        "pattern": re.compile(r"ignore\s+(?:all\s+)?(?:previous|prior|above)\s+instructions?", re.I),
        "remediation": "Remove instruction-override language from tool descriptions. Anthropic's April 2026 disclosure showed this pattern triggers RCE in default MCP host configurations.",
    },
    {
        "id": "INJ-002",
        "severity": "CRITICAL",
        "category": "system-prompt-override",
        "name": "'You are now' authority impersonation pattern",
        "pattern": re.compile(r"\byou\s+are\s+now\s+(?:in|a|the|admin|root|developer|maintainer)", re.I),
        "remediation": "Tool descriptions must describe the tool, not redefine the agent. This pattern is the #1 jailbreak vector.",
    },
    {
        "id": "INJ-003",
        "severity": "CRITICAL",
        "category": "credential-exfil",
        "name": "Tool description requests credentials / keys / tokens",
        "pattern": re.compile(r"(?:api[_\-\s]?key|secret|token|password|credential)s?\s+(?:is|are|=|:)\s*['\"]", re.I),
        "remediation": "NEVER hard-code credentials in tool descriptions. NEVER request them from the agent — use the MCP host's secret store.",
    },
    {
        "id": "INJ-004",
        "severity": "CRITICAL",
        "category": "rce",
        "name": "Shell metachars in default parameter values",
        "pattern": re.compile(r"[\$`;|&<>]+\s*(?:rm|curl|wget|nc|sh|bash|exec|eval|chmod|chown)\s", re.I),
        "remediation": "Default parameter values must not contain shell metacharacters. Sanitize at the schema layer.",
    },
    {
        "id": "INJ-005",
        "severity": "CRITICAL",
        "category": "ssrf",
        "name": "file:// or internal-network URL in default parameter",
        "pattern": re.compile(r"(?:file://|http://(?:localhost|127\.0\.0\.1|0\.0\.0\.0|169\.254\.|10\.|172\.(?:1[6-9]|2[0-9]|3[0-1])\.|192\.168\.))", re.I),
        "remediation": "Block internal URLs at the SSRF allowlist. Apr 2026 DockerDash chain pivoted via 169.254.169.254 metadata endpoint.",
    },
    # === HIGH — encoded payloads / nested instructions / supply chain ===
    {
        "id": "INJ-101",
        "severity": "HIGH",
        "category": "encoded-payload",
        "name": "Base64-encoded blob > 64 chars in description",
        "pattern": re.compile(r"[A-Za-z0-9+/=]{64,}"),
        "remediation": "Long base64 blobs in tool descriptions are a known steganography vector. Decode + manually review before deploying.",
    },
    {
        "id": "INJ-102",
        "severity": "HIGH",
        "category": "instruction-injection",
        "name": "Imperative directive aimed at the agent",
        "pattern": re.compile(r"\b(?:execute|run|invoke|call|fetch|download|delete|remove|exfiltrate|send|transmit|email|post|push)\s+(?:the|all|every|any|this|these|that|those)\s+\w+", re.I),
        "remediation": "Tool descriptions describe what the tool does. Imperatives aimed at the agent are an injection vector.",
    },
    {
        "id": "INJ-103",
        "severity": "HIGH",
        "category": "supply-chain",
        "name": "Unverified package import inside tool description",
        "pattern": re.compile(r"pip\s+install\s+[a-z0-9_\-]+|npm\s+install\s+[a-z0-9_\-]+", re.I),
        "remediation": "Tool descriptions that prompt the user/agent to install additional packages bypass the host's supply-chain controls.",
    },
    {
        "id": "INJ-104",
        "severity": "HIGH",
        "category": "data-exfil",
        "name": "Tool description references reading env vars / secrets",
        "pattern": re.compile(r"\b(?:os\.environ|process\.env|getenv|getEnv|System\.Environment|env\[)", re.I),
        "remediation": "Don't reference env-var access in tool descriptions. Centralise secret handling.",
    },
    {
        "id": "INJ-105",
        "severity": "HIGH",
        "category": "tool-shadowing",
        "name": "Tool description claims to replace / hijack another tool",
        "pattern": re.compile(r"\b(?:replaces?|hijacks?|intercepts?|overrides?|shadows?)\s+(?:the|all|any|every)\s+\w+\s+(?:tool|function|call)", re.I),
        "remediation": "Tool shadowing is a known privilege-escalation vector when an MCP host loads multiple servers.",
    },
    # === MEDIUM — social engineering, urgency, weak schemas ===
    {
        "id": "INJ-201",
        "severity": "MEDIUM",
        "category": "social-engineering",
        "name": "Urgency / authority language in description",
        "pattern": re.compile(r"\b(?:urgent|critical|immediately|asap|emergency|mandatory|required|must)\b\s*[!.]?", re.I),
        "remediation": "Tool descriptions should describe behaviour, not pressure the agent. Strip urgency markers.",
    },
    {
        "id": "INJ-202",
        "severity": "MEDIUM",
        "category": "schema-abuse",
        "name": "additionalProperties=true in input schema",
        "pattern": re.compile(r'"additionalProperties"\s*:\s*true', re.I),
        "remediation": "Set additionalProperties=false in JSON schemas — every undeclared field is an injection vector.",
    },
    {
        "id": "INJ-203",
        "severity": "MEDIUM",
        "category": "schema-abuse",
        "name": "Free-text 'string' parameter without maxLength",
        "pattern": re.compile(r'"type"\s*:\s*"string"(?![^}]*"maxLength")', re.I),
        "remediation": "Cap free-text params with maxLength. Unbounded strings are a DoS + storage-stuffing vector.",
    },
    {
        "id": "INJ-204",
        "severity": "MEDIUM",
        "category": "tool-naming",
        "name": "Tool name impersonates a well-known tool",
        "pattern": re.compile(r"\b(?:read_file|write_file|execute|shell|system|admin|root|sudo)\b", re.I),
        "remediation": "Tool naming impersonation breaks user trust in the MCP host's tool list. Rename with a unique prefix.",
    },
    # === LOW — cosmetic / minor tightening ===
    {
        "id": "INJ-301",
        "severity": "LOW",
        "category": "metadata",
        "name": "Description longer than 1,024 chars (host display issue + injection surface)",
        "pattern": "_long_description",  # special handling
        "remediation": "Shorten description. Each extra char is more surface for injected payloads.",
    },
    {
        "id": "INJ-302",
        "severity": "LOW",
        "category": "metadata",
        "name": "Description contains zero-width / control chars",
        "pattern": re.compile(r"[\u200B-\u200F\u202A-\u202E\uFEFF\u00AD]"),
        "remediation": "Strip zero-width and bidi-override chars from tool descriptions. Anthropic's April 2026 PoC abused U+202E.",
    },
]


def _scan_text(text: str) -> list[dict]:
    """Run every rule against a chunk of text. Returns list of finding dicts."""
    findings: list[dict] = []
    if not text:
        return findings
    for rule in INJECTION_RULES:
        pat = rule["pattern"]

Tool Definition Quality

A4.2/5.0
Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided; the description implies a read-only operation (listing) with no side effects, but lacks details on pagination, format, or behavior with an empty catalogue.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Two concise sentences that are front-loaded with the primary action, with no extraneous information.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Despite no output schema, the tool's simplicity (list all rules) and the given usage context make it fairly complete, though return details (fields, ordering) are absent.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

There are no parameters, so schema coverage is trivially 100%. The description does not need to add parameter details, earning the baseline score of 4.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states 'List every detection rule in the canonical catalogue' with a specific verb and resource, and it is distinct from sibling tools like audit_tool_descriptions or pricing.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description includes 'Useful for buyers auditing what we check before subscribing', which provides a clear context for when to use the tool, though no explicit when-not-to-use or alternatives are given.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/CSOAI-ORG/meok-mcp-injection-scan-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server