Runtime behavior monitoring for stdio MCP servers -> catching side effects and attributing them to tool calls #800
Agent-Hellboy
started this conversation in
Show and tell
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Pre-submission Checklist
What would you like to share?
Most MCP server testing checks protocol/schema conformance and what a tool returns. But an MCP server is a real process that can shell out, read files, and open sockets — and a malicious or compromised one can do that in response to a tools/call without any of it showing up in the response. I've been exploring observing that at runtime and tying it back to the exact tool call that caused it.
Scope: this mostly targets stdio servers. Stdio is where it fits cleanest today — the fuzzer/client launches the server as a child process, so we get its process group for free, and stdio calls serialize (one tools/call active at a time), which makes per-call attribution exact. HTTP/SSE with concurrent requests is harder and out of scope for now (see question 2).
What I built (sharing for feedback):
Repo: https://github.com/Agent-Hellboy/mcpfz-probe
Attack vectors it surfaces (detection, which is what makes them avoidable — the probe reports, it doesn't sandbox):
All of these can be triggered by a tool implementation that trusts its input, so pairing them with a fuzzer means fuzzed inputs that cause real side effects show up as findings instead of silently passing.
All of these can be triggered by a tool implementation that trusts its input, so pairing them with a fuzzer means fuzzed inputs that cause real side effects show up as findings instead of silently passing.
Questions for the community:
Relevant Links
No response
Beta Was this translation helpful? Give feedback.
All reactions