Security Guides
Best practices for securing AI agents and LLM applications.
Securing Your MCP Server
Common vulnerabilities in MCP servers:
• Unrestricted shell execution (`shell_exec`, `eval`)
• Path traversal in file operations
• Missing input validation on tool parameters
• No rate limiting on expensive operations
• Hardcoded secrets in code
Best practices:
• Sandbox all shell/exec operations
• Validate and sanitize all file paths
• Use allowlists for permitted operations
• Implement rate limiting per user and per session
• Use environment variables for secrets
Prompt Injection Defense
Attack vectors:
• Direct injection in user input
• Jailbreaks (DAN, Developer Mode)
• Indirect injection via external data
• Multi-turn gradual manipulation
Defenses:
• Separate system prompts from user content
• Use delimiters and clear boundaries
• Filter outputs for sensitive data
• Implement content classification
• Regularly test with injection payloads
Tool Design Best Practices
Principle of least privilege:
• Only expose necessary functionality
• Scope permissions as narrowly as possible
• Require explicit confirmation for destructive actions
Input validation:
• Define strict schemas for all parameters
• Reject unexpected fields
• Validate types, ranges, and formats
• Sanitize strings before use in commands/queries
Audit logging:
• Log all tool invocations
• Include user context and parameters
• Monitor for anomalous patterns
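The path-traversal and input-validation bullets above (in both the MCP server section and the tool design section) come together in one tool handler. The following is an added example, not code from this guide or from Manta; the `read_file` tool, its schema and the sandbox root `/srv/mcp-data` are hypothetical, and the result shape mimics an MCP tool result with an `isError` flag.

```python
# Added example (not part of the guide): a hardened MCP-style tool handler
# that applies strict schema validation and path sandboxing before any I/O.
# Tool name, schema and SANDBOX_ROOT are hypothetical.
from pathlib import Path

SANDBOX_ROOT = Path("/srv/mcp-data")  # hypothetical allowed root

# Strict schema: field name -> (type, validator). Any other field is rejected.
READ_FILE_SCHEMA = {
    "path": (str, lambda v: 0 < len(v) <= 4096 and "\x00" not in v),
    "max_bytes": (int, lambda v: 1 <= v <= 1_000_000),
}

class ToolInputError(ValueError):
    """Raised when a tool call fails validation; the action is never attempted."""

def validate_params(params: dict, schema: dict) -> dict:
    """Reject unexpected fields, missing fields, wrong types and out-of-range values."""
    unexpected = set(params) - set(schema)
    if unexpected:
        raise ToolInputError(f"unexpected fields: {sorted(unexpected)}")
    clean = {}
    for name, (typ, check) in schema.items():
        if name not in params:
            raise ToolInputError(f"missing field: {name}")
        value = params[name]
        # bool is a subclass of int in Python; treat it as a type mismatch
        if not isinstance(value, typ) or isinstance(value, bool):
            raise ToolInputError(f"field {name}: expected {typ.__name__}")
        if not check(value):
            raise ToolInputError(f"field {name}: out of range or malformed")
        clean[name] = value
    return clean

def resolve_in_sandbox(user_path: str, root: Path = SANDBOX_ROOT) -> Path:
    """Resolve the requested path and confirm it stays inside the sandbox root.
    Rejects '../' traversal, absolute paths and symlinks that escape the root."""
    root = root.resolve()
    candidate = (root / user_path).resolve()  # an absolute user_path replaces root here
    if candidate != root and root not in candidate.parents:
        raise ToolInputError(f"path escapes sandbox: {user_path!r}")
    return candidate

def read_file_tool(params: dict, root: Path = SANDBOX_ROOT) -> dict:
    """Tool entry point: validate first, then perform the narrowly scoped action.
    Returns an MCP-style result; validation failures never reach the filesystem."""
    try:
        clean = validate_params(params, READ_FILE_SCHEMA)
        target = resolve_in_sandbox(clean["path"], root)
        with open(target, "rb") as fh:
            data = fh.read(clean["max_bytes"])
    except (ToolInputError, OSError) as exc:
        return {"isError": True, "content": str(exc)}
    return {"isError": False, "content": data}
```

Pair this with the audit-logging bullets by logging every rejected call together with the user context; a burst of rejections from one session is exactly the anomalous pattern worth alerting on.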
OWASP LLM Top 10
LLM01 - Prompt Injection: Manipulating LLM via crafted inputs
LLM02 - Insecure Output: XSS/injection from LLM responses
LLM03 - Training Data Poisoning: Corrupted training data
LLM04 - Model DoS: Resource exhaustion attacks
LLM05 - Supply Chain: Vulnerable dependencies
LLM06 - Sensitive Info Disclosure: Leaking secrets/PII
LLM07 - Insecure Plugin Design: Vulnerable tool implementations
LLM08 - Excessive Agency: Overprivileged autonomous actions
LLM09 - Overreliance: Trusting LLM output without verification
LLM10 - Model Theft: Extracting model weights/behavior
Manta covers LLM01, 02, 05, 06, 07, and 08 with full scanning.