Glyph
MCP security scanner โ finds tool poisoning, credential leaks, and insecure transports in AI agent configurations.
๐ฎ Glyph โ MCP Security Scanner & Runtime Proxy
Read the runes before your agent steps on them.
Dual-mode MCP security platform. Scan configurations statically + protect traffic at runtime. 83% detection on research attack corpus. 100% on real-world CVEs. Zero false positives.
What It Is
Glyph guards your MCP infrastructure through two complementary approaches:
๐ Static Analysis (glyph scan) โ Deep security scan of MCP configuration files
๐ก๏ธ Runtime Protection (glyph proxy) โ Live interception and sanitization of MCP traffic
Static finds the vulnerabilities. Runtime stops the exploits. Together, they create comprehensive MCP security.
Quick Start
# Install
pip install glyph-scan
# Static scan โ analyze config files
glyph scan ~/.config/claude/claude_desktop_config.json
# Runtime protection โ proxy live traffic
glyph baseline create config.json # Create security baseline
glyph proxy config.json --baseline baseline.json
Results in seconds. No cloud API required. No account needed.
Detection Engine
14 Security Rules โ 7 static + 7 runtime
Static Rules (Configuration Analysis)
| Rule | Detects | Severity |
|---|---|---|
| Prompt Injection | Instruction overrides, hidden behavior, <IMPORTANT> tags, evasion techniques | CRITICAL/HIGH |
| Semantic Poisoning | Tool descriptions semantically similar to known attacks (ONNX embeddings) | HIGH/MEDIUM |
| Data Exfiltration | Hidden data transfers, conversation exfil, external uploads | CRITICAL/HIGH |
| Credential Exposure | Hardcoded API keys, tokens, secrets in configs | CRITICAL/HIGH |
| Command Injection | Shell execution, reverse shells, command substitution | CRITICAL/HIGH |
| Tool Poisoning | Hidden unicode, base64 payloads, HTML obfuscation | HIGH |
| Transport Security | Unencrypted HTTP transport (not HTTPS) | HIGH/MEDIUM |
Runtime Rules (Live Traffic Analysis)
| Rule | Detects | Severity |
|---|---|---|
| ANSI Injection | Terminal manipulation, screen clearing, fake output | HIGH |
| Response Poisoning | Prompt injection in responses, hidden instructions, data exfil commands | CRITICAL/HIGH |
| State Bleeding | Credential leaks, PII exposure, cross-tool data contamination | HIGH |
| Rug Pull | Tool definition changes, new tools added silently, privilege escalation | CRITICAL |
| Tool Shadowing | Homoglyph attacks, typosquatting, namespace collisions | HIGH |
| Cross-Tool Correlation | Multi-step attack chains, reconโexfil patterns | HIGH |
| Anomaly Detection | Statistical outliers, unicode obfuscation, steganography | MEDIUM |
Battle-Tested Results
Real-world validation against actual exploits:
โ
marmelab/mcp-vulnerability โ Prompt injection + cross-tool hijacking PoC
โ
Invariant Labs GitHub MCP โ Issue description data exfiltration
โ
Anthropic Git MCP RCE โ Command injection via git config manipulation
โ
WhatsApp MCP Exfil โ Hidden message backup to external endpoint
โ
ToolHijacker Academic โ Biased tool selection manipulation
Detection Stats:
- 83% detection rate on 23-vector research attack corpus
- 100% detection rate on real-world CVE patterns
- 0 false positives on legitimate tool descriptions
- 197 test cases passing
Not synthetic benchmarks. Real exploits that target real MCP deployments.
Usage
Static Scanning
# Scan a single config
glyph scan ~/.config/claude/claude_desktop_config.json
# JSON output for CI/CD
glyph scan config.json --format json
# Filter by severity
glyph scan config.json --severity critical
# List all detection rules
glyph rules list
Runtime Protection
# 1. Create security baseline (approved tool definitions)
glyph baseline create config.json --output baseline.json
# 2. Run as security proxy
glyph proxy config.json --baseline baseline.json
# 3. Manage quarantined responses
glyph quarantine list
glyph quarantine release <id>
# 4. Analyze traffic logs
glyph traffic list
glyph traffic search "suspicious"
glyph traffic stats
Runtime Flow:
- Client connects to Glyph proxy
- Proxy establishes upstream connection to real MCP server
- Proxy scans tool definitions against baseline (rug pull detection)
- Client tool calls โ Proxy โ Security rules โ Server
- Server response โ Proxy โ Security rules + ANSI sanitization โ Client
- Suspicious responses quarantined for review
Example Output
๐ฎ Glyph v0.3.0 โ MCP Security Scanner & Runtime Proxy
Scanning: config.json (3 servers, 12 tools)
โโโ Findings โโโ
๐ด CRITICAL: Semantic poisoning detected
Rule: semantic-poisoning (confidence: 0.94)
Location: tool "helper" in server "utils"
Similarity: 94% match to known prompt injection pattern
Fix: Review tool description for hidden instructions
๐ด CRITICAL: Data exfiltration pattern
Rule: data-exfiltration
Location: tool "email_sender" in server "comms"
Pattern: Hidden BCC to external domain
Fix: Remove hardcoded recipient addresses
๐ก HIGH: Hardcoded API key
Rule: credential-exposure
Location: server "openai-tools"
Fix: Use ${OPENAI_API_KEY} environment variable
โโโ Summary โโโ
Scanned: 1 config, 3 servers, 12 tools
Findings: 2 critical, 1 high, 0 medium, 0 low
Status: FAIL (CRITICAL findings detected)
How It Compares
| Feature | Glyph | Invariant mcp-scan | Cisco mcp-scanner | Snyk agent-scan |
|---|---|---|---|---|
| Privacy | Fully local | Cloud analysis | Local | Phone-home |
| ML Analysis | ONNX (local) | Proprietary | LLM API required | Cloud |
| Account Required | No | No | No | Yes |
| Live Protection | stdio + HTTP/SSE | stdio only | stdio only | Config only |
| Detection Rules | 14 (static + runtime) | 3 | 4 | 2 |
| Real-world Validation | 5 CVE patterns | Synthetic only | Unknown | Proprietary |
| Runtime Quarantine | Yes | No | No | No |
| Configuration Pinning | Yes | No | No | No |
Architecture
โโโโโโโโโโโโโโโ JSON-RPC โโโโโโโโโโโโโโโ JSON-RPC โโโโโโโโโโโโโโโ
โ Client โ โโโโโโโโโโ โGlyph Proxy โ โโโโโโโโโโ โ MCP Server โ
โ (Claude AI) โ โ โ โ (Tools) โ
โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ
โ
โโโโโโโโโผโโโโโโโโ
โ โ โ
โโโโโโโโโผโโโ โโโโผโโโโ โโโผโโโโโโโโโโ
โStatic โ โRuntimeโ โQuarantine โ
โEngine โ โRules โ โSystem โ
โ(7 rules) โ โ(7 rules)โ โ(SQLite) โ
โโโโโโโโโโโโ โโโโโโโโโ โโโโโโโโโโโโโ
Static Engine โ Analyze configurations for known vulnerabilities
Runtime Rules โ Real-time traffic analysis and threat detection
Quarantine System โ Safe storage and review of suspicious responses
ONNX Semantic Analysis โ ML-powered intent detection via embeddings
Security Notice
โ ๏ธ Runtime scanning spawns processes defined in config files. A malicious config can contain arbitrary commands. Static scanning is safe (JSON parsing only).
# Safe: static configuration analysis
glyph scan config.json
# Caution: live server connections (spawns processes)
glyph proxy config.json --baseline baseline.json
# Sandboxed live scanning (recommended for untrusted configs)
docker run --rm -v $(pwd):/scan glyph proxy /scan/config.json --baseline /scan/baseline.json
Development
git clone https://github.com/HaseebKhalid1507/glyph.git
cd glyph
pip install -e ".[dev]"
pytest tests/ -v
Project Stats:
- 10,074 lines of code
- 197 test cases
- 83% detection rate on adversarial research corpus
- 14 detection rules (7 static + 7 runtime)
- 0 external dependencies for core scanning
Exit Codes
| Code | Result |
|---|---|
0 | Clean scan โ no findings |
1 | Findings detected |
2 | Critical findings detected |
Roadmap
- Browser Extension โ scan MCP configs in Claude Desktop GUI
- GitHub Action โ automated PR scanning for MCP configurations
- SARIF Output โ security tool integration (SonarQube, CodeQL)
- WebSocket Transport โ support for WebSocket-based MCP servers
- Enterprise Dashboard โ centralized security monitoring
Contributing
Found a new MCP attack pattern? Open an issue with details.
Want to add detection rules? PRs welcome.
Need enterprise features? Let's talk.
Author
Built by Haseeb Khalid โ security engineer, agent builder, rune reader.
License
MIT โ scan freely, secure confidently.
Server Terkait
Scout Monitoring MCP
sponsorPut performance and error data directly in the hands of your AI assistant.
Alpha Vantage MCP Server
sponsorAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
Maven Tools
Access real-time Maven Central intelligence for fast and accurate dependency information.
MCP Code Crosscheck
A server for bias-resistant AI code review using cross-model evaluation.
Tempo MCP Server
An MCP server for querying distributed tracing data from Grafana Tempo.
mcp-of-mcps
MCP of MCPs is a meta-server that merges all your MCP servers into a single smart endpoint.โจIt gives AI agents instant tool discovery, selective schema loading, and massively cheaper execution, so you stop wasting tokens and time. With persistent tool metadata, semantic search, and direct code execution between tools, it turns chaotic multi-server setups into a fast, efficient, hallucination-free workflow.โจIt also automatically analyzes the tools output schemas if not exist and preserves them across sessions for consistent behavior.
PyPI Query MCP Server
A server to query the Python Package Index (PyPI) for package information, dependencies, and compatibility.
cesium-mcp
AI-powered CesiumJS 3D globe control โ 43 tools for camera, entities, layers, animation, and interaction via MCP protocol. Also available as a remote server via Streamable HTTP.
OpenAPI Schema Explorer
Token-efficient access to OpenAPI/Swagger specs via MCP Resources
Graph Tools
An interactive graph analysis toolkit with web visualizations and AI-powered analysis capabilities.
MCP Java Dev Tools
Bridges agentic coding tools and live Java runtime behavior through a lightweight sidecar agent.
MCP My Mac
Exposes local Mac system information through a simple API for AI assistants.