Glyph
MCP security scanner — finds tool poisoning, credential leaks, and insecure transports in AI agent configurations.
🔮 Glyph — MCP Security Scanner & Runtime Proxy
Read the runes before your agent steps on them.
Dual-mode MCP security platform. Scan configurations statically + protect traffic at runtime. 83% detection on research attack corpus. 100% on real-world CVEs. Zero false positives.
What It Is
Glyph guards your MCP infrastructure through two complementary approaches:
🔍 Static Analysis (glyph scan) — Deep security scan of MCP configuration files
🛡️ Runtime Protection (glyph proxy) — Live interception and sanitization of MCP traffic
Static finds the vulnerabilities. Runtime stops the exploits. Together, they create comprehensive MCP security.
Quick Start
# Install
pip install glyph-scan
# Static scan — analyze config files
glyph scan ~/.config/claude/claude_desktop_config.json
# Runtime protection — proxy live traffic
glyph baseline create config.json # Create security baseline
glyph proxy config.json --baseline baseline.json
Results in seconds. No cloud API required. No account needed.
Detection Engine
14 Security Rules — 7 static + 7 runtime
Static Rules (Configuration Analysis)
| Rule | Detects | Severity |
|---|---|---|
| Prompt Injection | Instruction overrides, hidden behavior, <IMPORTANT> tags, evasion techniques | CRITICAL/HIGH |
| Semantic Poisoning | Tool descriptions semantically similar to known attacks (ONNX embeddings) | HIGH/MEDIUM |
| Data Exfiltration | Hidden data transfers, conversation exfil, external uploads | CRITICAL/HIGH |
| Credential Exposure | Hardcoded API keys, tokens, secrets in configs | CRITICAL/HIGH |
| Command Injection | Shell execution, reverse shells, command substitution | CRITICAL/HIGH |
| Tool Poisoning | Hidden unicode, base64 payloads, HTML obfuscation | HIGH |
| Transport Security | Unencrypted HTTP transport (not HTTPS) | HIGH/MEDIUM |
Runtime Rules (Live Traffic Analysis)
| Rule | Detects | Severity |
|---|---|---|
| ANSI Injection | Terminal manipulation, screen clearing, fake output | HIGH |
| Response Poisoning | Prompt injection in responses, hidden instructions, data exfil commands | CRITICAL/HIGH |
| State Bleeding | Credential leaks, PII exposure, cross-tool data contamination | HIGH |
| Rug Pull | Tool definition changes, new tools added silently, privilege escalation | CRITICAL |
| Tool Shadowing | Homoglyph attacks, typosquatting, namespace collisions | HIGH |
| Cross-Tool Correlation | Multi-step attack chains, recon→exfil patterns | HIGH |
| Anomaly Detection | Statistical outliers, unicode obfuscation, steganography | MEDIUM |
Battle-Tested Results
Real-world validation against actual exploits:
✅ marmelab/mcp-vulnerability — Prompt injection + cross-tool hijacking PoC
✅ Invariant Labs GitHub MCP — Issue description data exfiltration
✅ Anthropic Git MCP RCE — Command injection via git config manipulation
✅ WhatsApp MCP Exfil — Hidden message backup to external endpoint
✅ ToolHijacker Academic — Biased tool selection manipulation
Detection Stats:
- 83% detection rate on 23-vector research attack corpus
- 100% detection rate on real-world CVE patterns
- 0 false positives on legitimate tool descriptions
- 197 test cases passing
Not synthetic benchmarks. Real exploits that target real MCP deployments.
Usage
Static Scanning
# Scan a single config
glyph scan ~/.config/claude/claude_desktop_config.json
# JSON output for CI/CD
glyph scan config.json --format json
# Filter by severity
glyph scan config.json --severity critical
# List all detection rules
glyph rules list
Runtime Protection
# 1. Create security baseline (approved tool definitions)
glyph baseline create config.json --output baseline.json
# 2. Run as security proxy
glyph proxy config.json --baseline baseline.json
# 3. Manage quarantined responses
glyph quarantine list
glyph quarantine release <id>
# 4. Analyze traffic logs
glyph traffic list
glyph traffic search "suspicious"
glyph traffic stats
Runtime Flow:
- Client connects to Glyph proxy
- Proxy establishes upstream connection to real MCP server
- Proxy scans tool definitions against baseline (rug pull detection)
- Client tool calls → Proxy → Security rules → Server
- Server response → Proxy → Security rules + ANSI sanitization → Client
- Suspicious responses quarantined for review
Example Output
🔮 Glyph v0.3.0 — MCP Security Scanner & Runtime Proxy
Scanning: config.json (3 servers, 12 tools)
━━━ Findings ━━━
🔴 CRITICAL: Semantic poisoning detected
Rule: semantic-poisoning (confidence: 0.94)
Location: tool "helper" in server "utils"
Similarity: 94% match to known prompt injection pattern
Fix: Review tool description for hidden instructions
🔴 CRITICAL: Data exfiltration pattern
Rule: data-exfiltration
Location: tool "email_sender" in server "comms"
Pattern: Hidden BCC to external domain
Fix: Remove hardcoded recipient addresses
🟡 HIGH: Hardcoded API key
Rule: credential-exposure
Location: server "openai-tools"
Fix: Use ${OPENAI_API_KEY} environment variable
━━━ Summary ━━━
Scanned: 1 config, 3 servers, 12 tools
Findings: 2 critical, 1 high, 0 medium, 0 low
Status: FAIL (CRITICAL findings detected)
How It Compares
| Feature | Glyph | Invariant mcp-scan | Cisco mcp-scanner | Snyk agent-scan |
|---|---|---|---|---|
| Privacy | Fully local | Cloud analysis | Local | Phone-home |
| ML Analysis | ONNX (local) | Proprietary | LLM API required | Cloud |
| Account Required | No | No | No | Yes |
| Live Protection | stdio + HTTP/SSE | stdio only | stdio only | Config only |
| Detection Rules | 14 (static + runtime) | 3 | 4 | 2 |
| Real-world Validation | 5 CVE patterns | Synthetic only | Unknown | Proprietary |
| Runtime Quarantine | Yes | No | No | No |
| Configuration Pinning | Yes | No | No | No |
Architecture
┌─────────────┐ JSON-RPC ┌─────────────┐ JSON-RPC ┌─────────────┐
│ Client │ ←────────→ │Glyph Proxy │ ←────────→ │ MCP Server │
│ (Claude AI) │ │ │ │ (Tools) │
└─────────────┘ └─────────────┘ └─────────────┘
│
┌───────┼───────┐
│ │ │
┌───────▼──┐ ┌──▼───┐ ┌─▼─────────┐
│Static │ │Runtime│ │Quarantine │
│Engine │ │Rules │ │System │
│(7 rules) │ │(7 rules)│ │(SQLite) │
└──────────┘ └───────┘ └───────────┘
Static Engine — Analyze configurations for known vulnerabilities
Runtime Rules — Real-time traffic analysis and threat detection
Quarantine System — Safe storage and review of suspicious responses
ONNX Semantic Analysis — ML-powered intent detection via embeddings
Security Notice
⚠️ Runtime scanning spawns processes defined in config files. A malicious config can contain arbitrary commands. Static scanning is safe (JSON parsing only).
# Safe: static configuration analysis
glyph scan config.json
# Caution: live server connections (spawns processes)
glyph proxy config.json --baseline baseline.json
# Sandboxed live scanning (recommended for untrusted configs)
docker run --rm -v $(pwd):/scan glyph proxy /scan/config.json --baseline /scan/baseline.json
Development
git clone https://github.com/HaseebKhalid1507/glyph.git
cd glyph
pip install -e ".[dev]"
pytest tests/ -v
Project Stats:
- 10,074 lines of code
- 197 test cases
- 83% detection rate on adversarial research corpus
- 14 detection rules (7 static + 7 runtime)
- 0 external dependencies for core scanning
Exit Codes
| Code | Result |
|---|---|
0 | Clean scan — no findings |
1 | Findings detected |
2 | Critical findings detected |
Roadmap
- Browser Extension — scan MCP configs in Claude Desktop GUI
- GitHub Action — automated PR scanning for MCP configurations
- SARIF Output — security tool integration (SonarQube, CodeQL)
- WebSocket Transport — support for WebSocket-based MCP servers
- Enterprise Dashboard — centralized security monitoring
Contributing
Found a new MCP attack pattern? Open an issue with details.
Want to add detection rules? PRs welcome.
Need enterprise features? Let's talk.
Author
Built by Haseeb Khalid — security engineer, agent builder, rune reader.
License
MIT — scan freely, secure confidently.
관련 서버
Scout Monitoring MCP
스폰서Put performance and error data directly in the hands of your AI assistant.
Alpha Vantage MCP Server
스폰서Access financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
Everything MCP Server
A test server that demonstrates all features of the MCP protocol, including prompts, tools, resources, and sampling.
Remote MCP Server (Authless)
An example of a remote MCP server deployable on Cloudflare Workers without authentication.
MCPatterns
A server for storing and retrieving personalized coding patterns from a local JSONL file.
clipboard-mcp
Cross-platform MCP server for system clipboard access. Three tools: get_clipboard, set_clipboard, watch_clipboard. Single Rust binary, zero runtime deps.
HeyBeauty
Perform virtual try-ons using the HeyBeauty API.
HandMirrorMcp
A Model Context Protocol (MCP) server for .NET assembly and NuGet package inspection
TUUI - Tool Unitary User Interface
A desktop MCP client for tool integration and cross-vendor LLM API orchestration.
Interactive Feedback MCP
An MCP server for AI-assisted development tools like Cursor and Claude, supporting interactive feedback workflows with AI.
ENC Charts MCP Server
Programmatically access and parse NOAA Electronic Navigational Charts (ENC) in S-57 format.
claude-session-continuity-mcp
Zero-config session continuity for Claude Code. Auto-captures context via Claude Hooks, provides 24 tools for memory, tasks, solutions, and knowledge graph. Multilingual semantic search (94+ languages).