Glyph
MCP security scanner โ finds tool poisoning, credential leaks, and insecure transports in AI agent configurations.
๐ฎ Glyph โ MCP Security Scanner & Runtime Proxy
Read the runes before your agent steps on them.
Dual-mode MCP security platform. Scan configurations statically + protect traffic at runtime. 83% detection on research attack corpus. 100% on real-world CVEs. Zero false positives.
What It Is
Glyph guards your MCP infrastructure through two complementary approaches:
๐ Static Analysis (glyph scan) โ Deep security scan of MCP configuration files
๐ก๏ธ Runtime Protection (glyph proxy) โ Live interception and sanitization of MCP traffic
Static finds the vulnerabilities. Runtime stops the exploits. Together, they create comprehensive MCP security.
Quick Start
# Install
pip install glyph-scan
# Static scan โ analyze config files
glyph scan ~/.config/claude/claude_desktop_config.json
# Runtime protection โ proxy live traffic
glyph baseline create config.json # Create security baseline
glyph proxy config.json --baseline baseline.json
Results in seconds. No cloud API required. No account needed.
Detection Engine
14 Security Rules โ 7 static + 7 runtime
Static Rules (Configuration Analysis)
| Rule | Detects | Severity |
|---|---|---|
| Prompt Injection | Instruction overrides, hidden behavior, <IMPORTANT> tags, evasion techniques | CRITICAL/HIGH |
| Semantic Poisoning | Tool descriptions semantically similar to known attacks (ONNX embeddings) | HIGH/MEDIUM |
| Data Exfiltration | Hidden data transfers, conversation exfil, external uploads | CRITICAL/HIGH |
| Credential Exposure | Hardcoded API keys, tokens, secrets in configs | CRITICAL/HIGH |
| Command Injection | Shell execution, reverse shells, command substitution | CRITICAL/HIGH |
| Tool Poisoning | Hidden unicode, base64 payloads, HTML obfuscation | HIGH |
| Transport Security | Unencrypted HTTP transport (not HTTPS) | HIGH/MEDIUM |
Runtime Rules (Live Traffic Analysis)
| Rule | Detects | Severity |
|---|---|---|
| ANSI Injection | Terminal manipulation, screen clearing, fake output | HIGH |
| Response Poisoning | Prompt injection in responses, hidden instructions, data exfil commands | CRITICAL/HIGH |
| State Bleeding | Credential leaks, PII exposure, cross-tool data contamination | HIGH |
| Rug Pull | Tool definition changes, new tools added silently, privilege escalation | CRITICAL |
| Tool Shadowing | Homoglyph attacks, typosquatting, namespace collisions | HIGH |
| Cross-Tool Correlation | Multi-step attack chains, reconโexfil patterns | HIGH |
| Anomaly Detection | Statistical outliers, unicode obfuscation, steganography | MEDIUM |
Battle-Tested Results
Real-world validation against actual exploits:
โ
marmelab/mcp-vulnerability โ Prompt injection + cross-tool hijacking PoC
โ
Invariant Labs GitHub MCP โ Issue description data exfiltration
โ
Anthropic Git MCP RCE โ Command injection via git config manipulation
โ
WhatsApp MCP Exfil โ Hidden message backup to external endpoint
โ
ToolHijacker Academic โ Biased tool selection manipulation
Detection Stats:
- 83% detection rate on 23-vector research attack corpus
- 100% detection rate on real-world CVE patterns
- 0 false positives on legitimate tool descriptions
- 197 test cases passing
Not synthetic benchmarks. Real exploits that target real MCP deployments.
Usage
Static Scanning
# Scan a single config
glyph scan ~/.config/claude/claude_desktop_config.json
# JSON output for CI/CD
glyph scan config.json --format json
# Filter by severity
glyph scan config.json --severity critical
# List all detection rules
glyph rules list
Runtime Protection
# 1. Create security baseline (approved tool definitions)
glyph baseline create config.json --output baseline.json
# 2. Run as security proxy
glyph proxy config.json --baseline baseline.json
# 3. Manage quarantined responses
glyph quarantine list
glyph quarantine release <id>
# 4. Analyze traffic logs
glyph traffic list
glyph traffic search "suspicious"
glyph traffic stats
Runtime Flow:
- Client connects to Glyph proxy
- Proxy establishes upstream connection to real MCP server
- Proxy scans tool definitions against baseline (rug pull detection)
- Client tool calls โ Proxy โ Security rules โ Server
- Server response โ Proxy โ Security rules + ANSI sanitization โ Client
- Suspicious responses quarantined for review
Example Output
๐ฎ Glyph v0.3.0 โ MCP Security Scanner & Runtime Proxy
Scanning: config.json (3 servers, 12 tools)
โโโ Findings โโโ
๐ด CRITICAL: Semantic poisoning detected
Rule: semantic-poisoning (confidence: 0.94)
Location: tool "helper" in server "utils"
Similarity: 94% match to known prompt injection pattern
Fix: Review tool description for hidden instructions
๐ด CRITICAL: Data exfiltration pattern
Rule: data-exfiltration
Location: tool "email_sender" in server "comms"
Pattern: Hidden BCC to external domain
Fix: Remove hardcoded recipient addresses
๐ก HIGH: Hardcoded API key
Rule: credential-exposure
Location: server "openai-tools"
Fix: Use ${OPENAI_API_KEY} environment variable
โโโ Summary โโโ
Scanned: 1 config, 3 servers, 12 tools
Findings: 2 critical, 1 high, 0 medium, 0 low
Status: FAIL (CRITICAL findings detected)
How It Compares
| Feature | Glyph | Invariant mcp-scan | Cisco mcp-scanner | Snyk agent-scan |
|---|---|---|---|---|
| Privacy | Fully local | Cloud analysis | Local | Phone-home |
| ML Analysis | ONNX (local) | Proprietary | LLM API required | Cloud |
| Account Required | No | No | No | Yes |
| Live Protection | stdio + HTTP/SSE | stdio only | stdio only | Config only |
| Detection Rules | 14 (static + runtime) | 3 | 4 | 2 |
| Real-world Validation | 5 CVE patterns | Synthetic only | Unknown | Proprietary |
| Runtime Quarantine | Yes | No | No | No |
| Configuration Pinning | Yes | No | No | No |
Architecture
โโโโโโโโโโโโโโโ JSON-RPC โโโโโโโโโโโโโโโ JSON-RPC โโโโโโโโโโโโโโโ
โ Client โ โโโโโโโโโโ โGlyph Proxy โ โโโโโโโโโโ โ MCP Server โ
โ (Claude AI) โ โ โ โ (Tools) โ
โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ
โ
โโโโโโโโโผโโโโโโโโ
โ โ โ
โโโโโโโโโผโโโ โโโโผโโโโ โโโผโโโโโโโโโโ
โStatic โ โRuntimeโ โQuarantine โ
โEngine โ โRules โ โSystem โ
โ(7 rules) โ โ(7 rules)โ โ(SQLite) โ
โโโโโโโโโโโโ โโโโโโโโโ โโโโโโโโโโโโโ
Static Engine โ Analyze configurations for known vulnerabilities
Runtime Rules โ Real-time traffic analysis and threat detection
Quarantine System โ Safe storage and review of suspicious responses
ONNX Semantic Analysis โ ML-powered intent detection via embeddings
Security Notice
โ ๏ธ Runtime scanning spawns processes defined in config files. A malicious config can contain arbitrary commands. Static scanning is safe (JSON parsing only).
# Safe: static configuration analysis
glyph scan config.json
# Caution: live server connections (spawns processes)
glyph proxy config.json --baseline baseline.json
# Sandboxed live scanning (recommended for untrusted configs)
docker run --rm -v $(pwd):/scan glyph proxy /scan/config.json --baseline /scan/baseline.json
Development
git clone https://github.com/HaseebKhalid1507/glyph.git
cd glyph
pip install -e ".[dev]"
pytest tests/ -v
Project Stats:
- 10,074 lines of code
- 197 test cases
- 83% detection rate on adversarial research corpus
- 14 detection rules (7 static + 7 runtime)
- 0 external dependencies for core scanning
Exit Codes
| Code | Result |
|---|---|
0 | Clean scan โ no findings |
1 | Findings detected |
2 | Critical findings detected |
Roadmap
- Browser Extension โ scan MCP configs in Claude Desktop GUI
- GitHub Action โ automated PR scanning for MCP configurations
- SARIF Output โ security tool integration (SonarQube, CodeQL)
- WebSocket Transport โ support for WebSocket-based MCP servers
- Enterprise Dashboard โ centralized security monitoring
Contributing
Found a new MCP attack pattern? Open an issue with details.
Want to add detection rules? PRs welcome.
Need enterprise features? Let's talk.
Author
Built by Haseeb Khalid โ security engineer, agent builder, rune reader.
License
MIT โ scan freely, secure confidently.
Related Servers
Scout Monitoring MCP
sponsorPut performance and error data directly in the hands of your AI assistant.
Alpha Vantage MCP Server
sponsorAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
OpenAPI2MCP
Converts OpenAPI specifications into MCP tools, enabling AI clients to interact with external APIs seamlessly.
MCP Java Decompiler Server
Decompile Java class files from file paths, package names, or JAR files using a JavaScript port of the CFR decompiler.
JavaScript Sandbox
Provides a secure JavaScript execution environment for running code snippets.
LastSaaS
SaaS boilerplate / starter kit: comprehensive, Stripe billing, product management, multi-tenant; agentic controls via MCP
Infisical
Manage secrets and environment variables with Infisical's official MCP server.
CocoaPods Package README
Retrieve README files and package information from CocoaPods.
Cashfree MCP Server
Integrate AI tools and agents with Cashfree's Payment Gateway, Payouts, and SecureID APIs.
Nexus MCP Bridge for VSCode
A bridge that connects Claude Desktop to your VSCode workspace, enabling local file system access.
evm-mcp
An MCP server that provides complete access to Ethereum Virtual Machine (EVM) JSON-RPC methods. Works with any EVM-compatible node provider including Infura, Alchemy, QuickNode, local nodes, and more.
Remote MCP Server (Authless)
An example of a remote MCP server without authentication, deployable on Cloudflare Workers.