Glyph
MCP security scanner โ finds tool poisoning, credential leaks, and insecure transports in AI agent configurations.
๐ฎ Glyph โ MCP Security Scanner & Runtime Proxy
Read the runes before your agent steps on them.
Dual-mode MCP security platform. Scan configurations statically + protect traffic at runtime. 83% detection on research attack corpus. 100% on real-world CVEs. Zero false positives.
What It Is
Glyph guards your MCP infrastructure through two complementary approaches:
๐ Static Analysis (glyph scan) โ Deep security scan of MCP configuration files
๐ก๏ธ Runtime Protection (glyph proxy) โ Live interception and sanitization of MCP traffic
Static finds the vulnerabilities. Runtime stops the exploits. Together, they create comprehensive MCP security.
Quick Start
# Install
pip install glyph-scan
# Static scan โ analyze config files
glyph scan ~/.config/claude/claude_desktop_config.json
# Runtime protection โ proxy live traffic
glyph baseline create config.json # Create security baseline
glyph proxy config.json --baseline baseline.json
Results in seconds. No cloud API required. No account needed.
Detection Engine
14 Security Rules โ 7 static + 7 runtime
Static Rules (Configuration Analysis)
| Rule | Detects | Severity |
|---|---|---|
| Prompt Injection | Instruction overrides, hidden behavior, <IMPORTANT> tags, evasion techniques | CRITICAL/HIGH |
| Semantic Poisoning | Tool descriptions semantically similar to known attacks (ONNX embeddings) | HIGH/MEDIUM |
| Data Exfiltration | Hidden data transfers, conversation exfil, external uploads | CRITICAL/HIGH |
| Credential Exposure | Hardcoded API keys, tokens, secrets in configs | CRITICAL/HIGH |
| Command Injection | Shell execution, reverse shells, command substitution | CRITICAL/HIGH |
| Tool Poisoning | Hidden unicode, base64 payloads, HTML obfuscation | HIGH |
| Transport Security | Unencrypted HTTP transport (not HTTPS) | HIGH/MEDIUM |
Runtime Rules (Live Traffic Analysis)
| Rule | Detects | Severity |
|---|---|---|
| ANSI Injection | Terminal manipulation, screen clearing, fake output | HIGH |
| Response Poisoning | Prompt injection in responses, hidden instructions, data exfil commands | CRITICAL/HIGH |
| State Bleeding | Credential leaks, PII exposure, cross-tool data contamination | HIGH |
| Rug Pull | Tool definition changes, new tools added silently, privilege escalation | CRITICAL |
| Tool Shadowing | Homoglyph attacks, typosquatting, namespace collisions | HIGH |
| Cross-Tool Correlation | Multi-step attack chains, reconโexfil patterns | HIGH |
| Anomaly Detection | Statistical outliers, unicode obfuscation, steganography | MEDIUM |
Battle-Tested Results
Real-world validation against actual exploits:
โ
marmelab/mcp-vulnerability โ Prompt injection + cross-tool hijacking PoC
โ
Invariant Labs GitHub MCP โ Issue description data exfiltration
โ
Anthropic Git MCP RCE โ Command injection via git config manipulation
โ
WhatsApp MCP Exfil โ Hidden message backup to external endpoint
โ
ToolHijacker Academic โ Biased tool selection manipulation
Detection Stats:
- 83% detection rate on 23-vector research attack corpus
- 100% detection rate on real-world CVE patterns
- 0 false positives on legitimate tool descriptions
- 197 test cases passing
Not synthetic benchmarks. Real exploits that target real MCP deployments.
Usage
Static Scanning
# Scan a single config
glyph scan ~/.config/claude/claude_desktop_config.json
# JSON output for CI/CD
glyph scan config.json --format json
# Filter by severity
glyph scan config.json --severity critical
# List all detection rules
glyph rules list
Runtime Protection
# 1. Create security baseline (approved tool definitions)
glyph baseline create config.json --output baseline.json
# 2. Run as security proxy
glyph proxy config.json --baseline baseline.json
# 3. Manage quarantined responses
glyph quarantine list
glyph quarantine release <id>
# 4. Analyze traffic logs
glyph traffic list
glyph traffic search "suspicious"
glyph traffic stats
Runtime Flow:
- Client connects to Glyph proxy
- Proxy establishes upstream connection to real MCP server
- Proxy scans tool definitions against baseline (rug pull detection)
- Client tool calls โ Proxy โ Security rules โ Server
- Server response โ Proxy โ Security rules + ANSI sanitization โ Client
- Suspicious responses quarantined for review
Example Output
๐ฎ Glyph v0.3.0 โ MCP Security Scanner & Runtime Proxy
Scanning: config.json (3 servers, 12 tools)
โโโ Findings โโโ
๐ด CRITICAL: Semantic poisoning detected
Rule: semantic-poisoning (confidence: 0.94)
Location: tool "helper" in server "utils"
Similarity: 94% match to known prompt injection pattern
Fix: Review tool description for hidden instructions
๐ด CRITICAL: Data exfiltration pattern
Rule: data-exfiltration
Location: tool "email_sender" in server "comms"
Pattern: Hidden BCC to external domain
Fix: Remove hardcoded recipient addresses
๐ก HIGH: Hardcoded API key
Rule: credential-exposure
Location: server "openai-tools"
Fix: Use ${OPENAI_API_KEY} environment variable
โโโ Summary โโโ
Scanned: 1 config, 3 servers, 12 tools
Findings: 2 critical, 1 high, 0 medium, 0 low
Status: FAIL (CRITICAL findings detected)
How It Compares
| Feature | Glyph | Invariant mcp-scan | Cisco mcp-scanner | Snyk agent-scan |
|---|---|---|---|---|
| Privacy | Fully local | Cloud analysis | Local | Phone-home |
| ML Analysis | ONNX (local) | Proprietary | LLM API required | Cloud |
| Account Required | No | No | No | Yes |
| Live Protection | stdio + HTTP/SSE | stdio only | stdio only | Config only |
| Detection Rules | 14 (static + runtime) | 3 | 4 | 2 |
| Real-world Validation | 5 CVE patterns | Synthetic only | Unknown | Proprietary |
| Runtime Quarantine | Yes | No | No | No |
| Configuration Pinning | Yes | No | No | No |
Architecture
โโโโโโโโโโโโโโโ JSON-RPC โโโโโโโโโโโโโโโ JSON-RPC โโโโโโโโโโโโโโโ
โ Client โ โโโโโโโโโโ โGlyph Proxy โ โโโโโโโโโโ โ MCP Server โ
โ (Claude AI) โ โ โ โ (Tools) โ
โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ
โ
โโโโโโโโโผโโโโโโโโ
โ โ โ
โโโโโโโโโผโโโ โโโโผโโโโ โโโผโโโโโโโโโโ
โStatic โ โRuntimeโ โQuarantine โ
โEngine โ โRules โ โSystem โ
โ(7 rules) โ โ(7 rules)โ โ(SQLite) โ
โโโโโโโโโโโโ โโโโโโโโโ โโโโโโโโโโโโโ
Static Engine โ Analyze configurations for known vulnerabilities
Runtime Rules โ Real-time traffic analysis and threat detection
Quarantine System โ Safe storage and review of suspicious responses
ONNX Semantic Analysis โ ML-powered intent detection via embeddings
Security Notice
โ ๏ธ Runtime scanning spawns processes defined in config files. A malicious config can contain arbitrary commands. Static scanning is safe (JSON parsing only).
# Safe: static configuration analysis
glyph scan config.json
# Caution: live server connections (spawns processes)
glyph proxy config.json --baseline baseline.json
# Sandboxed live scanning (recommended for untrusted configs)
docker run --rm -v $(pwd):/scan glyph proxy /scan/config.json --baseline /scan/baseline.json
Development
git clone https://github.com/HaseebKhalid1507/glyph.git
cd glyph
pip install -e ".[dev]"
pytest tests/ -v
Project Stats:
- 10,074 lines of code
- 197 test cases
- 83% detection rate on adversarial research corpus
- 14 detection rules (7 static + 7 runtime)
- 0 external dependencies for core scanning
Exit Codes
| Code | Result |
|---|---|
0 | Clean scan โ no findings |
1 | Findings detected |
2 | Critical findings detected |
Roadmap
- Browser Extension โ scan MCP configs in Claude Desktop GUI
- GitHub Action โ automated PR scanning for MCP configurations
- SARIF Output โ security tool integration (SonarQube, CodeQL)
- WebSocket Transport โ support for WebSocket-based MCP servers
- Enterprise Dashboard โ centralized security monitoring
Contributing
Found a new MCP attack pattern? Open an issue with details.
Want to add detection rules? PRs welcome.
Need enterprise features? Let's talk.
Author
Built by Haseeb Khalid โ security engineer, agent builder, rune reader.
License
MIT โ scan freely, secure confidently.
Related Servers
Alpha Vantage MCP Server
sponsorAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
Kestra Python MCP Server
A Python implementation of a Model Context Protocol server for interacting with Kestra.
VibeLogin MCP
Add authentication to your app - no code, no config, never leave your IDE
Cargo MCP Server
Tools for managing Rust projects using the cargo command-line tool.
DeepADB
The deepest Android Debug Bridge MCP server โ 147 tools from UI to baseband.
Better Auth
Enterprise-grade authentication with secure credential management, multi-protocol support, and real-time threat detection.
MCP Docs Provider
Provides documentation context to LLMs from local markdown files via MCP.
Kubernetes Port Forward โ MCP Server
MCP server that provides tools for managing Kubernetes port-forwarding sessions.
Obsidian Claude Code
An Obsidian plugin that integrates Claude Code into your vaults via an MCP server.
MCP Proxy
A proxy server for MCP requests, supporting SSE and stdio transports.
SJ RedM MCP Server
A versatile MCP server for RedM development, providing access to RDR3 discoveries, framework documentation, native functions, and database operations.