Glyph

MCP security scanner — finds tool poisoning, credential leaks, and insecure transports in AI agent configurations.

GitHub

🔮 Glyph — MCP Security Scanner & Runtime Proxy

Read the runes before your agent steps on them.

PyPI License: MIT Python 3.10+ Tests GitHub

Dual-mode MCP security platform. Scan configurations statically + protect traffic at runtime. 83% detection on research attack corpus. 100% on real-world CVEs. Zero false positives.

What It Is

Glyph guards your MCP infrastructure through two complementary approaches:

🔍 Static Analysis (glyph scan) — Deep security scan of MCP configuration files
🛡️ Runtime Protection (glyph proxy) — Live interception and sanitization of MCP traffic

Static finds the vulnerabilities. Runtime stops the exploits. Together, they create comprehensive MCP security.

Quick Start

# Install
pip install glyph-scan

# Static scan — analyze config files
glyph scan ~/.config/claude/claude_desktop_config.json

# Runtime protection — proxy live traffic
glyph baseline create config.json  # Create security baseline
glyph proxy config.json --baseline baseline.json

Results in seconds. No cloud API required. No account needed.

Detection Engine

14 Security Rules — 7 static + 7 runtime

Static Rules (Configuration Analysis)

RuleDetectsSeverity
Prompt InjectionInstruction overrides, hidden behavior, <IMPORTANT> tags, evasion techniquesCRITICAL/HIGH
Semantic PoisoningTool descriptions semantically similar to known attacks (ONNX embeddings)HIGH/MEDIUM
Data ExfiltrationHidden data transfers, conversation exfil, external uploadsCRITICAL/HIGH
Credential ExposureHardcoded API keys, tokens, secrets in configsCRITICAL/HIGH
Command InjectionShell execution, reverse shells, command substitutionCRITICAL/HIGH
Tool PoisoningHidden unicode, base64 payloads, HTML obfuscationHIGH
Transport SecurityUnencrypted HTTP transport (not HTTPS)HIGH/MEDIUM

Runtime Rules (Live Traffic Analysis)

RuleDetectsSeverity
ANSI InjectionTerminal manipulation, screen clearing, fake outputHIGH
Response PoisoningPrompt injection in responses, hidden instructions, data exfil commandsCRITICAL/HIGH
State BleedingCredential leaks, PII exposure, cross-tool data contaminationHIGH
Rug PullTool definition changes, new tools added silently, privilege escalationCRITICAL
Tool ShadowingHomoglyph attacks, typosquatting, namespace collisionsHIGH
Cross-Tool CorrelationMulti-step attack chains, recon→exfil patternsHIGH
Anomaly DetectionStatistical outliers, unicode obfuscation, steganographyMEDIUM

Battle-Tested Results

Real-world validation against actual exploits:

marmelab/mcp-vulnerability — Prompt injection + cross-tool hijacking PoC
Invariant Labs GitHub MCP — Issue description data exfiltration
Anthropic Git MCP RCE — Command injection via git config manipulation
WhatsApp MCP Exfil — Hidden message backup to external endpoint
ToolHijacker Academic — Biased tool selection manipulation

Detection Stats:

  • 83% detection rate on 23-vector research attack corpus
  • 100% detection rate on real-world CVE patterns
  • 0 false positives on legitimate tool descriptions
  • 197 test cases passing

Not synthetic benchmarks. Real exploits that target real MCP deployments.

Usage

Static Scanning

# Scan a single config
glyph scan ~/.config/claude/claude_desktop_config.json

# JSON output for CI/CD
glyph scan config.json --format json

# Filter by severity
glyph scan config.json --severity critical

# List all detection rules
glyph rules list

Runtime Protection

# 1. Create security baseline (approved tool definitions)
glyph baseline create config.json --output baseline.json

# 2. Run as security proxy
glyph proxy config.json --baseline baseline.json

# 3. Manage quarantined responses
glyph quarantine list
glyph quarantine release <id>

# 4. Analyze traffic logs
glyph traffic list
glyph traffic search "suspicious"
glyph traffic stats

Runtime Flow:

  1. Client connects to Glyph proxy
  2. Proxy establishes upstream connection to real MCP server
  3. Proxy scans tool definitions against baseline (rug pull detection)
  4. Client tool calls → Proxy → Security rules → Server
  5. Server response → Proxy → Security rules + ANSI sanitization → Client
  6. Suspicious responses quarantined for review

Example Output

🔮 Glyph v0.3.0 — MCP Security Scanner & Runtime Proxy

Scanning: config.json (3 servers, 12 tools)

━━━ Findings ━━━

🔴 CRITICAL: Semantic poisoning detected
   Rule: semantic-poisoning (confidence: 0.94)
   Location: tool "helper" in server "utils" 
   Similarity: 94% match to known prompt injection pattern
   Fix: Review tool description for hidden instructions

🔴 CRITICAL: Data exfiltration pattern
   Rule: data-exfiltration
   Location: tool "email_sender" in server "comms"
   Pattern: Hidden BCC to external domain
   Fix: Remove hardcoded recipient addresses

🟡 HIGH: Hardcoded API key
   Rule: credential-exposure
   Location: server "openai-tools"
   Fix: Use ${OPENAI_API_KEY} environment variable

━━━ Summary ━━━
Scanned: 1 config, 3 servers, 12 tools
Findings: 2 critical, 1 high, 0 medium, 0 low
Status: FAIL (CRITICAL findings detected)

How It Compares

FeatureGlyphInvariant mcp-scanCisco mcp-scannerSnyk agent-scan
PrivacyFully localCloud analysisLocalPhone-home
ML AnalysisONNX (local)ProprietaryLLM API requiredCloud
Account RequiredNoNoNoYes
Live Protectionstdio + HTTP/SSEstdio onlystdio onlyConfig only
Detection Rules14 (static + runtime)342
Real-world Validation5 CVE patternsSynthetic onlyUnknownProprietary
Runtime QuarantineYesNoNoNo
Configuration PinningYesNoNoNo

Architecture

┌─────────────┐  JSON-RPC   ┌─────────────┐  JSON-RPC   ┌─────────────┐
│   Client    │ ←────────→  │Glyph Proxy  │ ←────────→  │ MCP Server  │
│ (Claude AI) │             │             │             │ (Tools)     │
└─────────────┘             └─────────────┘             └─────────────┘
                                    │
                            ┌───────┼───────┐
                            │       │       │
                    ┌───────▼──┐ ┌──▼───┐ ┌─▼─────────┐
                    │Static    │ │Runtime│ │Quarantine │
                    │Engine    │ │Rules  │ │System    │
                    │(7 rules) │ │(7 rules)│ │(SQLite)  │
                    └──────────┘ └───────┘ └───────────┘

Static Engine — Analyze configurations for known vulnerabilities
Runtime Rules — Real-time traffic analysis and threat detection
Quarantine System — Safe storage and review of suspicious responses
ONNX Semantic Analysis — ML-powered intent detection via embeddings

Security Notice

⚠️ Runtime scanning spawns processes defined in config files. A malicious config can contain arbitrary commands. Static scanning is safe (JSON parsing only).

# Safe: static configuration analysis  
glyph scan config.json

# Caution: live server connections (spawns processes)
glyph proxy config.json --baseline baseline.json

# Sandboxed live scanning (recommended for untrusted configs)
docker run --rm -v $(pwd):/scan glyph proxy /scan/config.json --baseline /scan/baseline.json

Development

git clone https://github.com/HaseebKhalid1507/glyph.git
cd glyph
pip install -e ".[dev]"
pytest tests/ -v

Project Stats:

  • 10,074 lines of code
  • 197 test cases
  • 83% detection rate on adversarial research corpus
  • 14 detection rules (7 static + 7 runtime)
  • 0 external dependencies for core scanning

Exit Codes

CodeResult
0Clean scan — no findings
1Findings detected
2Critical findings detected

Roadmap

  • Browser Extension — scan MCP configs in Claude Desktop GUI
  • GitHub Action — automated PR scanning for MCP configurations
  • SARIF Output — security tool integration (SonarQube, CodeQL)
  • WebSocket Transport — support for WebSocket-based MCP servers
  • Enterprise Dashboard — centralized security monitoring

Contributing

Found a new MCP attack pattern? Open an issue with details.
Want to add detection rules? PRs welcome.
Need enterprise features? Let's talk.

Author

Built by Haseeb Khalid — security engineer, agent builder, rune reader.

License

MIT — scan freely, secure confidently.

เซิร์ฟเวอร์ที่เกี่ยวข้อง