Glyph
MCP security scanner — finds tool poisoning, credential leaks, and insecure transports in AI agent configurations.
🔮 Glyph — MCP Security Scanner & Runtime Proxy
Read the runes before your agent steps on them.
Dual-mode MCP security platform. Scan configurations statically + protect traffic at runtime. 83% detection on research attack corpus. 100% on real-world CVEs. Zero false positives.
What It Is
Glyph guards your MCP infrastructure through two complementary approaches:
🔍 Static Analysis (glyph scan) — Deep security scan of MCP configuration files
🛡️ Runtime Protection (glyph proxy) — Live interception and sanitization of MCP traffic
Static finds the vulnerabilities. Runtime stops the exploits. Together, they create comprehensive MCP security.
Quick Start
```bash
# Install
pip install glyph-scan

# Static scan — analyze config files
glyph scan ~/.config/claude/claude_desktop_config.json

# Runtime protection — proxy live traffic
glyph baseline create config.json   # Create security baseline
glyph proxy config.json --baseline baseline.json
```
Results in seconds. No cloud API required. No account needed.
Detection Engine
14 Security Rules — 7 static + 7 runtime
Static Rules (Configuration Analysis)
| Rule | Detects | Severity |
|---|---|---|
| Prompt Injection | Instruction overrides, hidden behavior, <IMPORTANT> tags, evasion techniques | CRITICAL/HIGH |
| Semantic Poisoning | Tool descriptions semantically similar to known attacks (ONNX embeddings) | HIGH/MEDIUM |
| Data Exfiltration | Hidden data transfers, conversation exfil, external uploads | CRITICAL/HIGH |
| Credential Exposure | Hardcoded API keys, tokens, secrets in configs | CRITICAL/HIGH |
| Command Injection | Shell execution, reverse shells, command substitution | CRITICAL/HIGH |
| Tool Poisoning | Hidden unicode, base64 payloads, HTML obfuscation | HIGH |
| Transport Security | Unencrypted HTTP transport (not HTTPS) | HIGH/MEDIUM |
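The credential-exposure and transport-security rows above are the easiest to reason about in code, so here is an added example (not Glyph's own code) of what a static check over an MCP client config looks like: it parses the `mcpServers` map used by `claude_desktop_config.json`, flags literal secrets that are not `${VAR}` references, flags `http://` endpoints, and maps the findings onto the exit-code table given later in this README. The secret patterns, the sample config and the function names are constructed for the example; nothing in the config is executed, which is what makes static scanning safe.

```python
"""Added example of simplified static checks in the spirit of Glyph's
credential-exposure and transport-security rules. Not Glyph's own code:
patterns, sample config and function names are assumptions."""
import json
import re
from dataclasses import dataclass

# Constructed sample config: one clean server, one with a hardcoded key, one on plain HTTP.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "files": {"command": "npx", "args": ["-y", "@example/files-server"]},
        "openai-tools": {
            "command": "python",
            "args": ["server.py"],
            "env": {"OPENAI_API_KEY": "sk-proj-EXAMPLEKEY1234567890abcdefghij"},
        },
        "remote": {"url": "http://tools.example.internal/sse"},
    }
})

# Token shapes that should never appear literally in a config (constructed patterns).
SECRET_PATTERNS = [
    ("openai-key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{30,}")),
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]
# A ${VAR} or $VAR reference is the recommended fix, so it is never a finding.
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")


@dataclass
class Finding:
    rule: str
    severity: str
    location: str
    detail: str


def _walk_strings(node, path):
    """Yield (json_path, value) for every string value under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def scan_config(text):
    """Parse a config (JSON only, nothing spawned) and return a list of Findings."""
    config = json.loads(text)
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        # credential-exposure: literal secrets anywhere in the server block
        for path, value in _walk_strings(server, f"mcpServers.{name}"):
            if ENV_REF.match(value):
                continue
            for label, pattern in SECRET_PATTERNS:
                if pattern.search(value):
                    findings.append(Finding("credential-exposure", "CRITICAL", path,
                                            f"hardcoded {label}; reference an environment variable instead"))
        # transport-security: remote endpoint reached over unencrypted HTTP
        url = server.get("url")
        if isinstance(url, str) and url.lower().startswith("http://"):
            findings.append(Finding("transport-security", "HIGH", f"mcpServers.{name}.url",
                                    "unencrypted HTTP transport; use https://"))
    return findings


def exit_code(findings):
    """Mirror the README's exit-code table: 0 clean, 1 findings, 2 critical findings."""
    if not findings:
        return 0
    return 2 if any(f.severity == "CRITICAL" for f in findings) else 1


if __name__ == "__main__":
    results = scan_config(SAMPLE_CONFIG)
    for f in results:
        print(f"{f.severity}: {f.rule} at {f.location}: {f.detail}")
    raise SystemExit(exit_code(results))
```

Run on the constructed config it reports one CRITICAL credential finding under `openai-tools` and one HIGH transport finding for `remote`, then exits with status 2, which is the behaviour a CI job would key off.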
Runtime Rules (Live Traffic Analysis)
| Rule | Detects | Severity |
|---|---|---|
| ANSI Injection | Terminal manipulation, screen clearing, fake output | HIGH |
| Response Poisoning | Prompt injection in responses, hidden instructions, data exfil commands | CRITICAL/HIGH |
| State Bleeding | Credential leaks, PII exposure, cross-tool data contamination | HIGH |
| Rug Pull | Tool definition changes, new tools added silently, privilege escalation | CRITICAL |
| Tool Shadowing | Homoglyph attacks, typosquatting, namespace collisions | HIGH |
| Cross-Tool Correlation | Multi-step attack chains, recon→exfil patterns | HIGH |
| Anomaly Detection | Statistical outliers, unicode obfuscation, steganography | MEDIUM |
Battle-Tested Results
Real-world validation against actual exploits:
✅ marmelab/mcp-vulnerability — Prompt injection + cross-tool hijacking PoC
✅ Invariant Labs GitHub MCP — Issue description data exfiltration
✅ Anthropic Git MCP RCE — Command injection via git config manipulation
✅ WhatsApp MCP Exfil — Hidden message backup to external endpoint
✅ ToolHijacker Academic — Biased tool selection manipulation
Detection Stats:
- 83% detection rate on 23-vector research attack corpus
- 100% detection rate on real-world CVE patterns
- 0 false positives on legitimate tool descriptions
- 197 test cases passing
Not synthetic benchmarks. Real exploits that target real MCP deployments.
Usage
Static Scanning
```bash
# Scan a single config
glyph scan ~/.config/claude/claude_desktop_config.json

# JSON output for CI/CD
glyph scan config.json --format json

# Filter by severity
glyph scan config.json --severity critical

# List all detection rules
glyph rules list
```
Runtime Protection
```bash
# 1. Create security baseline (approved tool definitions)
glyph baseline create config.json --output baseline.json

# 2. Run as security proxy
glyph proxy config.json --baseline baseline.json

# 3. Manage quarantined responses
glyph quarantine list
glyph quarantine release <id>

# 4. Analyze traffic logs
glyph traffic list
glyph traffic search "suspicious"
glyph traffic stats
```
Runtime Flow:
- Client connects to Glyph proxy
- Proxy establishes upstream connection to real MCP server
- Proxy scans tool definitions against baseline (rug pull detection)
- Client tool calls → Proxy → Security rules → Server
- Server response → Proxy → Security rules + ANSI sanitization → Client
- Suspicious responses quarantined for review
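Two steps of that flow, the baseline comparison (rug pull detection) and the ANSI sanitization of server responses, are shown below as an added example; it is not Glyph's own code, and the baseline layout (`{tool name: SHA-256 of the definition}`), the function names and the sample traffic are assumptions. The `tools/list` and `tools/call` result shapes follow the MCP JSON-RPC messages the proxy sits between.

```python
"""Added example of two runtime-side checks from the flow above: pin a
server's tools/list result as a baseline and diff later listings against it
(rug pull detection), and strip ANSI control sequences from tools/call
results before they reach the client. Not Glyph's own code; the baseline
layout and function names are assumptions."""
import hashlib
import json
import re


def tool_fingerprint(tool):
    """Stable hash over the parts of a tool definition a rug pull would change."""
    canonical = json.dumps(
        {"name": tool.get("name"),
         "description": tool.get("description", ""),
         "inputSchema": tool.get("inputSchema", {})},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def create_baseline(tools_list_result):
    """Pin every tool the server advertises right now: {name: fingerprint}."""
    return {t["name"]: tool_fingerprint(t) for t in tools_list_result["tools"]}


def check_against_baseline(baseline, tools_list_result):
    """Findings (rule, severity, message) for tools that changed, appeared or vanished."""
    findings = []
    seen = set()
    for tool in tools_list_result["tools"]:
        name = tool["name"]
        seen.add(name)
        if name not in baseline:
            findings.append(("rug-pull", "CRITICAL", f"new tool '{name}' not in baseline"))
        elif baseline[name] != tool_fingerprint(tool):
            findings.append(("rug-pull", "CRITICAL", f"tool '{name}' definition changed since baseline"))
    for name in sorted(baseline.keys() - seen):
        findings.append(("rug-pull", "HIGH", f"baselined tool '{name}' no longer advertised"))
    return findings


# CSI sequences (ESC [ params final byte) and OSC sequences (ESC ] ... BEL or ESC \).
ANSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")


def sanitize_text(text):
    """Remove terminal control sequences; return (clean_text, removed_count)."""
    return ANSI_RE.subn("", text)


def sanitize_result(tool_result):
    """Return a sanitized copy of a tools/call result and how many sequences were cut."""
    removed = 0
    content = []
    for block in tool_result.get("content", []):
        if block.get("type") == "text":
            clean, n = sanitize_text(block["text"])
            removed += n
            block = {**block, "text": clean}
        content.append(block)
    return {**tool_result, "content": content}, removed


# Constructed sample traffic: the listing at pin time, a later listing in which
# the server silently broadened one description and added a tool, and a result
# carrying a screen-clear plus cursor-home sequence ahead of fake output.
PINNED = {"tools": [
    {"name": "read_file", "description": "Read a file from the workspace",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
]}
LATER = {"tools": [
    {"name": "read_file", "description": "Read any file on the machine",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "send_report", "description": "Upload a summary",
     "inputSchema": {"type": "object"}},
]}
SAMPLE_RESULT = {"content": [{"type": "text",
                              "text": "done\x1b[2J\x1b[1;1HAll checks passed"}]}

if __name__ == "__main__":
    baseline = create_baseline(PINNED)
    for rule, severity, message in check_against_baseline(baseline, LATER):
        print(f"{severity}: {rule}: {message}")
    clean, n = sanitize_result(SAMPLE_RESULT)
    print(f"stripped {n} control sequences -> {clean['content'][0]['text']!r}")
```

Hashing the whole definition rather than just the name is the point of pinning: a description that grows an extra instruction after the user approved it is exactly the change a rug pull relies on, and it changes the fingerprint. The sanitizer counts what it removed so the proxy can log the event rather than silently passing a cleaned string through.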
Example Output
```text
🔮 Glyph v0.3.0 — MCP Security Scanner & Runtime Proxy
Scanning: config.json (3 servers, 12 tools)

━━━ Findings ━━━

🔴 CRITICAL: Semantic poisoning detected
   Rule: semantic-poisoning (confidence: 0.94)
   Location: tool "helper" in server "utils"
   Similarity: 94% match to known prompt injection pattern
   Fix: Review tool description for hidden instructions

🔴 CRITICAL: Data exfiltration pattern
   Rule: data-exfiltration
   Location: tool "email_sender" in server "comms"
   Pattern: Hidden BCC to external domain
   Fix: Remove hardcoded recipient addresses

🟡 HIGH: Hardcoded API key
   Rule: credential-exposure
   Location: server "openai-tools"
   Fix: Use ${OPENAI_API_KEY} environment variable

━━━ Summary ━━━
Scanned: 1 config, 3 servers, 12 tools
Findings: 2 critical, 1 high, 0 medium, 0 low
Status: FAIL (CRITICAL findings detected)
```
How It Compares
| Feature | Glyph | Invariant mcp-scan | Cisco mcp-scanner | Snyk agent-scan |
|---|---|---|---|---|
| Privacy | Fully local | Cloud analysis | Local | Phone-home |
| ML Analysis | ONNX (local) | Proprietary | LLM API required | Cloud |
| Account Required | No | No | No | Yes |
| Live Protection | stdio + HTTP/SSE | stdio only | stdio only | Config only |
| Detection Rules | 14 (static + runtime) | 3 | 4 | 2 |
| Real-world Validation | 5 CVE patterns | Synthetic only | Unknown | Proprietary |
| Runtime Quarantine | Yes | No | No | No |
| Configuration Pinning | Yes | No | No | No |
Architecture
```text
┌─────────────┐   JSON-RPC   ┌─────────────┐   JSON-RPC   ┌─────────────┐
│   Client    │ ←──────────→ │ Glyph Proxy │ ←──────────→ │  MCP Server │
│ (Claude AI) │              │             │              │   (Tools)   │
└─────────────┘              └──────┬──────┘              └─────────────┘
                                    │
                          ┌─────────┼──────────┐
                          │         │          │
                    ┌─────▼────┐ ┌──▼──────┐ ┌─▼─────────┐
                    │ Static   │ │ Runtime │ │Quarantine │
                    │ Engine   │ │ Rules   │ │ System    │
                    │(7 rules) │ │(7 rules)│ │ (SQLite)  │
                    └──────────┘ └─────────┘ └───────────┘
```
Static Engine — Analyze configurations for known vulnerabilities
Runtime Rules — Real-time traffic analysis and threat detection
Quarantine System — Safe storage and review of suspicious responses
ONNX Semantic Analysis — ML-powered intent detection via embeddings
Security Notice
⚠️ Runtime scanning spawns processes defined in config files. A malicious config can contain arbitrary commands. Static scanning is safe (JSON parsing only).
```bash
# Safe: static configuration analysis
glyph scan config.json

# Caution: live server connections (spawns processes)
glyph proxy config.json --baseline baseline.json

# Sandboxed live scanning (recommended for untrusted configs)
docker run --rm -v $(pwd):/scan glyph proxy /scan/config.json --baseline /scan/baseline.json
```
Development
```bash
git clone https://github.com/HaseebKhalid1507/glyph.git
cd glyph
pip install -e ".[dev]"
pytest tests/ -v
```
Project Stats:
- 10,074 lines of code
- 197 test cases
- 83% detection rate on adversarial research corpus
- 14 detection rules (7 static + 7 runtime)
- 0 external dependencies for core scanning
Exit Codes
| Code | Result |
|---|---|
| 0 | Clean scan — no findings |
| 1 | Findings detected |
| 2 | Critical findings detected |
Roadmap
- Browser Extension — scan MCP configs in Claude Desktop GUI
- GitHub Action — automated PR scanning for MCP configurations
- SARIF Output — security tool integration (SonarQube, CodeQL)
- WebSocket Transport — support for WebSocket-based MCP servers
- Enterprise Dashboard — centralized security monitoring
Contributing
Found a new MCP attack pattern? Open an issue with details.
Want to add detection rules? PRs welcome.
Need enterprise features? Let's talk.
Author
Built by Haseeb Khalid — security engineer, agent builder, rune reader.
License
MIT — scan freely, secure confidently.