Cyber For AI Notes

[Lecture] MCP Security

MCP Architecture. Threats associated with MCP. Malicious MCP Servers.

June 20, 2026

Model Context Protocol (MCP)

Architecture

  • Host — the AI application itself (e.g. Claude Desktop).
  • Client — a component within the host that handles communication via the MCP protocol.
  • Server — exposes tools and data from external sessions to the host.

Three Primitives Servers Can Expose

  • Tools — executable actions such as file operations, API calls, and database queries.
  • Resources — readable content such as file contents and data sources.
  • Prompts — reusable templates for structured interaction with the language model.
# Pseudo Code — MCP Client Initialisation
async with stdio_client(server_config) as (read, write):
    async with ClientSession(read, write) as session:
        init_response = await session.initialize()
        if init_response.capabilities.tools:
            app.register_mcp_server(session, supports_tools=True)
        app.set_server_ready(session)

MCP Security Risks

Authorization is AI-Mediated

  • The AI application holds the credential, and the AI itself decides when to invoke a tool — user approval becomes UX-dependent rather than enforced.
  • Once connected to an MCP server, the connection is already established and active; there is no per-action authorisation gate by default.

Local MCP Servers are Arbitrary Code Execution

  • A local MCP server is effectively arbitrary code execution with a friendly name — it has direct access to the endpoint it runs on.
  • MCP security is fundamentally a governance problem, not just a configuration one.

MCP Governance Controls

What Good Governance Looks Like

  • Run MCP servers in a sandbox environment with no local system access and no access to secrets or API credentials.
  • Maintain a policy that only allows approved MCP servers and providers.
  • Review the approved server list every few months to remove stale or unnecessary connections.
  • Use MCP Inspector to audit and inspect MCP server behaviour during development and testing.

Pickle is Code Execution, Not a Data Format

Why Pickle Files Are Dangerous

  • Pickle is not a safe data format — it is code execution. Any model that triggers REDUCE with attacker-controlled callables can execute arbitrary code during loading, before inference, before validation, and without any explicit user action.
  • Safe ML pipelines treat model files as untrusted binaries, not data. Never assume a downloaded model file is safe to load directly.

Safe Model Loading Practices

  • Always download models from a trusted source.
  • Before loading, scan the model file using modelscan and picklescan.
  • Run local models inside a sandbox environment.
picklescan filename
modelscan filename
./run_sandboxed.sh models/modelname

Scanning Tools

PickleScan

  • Built by Hugging Face specifically for Python's pickle ecosystem, targeting .pkl, .bin, .pt, and standard PyTorch archive wrappers.
  • Optimised for repository platforms and rapid triage — it is widely used as an automatic initial check when developers upload new models to the Hugging Face Hub.

ModelScan

  • Developed by Protect AI as a multi-format framework scanner. It handles Python pickles as well as non-pickle formats including TensorFlow SavedModel, Keras .h5, NumPy .npy, Sklearn, and XGBoost.
  • Built with enterprise DevSecOps pipelines in mind — integrates into Git Actions or automated pipelines as a flexible Python SDK or CLI tool, outputting rich machine-readable JSON reports.

Cross-Site Scripting (XSS) in AI Contexts

How XSS Arises from Model Output

  • XSS occurs when untrusted data is included in a web page without proper validation or escaping, allowing malicious scripts to execute in the victim's browser.
  • When a model generates HTML or code that is rendered directly in a webpage, that output becomes an XSS vector.
  • Users can also be phished by copying content from the internet that contains malicious HTML or Markdown, which is then saved into a personal database and later rendered.

Mitigations

  • Sanitise all HTML before rendering it in the browser.
  • Treat all model output as untrusted — validate and escape it before it reaches the frontend.