Research Paper: A Layered Risk and Controls Framework for Prompt Injection
Ten-layer decomposition of the enterprise AI tool execution path with threats, controls, and published efficacy at each layer.
An open-source CLI that fingerprints Model Context Protocol servers and flags behavior patterns associated with publicly disclosed vulnerability classes. Think nmap for MCP.
The OAuth server fronting Zomato's MCP endpoint rewrites the scope request and issues tokens labeled 'offline openid' that nonetheless call every MCP tool, including checkout_cart. The advertised mcp:tools / mcp:resources / mcp:prompts scopes are never enforced at the application layer.
An open-source CLI that queries NVD, OSV, GitHub Advisories, WPScan, Patchstack, CISA KEV, and Exploit-DB in parallel so you can check for duplicate findings before submitting a CVE.
Claude Code's Bash permission deny rules can be completely bypassed by writing denied commands into a script file and executing it. The parser evaluates only the script path, not its contents. Five explicitly denied commands executed and exfiltrated data to an external endpoint.
How a hidden HTML comment in a GitHub Gist caused Windsurf’s Cascade agent to read SSH keys and AWS credentials, then exfiltrate them to an attacker-controlled endpoint with …
Windsurf’s Cascade agent reads and writes files outside the workspace with zero confirmation, even with Auto Execution set to Disabled. The review prompt on writes is …
Empirical analysis of MCP configuration attacks in Claude Code with enterprise defensive architecture recommendations.
Comprehensive security risk assessment for organizations deploying Claude Desktop and Cowork in regulated environments, covering publicly disclosed vulnerabilities and independent …
The Claude Code remote-control session events endpoint lacks per-session authentication, enabling invisible remote command execution from any machine on the internet.
A malicious MCP server can misrepresent tool actions in Claude Code's confirmation prompt, causing users to approve a file read while the server silently executes system commands.
How the 'Use this and all future MCP servers' option grants permanent, unbounded trust to arbitrary MCP server definitions added after the initial consent.
How a one-time trust decision in Claude Code enables silent arbitrary command execution when .mcp.json is modified after initial approval.