Labsco
HaseebKhalid1507 logo

Glyph

from HaseebKhalid1507

MCP security scanner โ€” finds tool poisoning, credential leaks, and insecure transports in AI agent configurations.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedFreeNeeds API keys

๐Ÿ”ฎ Glyph โ€” MCP Security Scanner & Runtime Proxy

Read the runes before your agent steps on them.

PyPI License: MIT Python 3.10+ Tests GitHub

Dual-mode MCP security platform. Scan configurations statically + protect traffic at runtime. 83% detection on research attack corpus. 100% on real-world CVEs. Zero false positives.

What It Is

Glyph guards your MCP infrastructure through two complementary approaches:

๐Ÿ” Static Analysis (glyph scan) โ€” Deep security scan of MCP configuration files
๐Ÿ›ก๏ธ Runtime Protection (glyph proxy) โ€” Live interception and sanitization of MCP traffic

Static finds the vulnerabilities. Runtime stops the exploits. Together, they create comprehensive MCP security.


Detection Engine

14 Security Rules โ€” 7 static + 7 runtime

Static Rules (Configuration Analysis)

RuleDetectsSeverity
Prompt InjectionInstruction overrides, hidden behavior, <IMPORTANT> tags, evasion techniquesCRITICAL/HIGH
Semantic PoisoningTool descriptions semantically similar to known attacks (ONNX embeddings)HIGH/MEDIUM
Data ExfiltrationHidden data transfers, conversation exfil, external uploadsCRITICAL/HIGH
Credential ExposureHardcoded API keys, tokens, secrets in configsCRITICAL/HIGH
Command InjectionShell execution, reverse shells, command substitutionCRITICAL/HIGH
Tool PoisoningHidden unicode, base64 payloads, HTML obfuscationHIGH
Transport SecurityUnencrypted HTTP transport (not HTTPS)HIGH/MEDIUM

Runtime Rules (Live Traffic Analysis)

RuleDetectsSeverity
ANSI InjectionTerminal manipulation, screen clearing, fake outputHIGH
Response PoisoningPrompt injection in responses, hidden instructions, data exfil commandsCRITICAL/HIGH
State BleedingCredential leaks, PII exposure, cross-tool data contaminationHIGH
Rug PullTool definition changes, new tools added silently, privilege escalationCRITICAL
Tool ShadowingHomoglyph attacks, typosquatting, namespace collisionsHIGH
Cross-Tool CorrelationMulti-step attack chains, reconโ†’exfil patternsHIGH
Anomaly DetectionStatistical outliers, unicode obfuscation, steganographyMEDIUM

Battle-Tested Results

Real-world validation against actual exploits:

โœ… marmelab/mcp-vulnerability โ€” Prompt injection + cross-tool hijacking PoC
โœ… Invariant Labs GitHub MCP โ€” Issue description data exfiltration
โœ… Anthropic Git MCP RCE โ€” Command injection via git config manipulation
โœ… WhatsApp MCP Exfil โ€” Hidden message backup to external endpoint
โœ… ToolHijacker Academic โ€” Biased tool selection manipulation

Detection Stats:

  • 83% detection rate on 23-vector research attack corpus
  • 100% detection rate on real-world CVE patterns
  • 0 false positives on legitimate tool descriptions
  • 197 test cases passing

Not synthetic benchmarks. Real exploits that target real MCP deployments.


Example Output

๐Ÿ”ฎ Glyph v0.3.0 โ€” MCP Security Scanner & Runtime Proxy

Scanning: config.json (3 servers, 12 tools)

โ”โ”โ” Findings โ”โ”โ”

๐Ÿ”ด CRITICAL: Semantic poisoning detected
   Rule: semantic-poisoning (confidence: 0.94)
   Location: tool "helper" in server "utils" 
   Similarity: 94% match to known prompt injection pattern
   Fix: Review tool description for hidden instructions

๐Ÿ”ด CRITICAL: Data exfiltration pattern
   Rule: data-exfiltration
   Location: tool "email_sender" in server "comms"
   Pattern: Hidden BCC to external domain
   Fix: Remove hardcoded recipient addresses

๐ŸŸก HIGH: Hardcoded API key
   Rule: credential-exposure
   Location: server "openai-tools"
   Fix: Use ${OPENAI_API_KEY} environment variable

โ”โ”โ” Summary โ”โ”โ”
Scanned: 1 config, 3 servers, 12 tools
Findings: 2 critical, 1 high, 0 medium, 0 low
Status: FAIL (CRITICAL findings detected)

How It Compares

FeatureGlyphInvariant mcp-scanCisco mcp-scannerSnyk agent-scan
PrivacyFully localCloud analysisLocalPhone-home
ML AnalysisONNX (local)ProprietaryLLM API requiredCloud
Account RequiredNoNoNoYes
Live Protectionstdio + HTTP/SSEstdio onlystdio onlyConfig only
Detection Rules14 (static + runtime)342
Real-world Validation5 CVE patternsSynthetic onlyUnknownProprietary
Runtime QuarantineYesNoNoNo
Configuration PinningYesNoNoNo

Architecture

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  JSON-RPC   โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  JSON-RPC   โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚   Client    โ”‚ โ†โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ†’  โ”‚Glyph Proxy  โ”‚ โ†โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ†’  โ”‚ MCP Server  โ”‚
โ”‚ (Claude AI) โ”‚             โ”‚             โ”‚             โ”‚ (Tools)     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜             โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜             โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                                    โ”‚
                            โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
                            โ”‚       โ”‚       โ”‚
                    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ” โ”Œโ”€โ”€โ–ผโ”€โ”€โ”€โ” โ”Œโ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
                    โ”‚Static    โ”‚ โ”‚Runtimeโ”‚ โ”‚Quarantine โ”‚
                    โ”‚Engine    โ”‚ โ”‚Rules  โ”‚ โ”‚System    โ”‚
                    โ”‚(7 rules) โ”‚ โ”‚(7 rules)โ”‚ โ”‚(SQLite)  โ”‚
                    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Static Engine โ€” Analyze configurations for known vulnerabilities
Runtime Rules โ€” Real-time traffic analysis and threat detection
Quarantine System โ€” Safe storage and review of suspicious responses
ONNX Semantic Analysis โ€” ML-powered intent detection via embeddings


Security Notice

โš ๏ธ Runtime scanning spawns processes defined in config files. A malicious config can contain arbitrary commands. Static scanning is safe (JSON parsing only).

# Safe: static configuration analysis  
glyph scan config.json

# Caution: live server connections (spawns processes)
glyph proxy config.json --baseline baseline.json

# Sandboxed live scanning (recommended for untrusted configs)
docker run --rm -v $(pwd):/scan glyph proxy /scan/config.json --baseline /scan/baseline.json

Development

git clone https://github.com/HaseebKhalid1507/glyph.git
cd glyph
pip install -e ".[dev]"
pytest tests/ -v

Project Stats:

  • 10,074 lines of code
  • 197 test cases
  • 83% detection rate on adversarial research corpus
  • 14 detection rules (7 static + 7 runtime)
  • 0 external dependencies for core scanning

Exit Codes

CodeResult
0Clean scan โ€” no findings
1Findings detected
2Critical findings detected

Roadmap

  • Browser Extension โ€” scan MCP configs in Claude Desktop GUI
  • GitHub Action โ€” automated PR scanning for MCP configurations
  • SARIF Output โ€” security tool integration (SonarQube, CodeQL)
  • WebSocket Transport โ€” support for WebSocket-based MCP servers
  • Enterprise Dashboard โ€” centralized security monitoring

Author

Built by Haseeb Khalid โ€” security engineer, agent builder, rune reader.