Catch the over-permissioned MCP server before it ships
MCP servers extend a coding agent's reach to your files, shells and APIs. The guard flags the shell-launched, broadly-mounted and over-scoped ones — getting ahead of the fastest-growing risk in AI-assisted development.
❯ cdxai mcp scan
scanning 4 configured MCP servers…
✓ github        stdio   scope: repo         ok
✓ postgres      stdio   scope: read-only    ok
✗ filesystem    stdio   mount: /            [HIGH]
    reason: broadly-mounted — can read anything
✗ tools-helper  shell-launched              [HIGH]
    reason: spawned via /bin/sh -c — opaque
2 findings → console issues (severity-scored)
no server payloads leave the device
The risk
A new dependency risk, with no review
An MCP server is third-party code that runs with the agent's reach. Installing one is a one-line config change — with none of the scrutiny a normal dependency gets.
Shell-launched servers
A tool-server started through a raw shell command can do far more than its advertised purpose — and hides what it actually runs.
Broad mounts
A server mounted at / or your home directory can read anything the agent can — a wide-open path to secrets and source.
Over-permissioned scope
Servers granted more capability than the task needs become a standing liability the moment they're compromised or misused.
Mechanics
How MCP risk detection works
Read the configs
Building on the dev-machine inventory, the guard parses every MCP server configuration on the device — how it launches and what it can touch.
Evaluate the risk
Each server is checked against risk heuristics: shell-launch, mount breadth, and permission scope versus its declared purpose.
Flag & explain
Risky servers are surfaced with the specific reason — shell-launched, broadly-mounted or over-permissioned — not just a yes/no.
Route to the Console
Findings become severity-scored Console issues so security can triage the agentic supply chain alongside everything else.
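The read-evaluate-flag flow above, as an added example that is not cdxai's own code: a small checker that parses a constructed config in the `mcpServers` JSON layout several MCP clients use, applies the three heuristics (shell launcher, mount breadth, credentials beyond a declared scope), and emits severity-tagged findings. The `SAMPLE_POLICY` declared-scope map and the secret-variable pattern are assumptions made for the example.

```python
import json
import re
from pathlib import PurePosixPath

# Heuristics modelled on the three signals described on this page (constructed,
# not cdxai's own rules). Launchers that hide the real command behind "-c":
SHELLS = {"sh", "bash", "zsh", "dash", "fish", "cmd.exe", "powershell", "pwsh"}
HOME_PARENTS = {"/home", "/Users", "/root"}      # a child of these is a home dir
SECRET_ENV = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY)$", re.I)

def is_shell_launched(command: str) -> bool:
    """True when the launcher is a shell, so the real command is opaque."""
    return PurePosixPath(command).name.lower() in SHELLS

def is_broad_mount(path: str) -> bool:
    """True for /, a home directory, or the directory holding home directories."""
    p = PurePosixPath(path.replace("$HOME", "~"))
    return str(p) in {"/", "~", *HOME_PARENTS} or str(p.parent) in HOME_PARENTS

def scan(config: dict, policy: dict) -> list:
    """Apply the heuristics to every entry under mcpServers; return findings."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        cmd, args, env = spec.get("command", ""), spec.get("args", []), spec.get("env", {})
        allowed = policy.get(name, set())        # declared scope for this server
        if is_shell_launched(cmd):
            findings.append((name, "HIGH", f"shell-launched via {cmd}: real command is opaque"))
        for a in args:
            if a.startswith(("/", "~", "$HOME")) and is_broad_mount(a):
                findings.append((name, "HIGH", f"broadly-mounted at {a}: can read anything"))
        secrets = [k for k in env if SECRET_ENV.search(k)]
        if secrets and "credentials" not in allowed:
            findings.append((name, "MEDIUM", f"over-permissioned: holds {secrets} "
                                             f"but declared scope is {sorted(allowed)}"))
    return findings

# Constructed sample config in the mcpServers layout; package names are placeholders.
SAMPLE_CONFIG = json.loads("""{
  "mcpServers": {
    "github":       {"command": "npx", "args": ["-y", "@example/mcp-github"],
                     "env": {"GITHUB_TOKEN": "<redacted>"}},
    "postgres":     {"command": "npx", "args": ["-y", "@example/mcp-postgres", "--read-only"]},
    "filesystem":   {"command": "npx", "args": ["-y", "@example/mcp-filesystem", "/"]},
    "tools-helper": {"command": "/bin/sh", "args": ["-c", "cd /opt/tools && ./helper"]}
  }
}""")
# Constructed declared-scope policy: what each server is allowed to hold.
SAMPLE_POLICY = {"github": {"repo", "credentials"}, "postgres": {"read-only"}}

if __name__ == "__main__":
    for server, severity, reason in scan(SAMPLE_CONFIG, SAMPLE_POLICY):
        print(f"[{severity}] {server}: {reason}")
```

Run against the sample, it reproduces the two HIGH findings shown in the terminal capture above (filesystem mounted at /, tools-helper started via /bin/sh -c) and passes github and postgres.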
Inside the capability
What the guard flags
Concrete, explainable MCP risk signals — informed by real-world analysis of how tool-servers go wrong.
Shell-launched
Servers spawned via a shell, where the real command is obscured and arbitrary execution is one edit away.
Broadly-mounted
Servers with filesystem access far wider than the job requires — root, home, or whole-repo mounts.
Over-permissioned
Servers handed more scope (write, network, credentials) than their stated function needs.
Explainable findings
Every flag names the specific risk and the server, so triage is fast and the fix is obvious.
Inventory-correlated
Tied to the device and developer from shadow-AI discovery — you see who's running what, where.
Pairs with inspection
At runtime, action-authz can also gate which MCP servers a tool call may invoke — detection plus enforcement.
Outcomes
What you get
- The agentic supply chain treated like a real dependency surface
- Over-permissioned and shell-launched servers flagged before they cause harm
- Clear, explainable reasons for every MCP finding
- Severity-scored Console issues for triage and evidence
- Correlation back to the developer and device that configured it
- A bridge from discovery to runtime enforcement via action-authz