Show HN: MCP Security Suite

Hacker News (score: 18)

Found: August 14, 2025

ID: 861

Description

Other

Show HN: MCP Security Suite Hi HN!

We kept seeing devs get pwned through MCP tools in ways that security scanners completely miss. So we built an open-source analyzer to catch these attacks. Our first OSS by Mighty team.

The problem: At Defcon, we saw MCP exploits with 100% success rate against Claude and Llama. Three attack patterns:

Hidden Unicode in "error messages" - Paste a colleague's error into Claude, your SSH keys get exfiltrated Trusted tool updates - That database tool you've used for months? Last week's update added credential theft Tool redefinition - Malicious tool redefines "deploy to prod" to run attacker's script

Traditional scanners (CodeQL, SonarQube) catch <15% of these. They're looking for SQLi, not prompt injections hidden in tool descriptions.

What we built: git clone https://github.com/NineSunsInc/mighty-security

python analyzers/comprehensive_mcp_analyzer.py /path/to/your/mcp/tool

Scans for prompt injection, credential exfil, suspicious updates, tool shadowing. Runtime wrapper adds <10ms overhead. Fully local, no telemetry.

Why this matters: 43% of MCP tools have command injection vulns. GitHub's own MCP server was exploitable. We found Fortune 500s running database-connected MCP tools that hadn't been audited since installation. We went from paranoid code review to "AI said it works" in 18 months. The magic is real, but so are the vulnerabilities.

Demo: https://www.loom.com/share/e830c56d39254a788776358c5b03fdc3

GitHub: https://github.com/NineSunsInc/mighty-security

Would love feedback - what MCP security issues have you seen?

More from Hacker

Show HN: Tusk Drift – Turn production traffic into API tests

Show HN: Tusk Drift – Turn production traffic into API tests Hi HN! In the past few months my team and I have been working on Tusk Drift, a system that records real API traffic from your service, then replays those requests as deterministic tests. Outbound I/O (databases, HTTP calls, etc.) gets automatically mocked using the recorded data.Problem we're trying to solve: Writing API tests is tedious, and hand-written mocks drift from reality. We wanted tests that stay realistic because they come from real traffic.versus mocking libraries: Tools like VCR/Nock intercept HTTP within your tests. Tusk Drift records full request/response traces externally (HTTP, DB, Redis, etc.) and replays them against your running service, no test code or fixtures to write/maintain.How it works:1. Add a lightweight SDK (we currently support Python and Node.js)2. Record traffic in any environment.3. Run `tusk run`, the CLI sandboxes your service and serves mocks via Unix socketWe run this in CI on every PR. Also been using it as a test harness for AI coding agents, they can make changes, run `tusk run`, and get immediate feedback without needing live dependencies.Source: <a href="https://github.com/Use-Tusk/tusk-drift-cli" rel="nofollow">https://github.com/Use-Tusk/tusk-drift-cli</a>Demo: <a href="https://github.com/Use-Tusk/drift-node-demo" rel="nofollow">https://github.com/Use-Tusk/drift-node-demo</a>Happy to answer questions!

Show HN: Yolobox – Run AI coding agents with full sudo without nuking home dir

Sandbox: Run untrusted AI code safely, fast

Show HN: Bithoven – A high-level, imperative language for Bitcoin Smart Contract

Show HN: Bithoven – A high-level, imperative language for Bitcoin Smart Contract Hey HN! I’m a researcher working on Bitcoin smart contracts, and today I’m releasing Bithoven—a high-level imperative language that compiles to native Bitcoin Script (Legacy, SegWit, and Taproot).The Goal:Raw Bitcoin Script is notoriously difficult to reason about. Writing raw Bitcoin Script today feels like writing Assembly in the 1970s. You have to mentally juggle the stack (`OP_SWAP`, `OP_ROT`), manually manage distinct execution branches, and pray you didn't leave a stack item unconsumed (which crashes the script). My goal was to bridge the gap between complex contract logic and raw opcodes, allowing developers to write readable, compile-time-safe code.Key Features:- Imperative Syntax: Write logic using familiar if/else and return statements instead of mental stack juggling.- Type Safety: First-class support for bool, signature, string, and number types to prevent runtime errors.- Targeted Compilation: Support for Legacy, SegWit, and Taproot compilation targets.- Native Primitives: Built-in keywords for timelocks (older, after) and cryptography (sha256, checksig).You can try it in the browser here (runs via WASM): <a href="https://bithoven-lang.github.io/bithoven/ide/" rel="nofollow">https://bithoven-lang.github.io/bithoven/ide/</a>Here is an example of a Hashed Time-Locked Contract (HTLC):<pre><code> (condition: bool, sig_alice: signature) (condition: bool, preimage: string, sig_bob: signature) { if condition { // Relative locktime (Sequence) older 1000; return checksig (sig_alice, alice_pk); } else { // Hashlock verification verify sha256 sha256 preimage == hash; return checksig (sig_bob, bob_pk); } } </code></pre> The project is free open source and the academic paper is currently under review. I’d love to hear any feedback. Thanks for checking it out!

No other tools from this source yet.