MCP-Security-Checklist by slowmist

Security checklist for AI tool ecosystems using Model Context Protocol (MCP)

created 3 months ago
666 stars

Top 51.5% on sourcepulse

Project Summary

This document provides a comprehensive security checklist for the Model Context Protocol (MCP), a standard for connecting Large Language Models (LLMs) with external tools and data sources. It is targeted at developers and security professionals working with MCP-based AI tools, aiming to mitigate risks associated with LLM plugin ecosystems, especially in sensitive applications like cryptocurrency transactions.

How It Works

The checklist systematically addresses security concerns across the MCP architecture, which comprises the Host (AI application environment), Client (communication handler), and Server (plugin backend). It categorizes risks into areas like MCP Server security (API, authentication, runtime), Client/Host security (user interaction, local storage), LLM adaptation, multi-MCP scenarios, and cryptocurrency-specific considerations. Each item is prioritized with indicators for recommended, strongly recommended, and mandatory actions.

Quick Start & Requirements

This is a checklist and guide, not a software package. No installation or runtime requirements are specified.

Highlighted Details

  • Covers a broad spectrum of security concerns from API validation and credential management to prompt injection defense and multi-modal content filtering.
  • Includes specific guidance for cryptocurrency-related MCPs, emphasizing private key protection and wallet information privacy.
  • Details security considerations for multi-MCP environments, addressing function priority hijacking and cross-MCP function call control.
  • References academic research on MCP security threats and future directions.

Maintenance & Community

Maintained by SlowMist, a global leader in blockchain threat intelligence. FENZ.AI is acknowledged for contributions.

Licensing & Compatibility

No license information is provided in the README.

Limitations & Caveats

The document notes that no official store currently audits MCP plugins, highlighting a significant risk for users installing third-party plugins. It also mentions that LLM backends can vary in their MCP execution logic, requiring careful adaptation.

Health Check

Last commit: 3 months ago
Responsiveness: Inactive
Pull Requests (30d): 0
Issues (30d): 0
Star History: 238 stars in the last 90 days
