|
1 | 1 | # MCP Security Checklist: A Security Guide for the AI Tool Ecosystem |
2 | 2 |
|
| 3 | +[](https://twitter.com/slowmist_team) |
| 4 | + |
| 5 | +[English Version](./README.md), |
| 6 | +[中文版本](./README_CN.md), |
| 7 | + |
3 | 8 | ## 📚 Table of Contents |
4 | 9 |
|
5 | 10 | - [Overview](#overview) |
|
12 | 17 |
|
13 | 18 | ## Overview |
14 | 19 |
|
15 | | -With the rapid development of large language models (LLMs), various new AI tools are continuously emerging. MCP (Model Context Protocol), a representative tool standard implementation, has become a critical bridge between large language models (LLMs) and external tools or data sources. Since its release at the end of 2024, MCP has been widely adopted in mainstream AI applications such as Claude Desktop and Cursor. Different MCP Server “stores” have also started to appear, showcasing a powerful ecosystem expansion capability. |
| 20 | +With the rapid development of large language models (LLMs), a variety of new AI tools have continued to emerge. Among them, tools based on the Model Context Protocol (MCP) standard have become a key bridge connecting LLMs with external tools and data sources. Since its release in late 2024, MCP has been widely adopted in mainstream AI applications such as Claude Desktop and Cursor. Various MCP Server marketplaces have also emerged, demonstrating strong ecosystem scalability. |
16 | 21 |
|
17 | | -However, the fast proliferation of MCP brings new security challenges. The current MCP architecture comprises three parts: **Host (the locally running AI application environment)**, **Client (the component that communicates with the Server and handles tool invocation)**, and **Server (the service side corresponding to the MCP plugin)**. Users interact with the AI via the Host; the Client parses user requests and forwards them to the MCP Server to perform tool calls or resource access. In scenarios where multiple instances and components collaborate, this architecture exposes a range of security risks, especially in sensitive contexts such as cryptocurrency transactions or LLM custom plugin adaptation. |
| 22 | +However, the rapid adoption of MCP has also introduced new security challenges. In the current MCP architecture, the system consists of three main components: the **Host** (the local environment where the AI application runs), the **Client** (responsible for communicating with the Server and invoking tools), and the **Server** (the backend service corresponding to an MCP plugin). Users interact with the AI through the Host, while the Client parses the user's request and forwards it to the MCP Server for tool invocation or resource access. In scenarios involving multiple instances and cross-component collaboration, this architecture exposes a range of security risks—especially in sensitive contexts such as cryptocurrency transactions or custom plugin integration with LLMs—where the potential for exploitation is even higher and requires appropriate security controls. |
18 | 23 |
|
19 | | -MCP’s swift adoption highlights the importance of a **comprehensive MCP Security Checklist**. This checklist covers security considerations from user interaction interfaces, client components, server plugins, and multi-MCP collaboration mechanisms to specialized fields (e.g., cryptocurrency). It aims to help developers systematically identify potential risks and address them promptly. By implementing these security measures, one can effectively enhance the overall stability and controllability of MCP systems, ensuring that while AI applications evolve rapidly, security also keeps pace. |
| 24 | +Against this backdrop, **establishing and following a comprehensive MCP Security Checklist becomes critically important**. This checklist covers key areas ranging from user interface interaction, client components, and service-side plugins, to multi-MCP collaboration mechanisms and domain-specific scenarios such as cryptocurrency integrations. It is designed to help developers systematically identify and mitigate potential risks. By implementing these security measures, the overall stability and controllability of MCP systems can be significantly enhanced, ensuring that security evolves in parallel with the rapid advancement of AI applications. |
20 | 25 |
|
21 | 26 | <p align="center"> |
22 | 27 | <img src="assets/mcp_risk_points_en.png" alt="MCP flow risk diagram" /> |
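Review bot: the two language links `[English Version](./README.md),` and `[中文版本](./README_CN.md),` both end in a comma and have no separator between them, so in rendered Markdown they collapse onto one line as "English Version, 中文版本," with a dangling trailing comma; drop the comma after the last link or separate them with ` | `. The badge line `[](https://twitter.com/slowmist_team)` has empty link text, which renders as a zero-width anchor that screen readers and keyboard users cannot identify; if it is meant to wrap a shield image, make sure the image and its alt text survive inside the brackets, otherwise give the link visible text such as `Twitter`. In the rewritten Overview, the last sentence of the architecture paragraph stacks two afterthoughts ("where the potential for exploitation is even higher and requires appropriate security controls") onto an already long sentence; splitting it into its own sentence and saying what is at stake in those contexts rather than asserting that the potential "is even higher" would make the risk clearer to the readers the checklist targets.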
@@ -63,7 +68,7 @@ This checklist is based on possible risk points encountered during our security |
63 | 68 |
|
64 | 69 | ### Deployment & Runtime Security |
65 | 70 |
|
66 | | -- [ ] **Isolation Environment:** ![High][high_img] Run server in isolated environments (containers, VMs, sandboxes) to prevent lateral movement attacks. |
| 71 | +- [ ] **Isolation Environment:** ![High][high_img] Server runs in an isolated environment (container, VM, or sandbox) to prevent escape and mitigate lateral movement attacks. |
67 | 72 | - [ ] **Container Security:** ![High][high_img] Adopt hardened container security configurations and run containers as non-root users. Employ immutable infrastructure and runtime protection. |
68 | 73 | - [ ] **Secure Boot:** ![Medium][medium_img] Validate service boot processes, implementing secure boot chains and integrity checks. |
69 | 74 | - [ ] **Environment Variable Security:** ![Medium][medium_img] Protect sensitive environment variables and ensure they are not exposed in logs. |
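Review bot: the rewritten Isolation Environment item switches to descriptive voice ("Server runs in an isolated environment ...") while the three items below it keep the imperative voice used throughout the checklist ("Adopt hardened ...", "Validate service boot ...", "Protect sensitive ..."), so the list now mixes two styles; keep the imperative, e.g. `Run the server in an isolated environment (container, VM, or sandbox)`. The new rationale "to prevent escape and mitigate lateral movement attacks" is also imprecise: the isolated environment is the boundary a compromised server would have to escape from, not a control that prevents escape by itself; escape resistance depends on how that boundary is hardened, which is what the Container Security item immediately below covers. Phrase this item in terms of containment instead, e.g. `so that a compromised server is contained and lateral movement is limited`, and leave the hardening of the boundary to the Container Security item rather than splitting one mitigation across two bullets.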
|