Threat Model
What MCPTrust protects against (and what it doesn't)
We assume the following parties:
- Attacker: Can modify the MCP server source code, its dependencies, or the network traffic between the server and agent.
- Approver: The human or system authorized to review and sign lockfiles.
- Verifier: The automated system (CI/CD, Agent Runtime) that checks signatures.
In Scope (Protected)
- Dependency Injection: An attacker updates a dependency in the server that changes the tool schema to allow exfiltration. -> Detected by Diff.
- Prompt Injection via Description: An attacker changes the tool description to jailbreak the LLM. -> Detected by Diff.
- Bypassed Review: A developer commits changes to the server without updating the lockfile. -> Detected by Verify.
- Tampered Artifacts: An attacker modifies `mcp-lock.json` in transit. -> Detected by Verify.
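The following is an added illustration, not MCPTrust's own code, of how a signed lockfile gives you the Diff and Verify checks listed above: Diff reports which field of a tool moved (description vs. schema), Verify rejects a lockfile whose signature fails and a live server whose tool digests no longer match the pinned ones. The tool definitions, key and function names are constructed for the example, and HMAC-SHA256 stands in for whatever signature scheme the approver actually uses.

```python
import hashlib
import hmac
import json

# Constructed sample: the approved tool list and the approver's key (hypothetical, not MCPTrust data).
APPROVER_KEY = b"constructed-demo-key"
APPROVED_TOOLS = [{
    "name": "read_file",
    "description": "Read a text file from the workspace.",
    "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}},
}]


def canonical(obj) -> bytes:
    # Stable serialisation so the same definition always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tool_digest(tool) -> str:
    return hashlib.sha256(canonical(tool)).hexdigest()


def build_lockfile(tools, key) -> dict:
    # Approver step: pin every tool's digest, then sign the pinned set.
    # HMAC-SHA256 stands in for the real signature scheme in this example.
    body = {"tools": {t["name"]: tool_digest(t) for t in tools}}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": sig}


def diff(old_tools, new_tools) -> list:
    # Review step: report *which* field moved, so a description-only change
    # is as visible to the approver as a schema change.
    old = {t["name"]: t for t in old_tools}
    changes = []
    for t in new_tools:
        prev = old.get(t["name"])
        if prev is None:
            changes.append((t["name"], "added"))
            continue
        for field in ("description", "inputSchema"):
            if prev.get(field) != t.get(field):
                changes.append((t["name"], field))
    return changes


def verify(lockfile, live_tools, key) -> list:
    # Verifier step: signature first (tampered artifact), then digests (bypassed review).
    body = {k: v for k, v in lockfile.items() if k != "signature"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lockfile.get("signature", "")):
        return ["lockfile signature invalid"]
    live = {t["name"]: tool_digest(t) for t in live_tools}
    return [f"{n}: digest mismatch" for n in live if body["tools"].get(n) != live[n]]
```

A tool that appears on the live server but has no entry in the lockfile also comes back as a digest mismatch, which is the "bypassed review" case.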
Out of Scope (Not Protected)
- Runtime Implementation Changes: If the server code changes to do something malicious without changing the tool schema or description, MCPTrust cannot detect it. The exception is advanced usage: build the server deterministically and include the binary hash in the policy, so that the implementation itself is pinned.
- Compromised Private Key: If the attacker obtains the approver's signing key, they can sign arbitrary lockfiles and every Verify check will pass.