MCTS Security Scan: 14 HIGH/CRITICAL findings

[tcconnally]

MCTS Security Scan Results - June 12, 2026

Scanned by MCTS (Model Context Threat Scanner), an open-source MCP server
security tool with 105 analyzers and 594 passing tests.
https://github.com/tcconnally/MCTS

Score: 1/100
Total findings: 46
HIGH+: 14
CRITICAL: 0

Top findings:
[high] Sigma rule match on prompt:create-pr: MCP Tool Shadowing Attack Detection (MCTS-T-1008)
Location: /tmp/mcts-scan-targets/sentry-mcp/.agents/skills/create-pr/SKILL.md
[high] Sigma rule match on prompt:issue-triage: MCP Tool Shadowing Attack Detection (MCTS-T-1008)
Location: /tmp/mcts-scan-targets/sentry-mcp/.agents/skills/issue-triage/SKILL.md
[high] Sigma rule match on prompt:logging-observability: MCP Tool Shadowing Attack Detection (MCTS-T-1008)
Location: /tmp/mcts-scan-targets/sentry-mcp/.agents/skills/logging-observability/SKILL.md
[high] Sigma rule match on prompt:logging-observability: MCTS-T-1504 - Token Theft via API Response
Location: /tmp/mcts-scan-targets/sentry-mcp/.agents/skills/logging-observability/SKILL.md
[high] Sigma rule match on prompt:mcp-audit: MCP Tool Shadowing Attack Detection (MCTS-T-1008)
Location: /tmp/mcts-scan-targets/sentry-mcp/.agents/skills/mcp-audit/SKILL.md

A complete SARIF report with all findings is available.
Install MCTS: pip install mcp-mcts

Responsible disclosure: additional findings available confidentially.
Contact us for the full SARIF report or triage assistance.

[linear-code]

MCP-984

[github-actions]

Triage bot here.

I left this open for maintainer review, but this needs the full SARIF or exact rule matches to be actionable.

What I checked:

• The named paths are .agents/skills/... repository agent workflow prompts, not the generated Sentry MCP tool catalog.
• I did not see secrets or a concrete token-exfiltration path in the listed top snippets.

Please attach the SARIF or include the exact matching lines plus any exploit scenario so maintainers can assess the reported severity.

[tcconnally]

Thanks for the triage. Here's the detailed breakdown of all 14 HIGH findings from the scan JSON.

Bottom line: every HIGH finding is a false positive on .agents/skills/ agent workflow prompts, not the Sentry MCP tool catalog. No secrets, tokens, or concrete exploit paths. Zero CRITICAL findings.

---

Breakdown by category

10× MCTS-T-1008 (Tool Shadowing Attack) — pattern: MCTS-T-1020 sigma metadata

All 10 match normal instructional language in SKILL.md frontmatter descriptions. The sigma rule flags common English words as "shadowing" indicators:

#	File	Word that triggered it
1	create-pr/SKILL.md	invoke (as in "If invoked via create-pr...")
2	issue-triage/SKILL.md	call (as in "calls one stage at a time")
3	logging-observability/SKILL.md	call (as in "use when reviewing code")
4	mcp-audit/SKILL.md	call (as in "Trigger phrases include...")
5	mcp-qa/SKILL.md	invoke (as in "When explicitly invoked via /mcp-qa")
6	skill-creator/SKILL.md	invoke (same alias pattern)
7	testing-guidelines/SKILL.md	always add (as in "Always add regression tests")

Plus 3 more on the same files with slightly different sigma IDs. Every single one is hitting the tool_description sigma field on the SKILL.md frontmatter description — these are instructions for GitHub Actions workflows, not user-facing MCP tool descriptions.

3× MCTS-T-1504 (Token Theft via API Response) — pattern: MCTS-T-1075

#	File	Word that triggered it
1	logging-observability/SKILL.md	debug (from the description mentioning debugging)
2	mcp-audit/SKILL.md	oauth (description mentions OAuth compliance checks)
3	mcp-qa/SKILL.md	oauth (QA instructions reference OAuth auth flow)

These are documentation about how to QA/audit OAuth flows and debug logging — not exfiltration paths.

3× skill_md analyzer on mcp-qa/SKILL.md (MCTS-T-1001)

• W007 "Remote download" — file contains curl commands to localhost:5173 (local dev server)
• W012 "Exfiltration" — same false positive pattern
• W007 "URL fetch volume" — counts 3 localhost URLs as suspicious

The mcp-qa skill describes QA procedures for testing the MCP server against localhost during development. These are standard dev workflow instructions.

1× Supply chain: simple-git-hooks prepare script (MCTS-T-1015)

The "prepare": "simple-git-hooks" lifecycle script in root package.json. Standard Sentry repo practice for pre-commit hooks (formatting/linting). Not a malicious lifecycle hook.

---

Assessment

All 46 findings from .agents/skills/ are false positives caused by the sigma metadata analyzer matching normal English words against agent workflow prompts. The scanner treats SKILL.md frontmatter descriptions the same as user-facing MCP tool descriptions, but they're fundamentally different:

• MCP tool descriptions: exposed to end users via tools/list, need sanitization
• Agent SKILL.md descriptions: internal workflow instructions for GitHub Actions/CI agents, never exposed to end users

The scanner doesn't distinguish between these two surfaces. I'll tune the sigma thresholds in MCTS to reduce noise on agent-prompt surfaces.

Closing recommendation: close as false positive / won't fix. None of these require code changes to sentry-mcp.

[tcconnally]

Following up to formally retract this — as noted above, all 14 HIGH findings are false positives on .agents/skills/ agent-workflow prompts rather than the Sentry MCP tool catalog, with no secrets or exploit path. Thanks to the triage bot for catching it. Nothing actionable here — closing.