🔮 Glyph — MCP Security Scanner & Runtime Proxy

Read the runes before your agent steps on them.

Dual-mode MCP security platform. Scan configurations statically + protect traffic at runtime. 83% detection on research attack corpus. 100% on real-world CVEs. Zero false positives.

What It Is

Glyph guards your MCP infrastructure through two complementary approaches:

🔍 Static Analysis (glyph scan) — Deep security scan of MCP configuration files
🛡️ Runtime Protection (glyph proxy) — Live interception and sanitization of MCP traffic

Static finds the vulnerabilities. Runtime stops the exploits. Together, they create comprehensive MCP security.

---

Quick Start

# Install
pip install glyph-scan

# Static scan — analyze config files
glyph scan ~/.config/claude/claude_desktop_config.json

# Runtime protection — proxy live traffic
glyph baseline create config.json  # Create security baseline
glyph proxy config.json --baseline baseline.json

Results in seconds. No cloud API required. No account needed.

---

Detection Engine

14 Security Rules — 7 static + 7 runtime

Static Rules (Configuration Analysis)

Rule	Detects	Severity
Prompt Injection	Instruction overrides, hidden behavior, <IMPORTANT> tags, evasion techniques	CRITICAL/HIGH
Semantic Poisoning	Tool descriptions semantically similar to known attacks (ONNX embeddings)	HIGH/MEDIUM
Data Exfiltration	Hidden data transfers, conversation exfil, external uploads	CRITICAL/HIGH
Credential Exposure	Hardcoded API keys, tokens, secrets in configs	CRITICAL/HIGH
Command Injection	Shell execution, reverse shells, command substitution	CRITICAL/HIGH
Tool Poisoning	Hidden unicode, base64 payloads, HTML obfuscation	HIGH
Transport Security	Unencrypted HTTP transport (not HTTPS)	HIGH/MEDIUM

Runtime Rules (Live Traffic Analysis)

Rule	Detects	Severity
ANSI Injection	Terminal manipulation, screen clearing, fake output	HIGH
Response Poisoning	Prompt injection in responses, hidden instructions, data exfil commands	CRITICAL/HIGH
State Bleeding	Credential leaks, PII exposure, cross-tool data contamination	HIGH
Rug Pull	Tool definition changes, new tools added silently, privilege escalation	CRITICAL
Tool Shadowing	Homoglyph attacks, typosquatting, namespace collisions	HIGH
Cross-Tool Correlation	Multi-step attack chains, recon→exfil patterns	HIGH
Anomaly Detection	Statistical outliers, unicode obfuscation, steganography	MEDIUM

---

Battle-Tested Results

Real-world validation against actual exploits:

✅ marmelab/mcp-vulnerability — Prompt injection + cross-tool hijacking PoC
✅ Invariant Labs GitHub MCP — Issue description data exfiltration
✅ Anthropic Git MCP RCE — Command injection via git config manipulation
✅ WhatsApp MCP Exfil — Hidden message backup to external endpoint
✅ ToolHijacker Academic — Biased tool selection manipulation

Detection Stats:

• 83% detection rate on 23-vector research attack corpus
• 100% detection rate on real-world CVE patterns
• 0 false positives on legitimate tool descriptions
• 197 test cases passing

Not synthetic benchmarks. Real exploits that target real MCP deployments.

---

Usage

Static Scanning

# Scan a single config
glyph scan ~/.config/claude/claude_desktop_config.json

# JSON output for CI/CD
glyph scan config.json --format json

# Filter by severity
glyph scan config.json --severity critical

# List all detection rules
glyph rules list

Runtime Protection

# 1. Create security baseline (approved tool definitions)
glyph baseline create config.json --output baseline.json

# 2. Run as security proxy
glyph proxy config.json --baseline baseline.json

# 3. Manage quarantined responses
glyph quarantine list
glyph quarantine release <id>

# 4. Analyze traffic logs
glyph traffic list
glyph traffic search "suspicious"
glyph traffic stats

Runtime Flow:

1. Client connects to Glyph proxy
2. Proxy establishes upstream connection to real MCP server
3. Proxy scans tool definitions against baseline (rug pull detection)
4. Client tool calls → Proxy → Security rules → Server
5. Server response → Proxy → Security rules + ANSI sanitization → Client
6. Suspicious responses quarantined for review

---

Example Output

🔮 Glyph v0.3.0 — MCP Security Scanner & Runtime Proxy

Scanning: config.json (3 servers, 12 tools)

━━━ Findings ━━━

🔴 CRITICAL: Semantic poisoning detected
   Rule: semantic-poisoning (confidence: 0.94)
   Location: tool "helper" in server "utils" 
   Similarity: 94% match to known prompt injection pattern
   Fix: Review tool description for hidden instructions

🔴 CRITICAL: Data exfiltration pattern
   Rule: data-exfiltration
   Location: tool "email_sender" in server "comms"
   Pattern: Hidden BCC to external domain
   Fix: Remove hardcoded recipient addresses

🟡 HIGH: Hardcoded API key
   Rule: credential-exposure
   Location: server "openai-tools"
   Fix: Use ${OPENAI_API_KEY} environment variable

━━━ Summary ━━━
Scanned: 1 config, 3 servers, 12 tools
Findings: 2 critical, 1 high, 0 medium, 0 low
Status: FAIL (CRITICAL findings detected)

---

How It Compares

Feature	Glyph	Invariant mcp-scan	Cisco mcp-scanner	Snyk agent-scan
Privacy	Fully local	Cloud analysis	Local	Phone-home
ML Analysis	ONNX (local)	Proprietary	LLM API required	Cloud
Account Required	No	No	No	Yes
Live Protection	stdio + HTTP/SSE	stdio only	stdio only	Config only
Detection Rules	14 (static + runtime)	3	4	2
Real-world Validation	5 CVE patterns	Synthetic only	Unknown	Proprietary
Runtime Quarantine	Yes	No	No	No
Configuration Pinning	Yes	No	No	No

---

Architecture

┌─────────────┐  JSON-RPC   ┌─────────────┐  JSON-RPC   ┌─────────────┐
│   Client    │ ←────────→  │Glyph Proxy  │ ←────────→  │ MCP Server  │
│ (Claude AI) │             │             │             │ (Tools)     │
└─────────────┘             └─────────────┘             └─────────────┘
                                    │
                            ┌───────┼───────┐
                            │       │       │
                    ┌───────▼──┐ ┌──▼───┐ ┌─▼─────────┐
                    │Static    │ │Runtime│ │Quarantine │
                    │Engine    │ │Rules  │ │System    │
                    │(7 rules) │ │(7 rules)│ │(SQLite)  │
                    └──────────┘ └───────┘ └───────────┘

Static Engine — Analyze configurations for known vulnerabilities
Runtime Rules — Real-time traffic analysis and threat detection
Quarantine System — Safe storage and review of suspicious responses
ONNX Semantic Analysis — ML-powered intent detection via embeddings

---

Security Notice

⚠️ Runtime scanning spawns processes defined in config files. A malicious config can contain arbitrary commands. Static scanning is safe (JSON parsing only).

# Safe: static configuration analysis  
glyph scan config.json

# Caution: live server connections (spawns processes)
glyph proxy config.json --baseline baseline.json

# Sandboxed live scanning (recommended for untrusted configs)
docker run --rm -v $(pwd):/scan glyph proxy /scan/config.json --baseline /scan/baseline.json

---

Development

git clone https://github.com/HaseebKhalid1507/glyph.git
cd glyph
pip install -e ".[dev]"
pytest tests/ -v

Project Stats:

• 10,074 lines of code
• 197 test cases
• 83% detection rate on adversarial research corpus
• 14 detection rules (7 static + 7 runtime)
• 0 external dependencies for core scanning

---

Exit Codes

Code	Result
0	Clean scan — no findings
1	Findings detected
2	Critical findings detected

---

Roadmap

• Browser Extension — scan MCP configs in Claude Desktop GUI
• GitHub Action — automated PR scanning for MCP configurations
• SARIF Output — security tool integration (SonarQube, CodeQL)
• WebSocket Transport — support for WebSocket-based MCP servers
• Enterprise Dashboard — centralized security monitoring

---

Contributing

Found a new MCP attack pattern? Open an issue with details.
Want to add detection rules? PRs welcome.
Need enterprise features? Let's talk.

---

Author

Built by Haseeb Khalid — security engineer, agent builder, rune reader.

---

License

MIT — scan freely, secure confidently.