smcleod 3 days ago
I think MCP security scanning tools sometimes slightly miss the point when they're marking content that MCP tools could return containing things like 'curl, rm, sh' etc. with blanket high-risk ratings.

If we swap "agent" out for "developer" here and think about it: if a developer saves (or runs) content with a curl / POST / rm command, is that a signal they're doing something dangerous? No. Likely what actually matters starts along the lines of:

- Did they intend / realise they were running the command? Was it really them that ran it? Was it hidden in a larger script they ran without inspecting / scanning first? Was it made visually clear that they were running it? (e.g. not in the background)
- What is in the arguments of the "dangerous" command? Does the POST contain known files that contain secrets? Does it contain high-entropy strings? ... base64-encoded data?
- What is the destination? Localhost? Internal network? Russia?
- etc.
jodoking 3 days ago
You brought up some great points. What we are hoping to do next iteration is to add audit logs of actions taken (of high-risk actions); that way, even if the user "accidentally" blanket-agrees to their MCP service taking the rm action, at least they can see if the action was something they typed or something suggested by the LLM. If you have some improvements around this space, we'd love to chat and collaborate!
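As an added illustration of the scoring smcleod argues for (weight a command by its arguments and destination rather than by the binary's name), here is example code written for this page; it is not from either commenter nor from any MCP scanner, and the secret-path watch-list, weights and thresholds are constructed placeholders.

```python
import ipaddress, math, re, shlex
from urllib.parse import urlparse

# Constructed watch-list: paths whose contents are almost always secrets.
SECRET_PATHS = ("/.ssh/", "/.aws/credentials", "/.env", "id_rsa", ".netrc")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{24,}$")  # long base64-looking token

def shannon_entropy(s: str) -> float:
    """Bits per character; random base64/hex tokens score well above 4.0."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def classify_destination(url: str) -> str:
    """Return 'localhost', 'internal' (private/loopback range) or 'external'."""
    host = urlparse(url).hostname or ""
    if host in ("localhost", "127.0.0.1", "::1"):
        return "localhost"
    try:
        ip = ipaddress.ip_address(host)
        return "internal" if ip.is_private or ip.is_loopback else "external"
    except ValueError:  # not an IP literal: fall back to naming convention
        return "internal" if host.endswith((".local", ".internal")) else "external"

def assess_command(cmd: str) -> dict:
    """Score a command by its arguments and destination, not the binary name."""
    argv = shlex.split(cmd)
    if not argv:
        return {"score": 0, "reasons": []}
    args, score, reasons = argv[1:], 0, []
    # Data leaving the machine: weight by where it goes...
    for url in (a for a in args if a.startswith(("http://", "https://"))):
        dest = classify_destination(url)
        score += {"localhost": 0, "internal": 1, "external": 3}[dest]
        reasons.append(f"destination:{dest}")
    # ...and by what is being sent: secret files or opaque high-entropy blobs.
    for a in args:
        if any(p in a for p in SECRET_PATHS):
            score, reasons = score + 4, reasons + [f"secret-path:{a}"]
        elif B64_RE.match(a) and shannon_entropy(a) > 4.0:
            score, reasons = score + 2, reasons + ["high-entropy-arg"]
    # Destructive file ops: weight by the target, not the verb.
    if argv[0] == "rm":
        targets = [a for a in args if not a.startswith("-")]
        if any(t in ("/", "~", "$HOME") or t.startswith("/etc") for t in targets):
            score, reasons = score + 5, reasons + ["rm:critical-path"]
        elif any(a.startswith("-") and "r" in a.lower() for a in args):
            score, reasons = score + 1, reasons + ["rm:recursive"]
    return {"score": score, "reasons": reasons}
```

A health-check curl to localhost scores 0 while a POST of an AWS credentials file to an external host scores 7, which is the distinction a blanket "contains curl" rule cannot make.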