MCP-SandboxScan: WASM-based Secure Execution and Runtime Analysis for MCP Tools
Zhuoran Tan, Run Hao, Jeremy Singer, Yutian Tang, and Christos Anagnostopoulos

TL;DR
MCP-SandboxScan is a WebAssembly-based framework that securely executes untrusted tools to analyze runtime behaviors and detect security risks like prompt injections and data leaks in LLM tool integrations.
Contribution
It introduces a novel sandboxed execution environment combined with runtime analysis techniques to identify security vulnerabilities in LLM tool usage, addressing limitations of static scanners.
Findings
Successfully detects external input exposures in runtime outputs
Exposes filesystem capability violations during tool execution
Characterizes false negatives and positives through benchmarks
Abstract
Tool-augmented LLM agents raise new security risks: tool executions can introduce runtime-only behaviors, including prompt injection and unintended exposure of external inputs (e.g., environment secrets or local files). While existing scanners often focus on static artifacts, analyzing runtime behavior is challenging because directly executing untrusted tools can itself be dangerous. We present MCP-SandboxScan, a lightweight framework motivated by the Model Context Protocol (MCP) that safely executes untrusted tools inside a WebAssembly/WASI sandbox and produces auditable reports of external-to-sink exposures. Our prototype (i) extracts LLM-relevant sinks from runtime outputs (prompt/messages and structured tool-return fields), (ii) instantiates external-input candidates from environment values, mounted file contents, and output-surfaced HTTP fetch intents, and (iii) links sources to…
Taxonomy
Topics: Security and Verification in Computing · Scientific Computing and Data Management · Software Testing and Debugging Techniques
