d1fc8d3
This commit was signed with the committer’s verified signature.
The first stable release of mcp-guard, a Roslyn analyzer that catches prompt-injection and tool-poisoning in your C# MCP server's tool descriptions at build time, before they ship.
Highlights
- Full static rule catalog (MCPG001–MCPG013) over the MCP tool surface: instruction-style phrasing, hidden/zero-width Unicode, secret-file references, exfiltration directives and markdown/encoded-blob sinks, ANSI/terminal escapes, manipulative phrasing, capability mismatch, embedded markup, cross-tool shadowing, and whitespace hiding.
- MCPG012, the multi-signal escalation: a secret reference plus an external sink on one description is a confirmed exfiltration payload, reported at Error so it fails the build.
- MCPG013, the opt-in description-integrity baseline: pin each tool description's fingerprint to source and catch a rug-pull (a description changed after review) as a build signal.
- Coverage of parameter and enum-member names (CyberArk full-schema poisoning) and base64/hex decode-and-rescan so obfuscated payloads still escalate.
- IDE code fixes, a reusable GitHub Action to gate any consumer's CI, and VS Code support.
Quality
Backed by a known-attack corpus (payloads from public PoCs), benign false-positive controls, and live-server integration tests that prove a poisoned description reaches a client and demonstrate a runtime rug-pull. 126 analyzer + 3 integration tests on .NET 8 and .NET 10. The work was hardened through an adversarial multi-agent review.
See the coverage scorecard, the threat model (who this protects and why human review is not enough), and the changelog.
Install
<PackageReference Include="McpGuard.Analyzers" Version="1.0.0" PrivateAssets="all" />