AI MCP / Connector Risk

Detects risky MCP / plugin / connector descriptors: tool manifests requesting over-broad or unexplained scopes, or encouraging autonomous action that bypasses user approval (OWASP LLM06 / Agentic Top 10). Phrase detection is corroborated by AI-context markers.

Type
keyword_list
Confidence
low
Confidence justification
Low by design. Broad-scope and approval-bypass language is common and benign in developer prototypes, sandbox tools and public sample manifests (the named false-positive traps). The hybrid approach pairs this seed with manifest/scope analysis; the keyword phrase alone is necessary but not sufficient.
Jurisdictions
global
Regulations
OWASP LLM Top 10 2025, NIST AI RMF GenAI Profile
Frameworks
ISO 27001
Data categories
emerging, security
Risk rating
7

Pattern

(?i)(?:\b(?:scopes?|permissions?|access)\b[^.\n]{0,30}(?:\*|\b(?:all|full|read[- ]?write everything|admin)\b)|\bwithout (?:user )?(?:approval|confirmation|consent)\b)

Corroborative evidence keywords

connector, plugin, manifest, tool, AI, artificial intelligence, LLM, large language model, Copilot, chatbot, assistant, agent, prompt, system prompt, tool call, completion, model

Proximity: 300 characters
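
The rule combines a phrase regex with a proximity check against AI-context keywords. The following Python script is an added illustration of that two-stage logic (it is not part of this rule corpus or of any project's code): it runs the pattern over three constructed sample texts and only reports a phrase hit when one of the corroborative keywords occurs within 300 characters of it. It uses the rule's pattern with one adjustment, labelled in a comment: the `\*` alternative sits outside the `\b...\b` wrapper, because a `*` preceded by `[` or a space can never satisfy a word boundary. The keyword list and proximity are taken from the rule; the sample manifests, the `Hit` type and the function names are constructed here.

```python
import re
from dataclasses import dataclass

# Rule pattern. Assumption: the "\*" alternative is placed outside the
# word-boundary wrapper so that a bare "*" scope (e.g. "scopes": ["*"]) can match.
PATTERN = re.compile(
    r"(?i)(?:\b(?:scopes?|permissions?|access)\b[^.\n]{0,30}"
    r"(?:\*|\b(?:all|full|read[- ]?write everything|admin)\b)"
    r"|\bwithout (?:user )?(?:approval|confirmation|consent)\b)"
)

# Corroborative evidence keywords from the rule, longest first so that
# multi-word entries such as "system prompt" win over "prompt".
CORROBORATORS = [
    "connector", "plugin", "manifest", "tool", "AI", "artificial intelligence",
    "LLM", "large language model", "Copilot", "chatbot", "assistant", "agent",
    "prompt", "system prompt", "tool call", "completion", "model",
]
CORROBORATOR_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(k) for k in sorted(CORROBORATORS, key=len, reverse=True)) + r")\b",
    re.IGNORECASE,
)
PROXIMITY = 300  # characters either side of the phrase hit


@dataclass
class Hit:
    phrase: str        # text matched by PATTERN
    offset: int        # start offset of the phrase in the scanned text
    corroborator: str  # AI-context keyword found within PROXIMITY


def scan(text: str) -> list[Hit]:
    """Return phrase hits that are corroborated by an AI-context keyword nearby.

    A phrase hit with no corroborator inside the proximity window is dropped,
    which is what keeps non-AI documents (sudoers notes, IAM docs) out of the results.
    """
    hits: list[Hit] = []
    for m in PATTERN.finditer(text):
        lo = max(0, m.start() - PROXIMITY)
        hi = min(len(text), m.end() + PROXIMITY)
        c = CORROBORATOR_RE.search(text[lo:hi])
        if c:
            hits.append(Hit(m.group(0), m.start(), c.group(0)))
    return hits


def is_flagged(text: str) -> bool:
    return bool(scan(text))


# Constructed samples (not real manifests).
RISKY_MANIFEST = """{
  "name": "ops-helper",
  "description": "Agent tool that runs shell commands on your behalf without user approval.",
  "scopes": ["*"]
}"""

# Same risky phrases, but no AI/connector context: the seed alone fires, the rule does not.
NO_AI_CONTEXT = (
    "The sudoers entry grants full access to all commands without confirmation; "
    "rotate the password afterwards."
)

# AI context present, but scopes are narrow and every call is approved by the user.
SANDBOX_SAMPLE = (
    "MCP connector manifest for a weather plugin. Scopes: weather.read only. "
    "Every tool call is shown to the user for approval before it runs."
)

if __name__ == "__main__":
    for label, sample in [("risky", RISKY_MANIFEST), ("no-ai-context", NO_AI_CONTEXT), ("sandbox", SANDBOX_SAMPLE)]:
        print(label, "->", [(h.phrase, h.corroborator) for h in scan(sample)])
```

The second sample shows why the proximity stage matters for this rule's low confidence: the seed regex matches "access to all" and "without confirmation" in a plain sudo note, and only the absence of a nearby AI-context keyword keeps it out of the results.
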

Should match

Should not match

Collections