ESLint rules to detect prompt-injection vectors in Model Context Protocol server code
eslint-plugin-mcp-security
ESLint rules to detect prompt-injection vectors hidden in Model Context Protocol server code.
Threat model
Strings that an MCP server exposes to an LLM client (tool descriptions, parameter docstrings, error messages, resource contents, prompts) are a prompt-injection surface. An attacker who slips encoded instructions into that surface — via a malicious dependency, a compromised commit, or a copy-paste from an untrusted source — can hijack the client LLM at decode time.
This plugin lints the source code of MCP servers to catch two of the most common encoding tricks:
- Base64-encoded text that decodes to printable ASCII (a hand-rolled detector with round-trip validation, plain text scoring, and a keyword list for known injection phrases like "ignore previous instructions").
- Invisible Unicode characters — zero-width spaces, BOMs, and Unicode tag characters (U+E0000–U+E007F) that LLMs read but humans don't.
It is not a secret scanner. For secrets (API keys, tokens, SRI hashes that look like high-entropy blobs), use gitleaks. The two tools are complementary: gitleaks catches high-entropy blobs, this plugin catches low-entropy encoded prose.
Install
npm install --save-dev eslint-plugin-mcp-security
Requires ESLint 9+ and Node 22.22.2+.
Usage (flat config)
// eslint.config.js
import mcpSecurity from 'eslint-plugin-mcp-security';
export default [
// ... your other config blocks
{
plugins: { 'mcp-security': mcpSecurity },
rules: {
'mcp-security/no-encoded-prompt-injection': 'error',
},
},
];
Rules
no-encoded-prompt-injection
Reports string literals and template-literal segments that contain:
- Invisible Unicode characters — always reported as
error. - Base64 strings that decode to printable text — reported as
error. When the decoded text matches a known prompt-injection phrase, the message is escalated with aHIGH RISKprefix.
Hashes following the SRI convention (sha256-…, sha384-…, sha512-…)
are explicitly excluded.
Allowing intentional cases
If you have a legitimate base64 fixture (a test vector, a small embedded asset), opt out per-line:
// eslint-disable-next-line mcp-security/no-encoded-prompt-injection
const fixture = 'aGVsbG8gd29ybGQgdGhpcyBpcyBhIGZpeHR1cmU=';
For test files in particular, you can also disable the rule at the file
or directory level via your eslint.config.js.
Limitations
- Only detects strings present as literals at lint time. Runtime
concatenation (
String.fromCharCode(...), template assembly across multiple${}interpolations) is not detected — that is by design; static analysis cannot follow arbitrary runtime construction. - JSON files are not linted unless you configure
eslint-plugin-jsoncor similar. - Invisible characters in identifiers are caught only if they appear inside string literals.
How it complements other tooling
| Tool | Catches | Misses | |------|---------|--------| | This plugin | Base64 prose, invisible Unicode | High-entropy secrets, runtime injection | | gitleaks | API keys, tokens, SRI-shaped blobs | Low-entropy encoded prose | | CodeQL | Taint flows, dataflow vulnerabilities | Encoding-layer tricks | | OSV-Scanner | Known CVEs in dependencies | Source-level threats |
Recommended layered defense for an MCP repo:
IDE (eslint extension) → real-time feedback
Pre-commit (husky + lint-staged) → eslint on staged files
CI → eslint full scan + gitleaks + OSV-Scanner + ...
Contributing
See CONTRIBUTING.md. All contributions are licensed under Apache-2.0 via DCO sign-off.
License
Copyright 2026 klodr
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the LICENSE file for details.