
rule-packs

Official declarative rule registry for MCP Shark

OWASP MCP, Agentic Security, and general security packs — fetched with mcp-shark update-rules.



npx @mcp-shark/mcp-shark update-rules


Overview

Canonical remote registry for MCP Shark. The CLI downloads manifest.json from this repository, then downloads each pack listed there into .mcp-shark/rule-packs/ in the user's project.

Current rule set

This registry ships 24 declarative (pattern-based) rules in 3 JSON packs, plus 1 pack that carries toxic flow heuristics (cross-server capability pairs for analyzeToxicFlows, not YARA-style rules). The MCP Shark CLI merges declarative packs with 11 algorithmic rules from the main mcp-shark package (JavaScript plugins for checks that need code logic) for a total of 35 scanner rules.

| Pack file | Pack ID | Contents |
|---|---|---|
| packs/owasp-mcp-2026.json | owasp-mcp-2026 | 9 declarative rules |
| packs/agentic-security-2026.json | agentic-security-2026 | 9 declarative rules |
| packs/general-security.json | general-security | 6 declarative rules |
| packs/toxic-flow-heuristics.json | toxic-flow-heuristics | toxic_flow_rules[] (cross-server pairs); rules is [] |

Note: OWASP MCP05 (command injection) and Agentic ASI05 (remote code execution) live as JS plugins in the scanner repo, not in these JSON packs.

OWASP MCP Top 10 — owasp-mcp-2026

| Rule ID | Name | Severity |
|---|---|---|
| mcp01-token-mismanagement | Token Mismanagement & Secret Exposure | high |
| mcp02-scope-creep | Scope Creep Detection | medium |
| mcp03-tool-poisoning | Tool Poisoning Detection | high |
| mcp04-supply-chain | Supply Chain Vulnerability Detection | high |
| mcp06-prompt-injection | Prompt Injection Detection | high |
| mcp07-insufficient-auth | Insufficient Authentication Detection | high |
| mcp08-lack-audit | Lack of Audit Detection | medium |
| mcp09-shadow-servers | Shadow Server Detection | high |
| mcp10-context-injection | Context Injection Detection | medium |

Agentic Security Initiative — agentic-security-2026

| Rule ID | Name | Severity |
|---|---|---|
| asi01-goal-hijack | Agent Goal Hijack Detection | high |
| asi02-tool-misuse | Tool Misuse Detection | high |
| asi03-identity-abuse | Identity Abuse Detection | high |
| asi04-supply-chain | Agentic Supply Chain Detection | high |
| asi06-memory-poisoning | Memory Poisoning Detection | high |
| asi07-insecure-communication | Insecure Communication Detection | high |
| asi08-cascading-failures | Cascading Failures Detection | medium |
| asi09-trust-exploitation | Trust Exploitation Detection | high |
| asi10-rogue-agent | Rogue Agent Detection | critical |

General security — general-security

| Rule ID | Name | Severity |
|---|---|---|
| hardcoded-secrets | Hardcoded Secrets Detection | high |
| ansi-escape-sequences | ANSI Escape Sequence Detection | medium |
| dns-rebinding | DNS Rebinding Detection | high |
| sensitive-data-exposure | Sensitive Data Exposure | high |
| excessive-permissions | Excessive Permissions | high |
| path-traversal | Path Traversal Detection | high |

Layout

| Path | Purpose |
|---|---|
| manifest.json | Index: packs[] with id, version, url |
| packs/*.json | Pack files: schema_version, pack_id, version, and rules[] (declarative) and/or toxic_flow_rules[] (see below) |

Toxic flow pack (toxic-flow-heuristics)

Packs may include toxic_flow_rules: an array of objects, each with source and target capability keys (e.g. writes_code, sends_external), risk, title, scenario (supports the {source}, {target}, {source_ide}, {target_ide} placeholders), and optional catalog and owasp fields. After update-rules (or whenever a matching file exists under .mcp-shark/rule-packs/), these entries are merged with the built-in toxic-flow-rules.json and with .mcp-shark/flows.yaml.
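To make the shape of a toxic flow pack concrete, here is an added example (not mcp-shark's own code, and not its analyzeToxicFlows implementation) that merges a pack's toxic_flow_rules with a built-in list, fills the scenario placeholders named above, and flags cross-server capability pairs in a constructed set of connected servers. The function names, the reads_secrets capability key and the sample servers are assumptions for illustration; writes_code and sends_external are the keys the page itself names.

```javascript
// Added example, not mcp-shark's own code. Merges toxic_flow_rules from a rule
// pack with a built-in list and checks connected servers for cross-server
// capability pairs. Function names and the "reads_secrets" key are assumptions.

// Constructed sample: the shape a packs/toxic-flow-heuristics.json could carry.
const packToxicFlows = {
  schema_version: "1.0",
  pack_id: "toxic-flow-heuristics",
  version: "1.0.0",
  rules: [],
  toxic_flow_rules: [
    {
      source: "reads_secrets",
      target: "sends_external",
      risk: "high",
      title: "Secret exfiltration path",
      scenario: "{source_ide} can read secrets that {target_ide} may send off-host",
      catalog: "toxic-flow",
      owasp: "MCP01",
    },
  ],
};

// Constructed stand-in for the built-in toxic-flow-rules.json.
const builtinToxicFlows = [
  {
    source: "writes_code",
    target: "sends_external",
    risk: "high",
    title: "Code-to-network flow",
    scenario: "{source} on {source_ide} feeds {target} on {target_ide}",
  },
];

// Constructed inventory of connected servers: name -> capability keys.
const sampleServers = {
  "ide-agent": ["writes_code", "reads_secrets"],
  "slack-bridge": ["sends_external"],
  "local-fs": ["writes_code"],
};

// Merge rule lists. A pack entry for the same source->target pair overrides the
// built-in one, mirroring "user overrides win" for same-keyed content.
function mergeToxicFlowRules(builtin, ...packs) {
  const byPair = new Map();
  for (const r of builtin) byPair.set(`${r.source}->${r.target}`, r);
  for (const p of packs) {
    for (const r of p.toxic_flow_rules || []) byPair.set(`${r.source}->${r.target}`, r);
  }
  return [...byPair.values()];
}

// Fill the four placeholders the pack format supports.
function renderScenario(rule, sourceServer, targetServer) {
  const vars = {
    source: rule.source,
    target: rule.target,
    source_ide: sourceServer,
    target_ide: targetServer,
  };
  return rule.scenario.replace(/\{(source_ide|target_ide|source|target)\}/g, (_, k) => vars[k]);
}

// Flag every pair of *different* servers where one holds a rule's source
// capability and another holds its target capability.
function findToxicFlows(rules, servers) {
  const findings = [];
  for (const rule of rules) {
    for (const [src, srcCaps] of Object.entries(servers)) {
      if (!srcCaps.includes(rule.source)) continue;
      for (const [dst, dstCaps] of Object.entries(servers)) {
        if (dst === src || !dstCaps.includes(rule.target)) continue;
        findings.push({
          title: rule.title,
          risk: rule.risk,
          source_server: src,
          target_server: dst,
          scenario: renderScenario(rule, src, dst),
        });
      }
    }
  }
  return findings;
}

// Usage: three findings for the constructed inventory above.
const report = findToxicFlows(mergeToxicFlowRules(builtinToxicFlows, packToxicFlows), sampleServers);
for (const f of report) console.log(`[${f.risk}] ${f.title}: ${f.scenario}`);
```

The pair check deliberately skips same-server matches: a single server that both writes code and sends data is a capability question for that server's own rules, while the toxic-flow heuristic is about two servers that individually look harmless but compose into a risky path.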

Manifest schema

For MCP Shark ≥ 1.5.

{
  "schema_version": "1.0",
  "version": "1.0.0",
  "updated": "ISO-8601 date",
  "packs": [
    {
      "id": "pack-stem",
      "version": "1.0.0",
      "url": "https://raw.githubusercontent.com/ORG/REPO/BRANCH/packs/pack-stem.json",
      "sha256": "optional-64-char-hex — if set, CLI verifies download"
    }
  ]
}

Rules:

  • id must match pack_id inside the pack JSON and must be safe for a filename (letters, digits, ., _, - only).
  • version should match the version field inside the pack file so the CLI can skip unchanged downloads.
  • url must be HTTPS (unless the user explicitly allows HTTP in a lab via MCP_SHARK_INSECURE_HTTP_REGISTRY=1).

Publishing a new pack version

  1. Edit the pack under packs/<id>.json (bump version and updated inside the file).
  2. Bump the same version for that entry in manifest.json.
  3. Open a PR; CI validates manifest and pack shape.

Relationship to the npm package

The @mcp-shark/mcp-shark package ships built-in copies of these packs under core/cli/data/rule-packs/ (including toxic-flow-heuristics.json). This repo is the live source users pull when they run update-rules. User overrides in .mcp-shark/rule-packs/ still win over the built-ins for the same pack_id.

Support

License

Rule pack content follows the licensing terms of the parent MCP Shark project unless otherwise noted in individual files.


Same shark. Fresh rules when you want them.
