Detection Rules
The 150+ rules the scanner and gateway use, by category, with examples.
Oxvault ships 150+ detection rules across five categories. Every rule the scanner
applies statically is also available to the Gateway at runtime, because they share
one engine. Findings carry four severities — INFO, WARNING, HIGH, CRITICAL — a confidence
level, and (where applicable) a CWE identifier.
| Category | Rules | Covers |
|---|---|---|
| Source code (SAST) | 43 | Command injection, code eval, unsafe deserialization, path traversal, egress |
| Tool description, arguments & responses | 37 | Prompt-injection / tool poisoning, argument injection, credential leakage |
| Install-hook analysis | 16 | Malicious npm lifecycle scripts |
| Dependency CVE audit | 10 | Known-vulnerable MCP packages |
| Model artifacts (AIBOM) | 44 | Pickle, ONNX, safetensors, model cards, signatures |
Source code (SAST)
Pattern-based static analysis of Python, JavaScript/TypeScript, and Go source. Detects command
injection (os.popen, subprocess(shell=True), child_process.exec, exec.Command), code
evaluation (eval, exec, new Function), unsafe deserialization (pickle.load, yaml.load
without a safe loader), path traversal, destructive filesystem operations, hardcoded credentials,
and outbound network egress. Test files and directories are skipped automatically.
Example —
mcp-cmd-injection· CRITICAL · CWE-78 Direct OS command execution, e.g.os.popen(...)/os.system(...).
Tool descriptions, arguments & responses
Rules applied to live MCP traffic: the text of tool descriptions, the arguments of tools/call
requests, and the content of server responses.
- Description poisoning — hidden instruction tags (
<IMPORTANT>,<SYSTEM>,<HIDDEN>), invisible Unicode and BiDi overrides, secrecy instructions (“do not tell the user”), prompt overrides (“ignore previous instructions”), sensitive-path references (~/.ssh,~/.aws), and cross-tool exfiltration hints. - Argument injection — shell metacharacters, path traversal, SQL injection, SSRF
(
169.254.169.254, cloud metadata endpoints, RFC 1918 addresses), LDAP/XML/template/log injection. - Response scanning — AWS/OpenAI/GitHub/Stripe keys, private keys, bearer tokens, JWTs, database connection strings, PII, and internal hostnames.
Example —
mcp-tool-poisoning· CRITICAL · CWE-1321 A tool description contains a hidden instruction tag such as<IMPORTANT>.
Install-hook analysis
Inspects npm lifecycle scripts (preinstall, install, postinstall) for the ways a package can
run arbitrary code at install time — before you ever import it.
Example —
mcp-install-hook-pipe-to-shell· CRITICAL An install script pipes a remote download straight into a shell (curl … | sh).
Dependency CVE audit
A built-in database of MCP packages with known CVEs. A dependency at or below the affected version is flagged with its CVE ID, CVSS score, and severity.
Example —
mcp-remote≤ 0.1.15 · CRITICAL · CVE-2025-6514 (CVSS 9.6) OS command injection via the OAuthauthorization_endpoint.
Model artifacts (AIBOM)
Rules for ML model files, dispatched by format. Pickle files are disassembled at the opcode level — they are analyzed without being executed.
- Pickle (
aibom-pickle-*) — dangerous globals (os.system,subprocess,eval,runpy), network and filesystem primitives, suspiciousREDUCEcallables, PyTorch ZIP wrappers, and truncated streams. Known-safe ML globals are downgraded to informational. - Safetensors (
aibom-safetensors-*) — header overflow, malformed/empty JSON, overlapping tensor offsets, invalid dtypes, and prompt-injection smuggled in metadata. - ONNX (
aibom-onnx-*) — malformed protobuf, custom/suspicious operator domains, external-data path traversal, oversized initializers, and missing producer metadata. - Model cards (
aibom-modelcard-*) — suspicious instructions, missing license/source/eval, and malformed or oversized cards. - Signatures (
aibom-signature-*) — hash mismatches, untrusted OIDC issuers, and missing or malformed signature manifests.
Example —
aibom-pickle-os-system· CRITICAL · CWE-502 A pickle stream references theos.systemglobal, which spawns a shell command on load.
Suppressing findings
Both surfaces respect the same suppression controls (see the CLI reference for details):
- Inline — an
# oxvault:ignoreor// oxvault:ignorecomment on the offending source line, optionally naming a single rule ID. .oxvaultignore— a file in the scanned directory with file globs,!rule-idfor a global rule suppression, orfile:rule-idcombinations.
Suppressed findings are excluded from the report and do not affect the exit code. Run the scanner
with --show-suppressed to list what was filtered.