Oxvault

Detection Rules

The 150+ rules the scanner and gateway use, by category, with examples.

Oxvault ships 150+ detection rules across five categories. Every rule the scanner applies statically is also available to the Gateway at runtime, because they share one engine. Findings carry four severities — INFO, WARNING, HIGH, CRITICAL — a confidence level, and (where applicable) a CWE identifier.

Category                                  Rules   Covers
Source code (SAST)                        43      Command injection, code eval, unsafe deserialization, path traversal, egress
Tool description, arguments & responses   37      Prompt-injection / tool poisoning, argument injection, credential leakage
Install-hook analysis                     16      Malicious npm lifecycle scripts
Dependency CVE audit                      10      Known-vulnerable MCP packages
Model artifacts (AIBOM)                   44      Pickle, ONNX, safetensors, model cards, signatures

Source code (SAST)

Pattern-based static analysis of Python, JavaScript/TypeScript, and Go source. Detects command injection (os.popen, subprocess calls with shell=True, child_process.exec, exec.Command), code evaluation (eval, exec, new Function), unsafe deserialization (pickle.load, yaml.load without a safe loader), path traversal, destructive filesystem operations, hardcoded credentials, and outbound network egress. Test files and directories are skipped automatically.

Example: mcp-cmd-injection · CRITICAL · CWE-78
Direct OS command execution, e.g. os.popen(...) / os.system(...).

Tool descriptions, arguments & responses

Rules applied to live MCP traffic: the text of tool descriptions, the arguments of tools/call requests, and the content of server responses.

  • Description poisoning — hidden instruction tags (<IMPORTANT>, <SYSTEM>, <HIDDEN>), invisible Unicode and BiDi overrides, secrecy instructions (“do not tell the user”), prompt overrides (“ignore previous instructions”), sensitive-path references (~/.ssh, ~/.aws), and cross-tool exfiltration hints.
  • Argument injection — shell metacharacters, path traversal, SQL injection, SSRF (169.254.169.254, cloud metadata endpoints, RFC 1918 addresses), LDAP/XML/template/log injection.
  • Response scanning — AWS/OpenAI/GitHub/Stripe keys, private keys, bearer tokens, JWTs, database connection strings, PII, and internal hostnames.

Example: mcp-tool-poisoning · CRITICAL · CWE-1321
A tool description contains a hidden instruction tag such as <IMPORTANT>.

Install-hook analysis

Inspects npm lifecycle scripts (preinstall, install, postinstall) for the ways a package can run arbitrary code at install time — before you ever import it.

Example: mcp-install-hook-pipe-to-shell · CRITICAL
An install script pipes a remote download straight into a shell (curl … | sh).

Dependency CVE audit

A built-in database of MCP packages with known CVEs. A dependency at or below the affected version is flagged with its CVE ID, CVSS score, and severity.

Example: mcp-remote ≤ 0.1.15 · CRITICAL · CVE-2025-6514 (CVSS 9.6)
OS command injection via the OAuth authorization_endpoint.

Model artifacts (AIBOM)

Rules for ML model files, dispatched by format. Pickle files are disassembled at the opcode level — they are analyzed without being executed.

  • Pickle (aibom-pickle-*) — dangerous globals (os.system, subprocess, eval, runpy), network and filesystem primitives, suspicious REDUCE callables, PyTorch ZIP wrappers, and truncated streams. Known-safe ML globals are downgraded to informational.
  • Safetensors (aibom-safetensors-*) — header overflow, malformed/empty JSON, overlapping tensor offsets, invalid dtypes, and prompt-injection smuggled in metadata.
  • ONNX (aibom-onnx-*) — malformed protobuf, custom/suspicious operator domains, external-data path traversal, oversized initializers, and missing producer metadata.
  • Model cards (aibom-modelcard-*) — suspicious instructions, missing license/source/eval, and malformed or oversized cards.
  • Signatures (aibom-signature-*) — hash mismatches, untrusted OIDC issuers, and missing or malformed signature manifests.

Example: aibom-pickle-os-system · CRITICAL · CWE-502
A pickle stream references the os.system global, which spawns a shell command on load.
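To show what opcode-level inspection means in practice, here is an added, stand-alone illustration of the global-reference part of the aibom-pickle-* rules. It is not Oxvault's own code: it walks the stream with pickletools.genops and never calls pickle.loads, so nothing in the file executes. The rule names other than aibom-pickle-os-system, the severity choices for unknown globals, and the known-safe list are assumptions made for the example; the sample streams are constructed by hand.

```python
import pickletools

# Constructed tables for the example; only aibom-pickle-os-system is a rule name from the page.
DANGEROUS = {("os", "system"): "aibom-pickle-os-system",
             ("subprocess", "Popen"): "aibom-pickle-subprocess",
             ("builtins", "eval"): "aibom-pickle-eval",
             ("runpy", "run_path"): "aibom-pickle-runpy"}
# Globals a legitimate PyTorch/NumPy checkpoint references; downgraded to INFO.
KNOWN_SAFE = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}
# Opcodes that push a string; in protocol 4+ the two strings before STACK_GLOBAL are module and name.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_pickle(data: bytes) -> list[dict]:
    """Disassemble a pickle stream and report every global it references, without loading it."""
    findings, strings = [], []
    try:
        ops = list(pickletools.genops(data))  # raises ValueError on a truncated or malformed stream
    except ValueError as exc:
        return [{"rule": "aibom-pickle-truncated", "severity": "HIGH", "ref": None, "detail": str(exc)}]
    for op, arg, pos in ops:
        ref = None
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):          # protocols 0-3: arg is "module name"
            ref = tuple(arg.split(" ", 1))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:  # protocol 4+: module, name from the stack
            ref = (strings[-2], strings[-1])
        if ref is None:
            continue
        if ref in DANGEROUS:
            findings.append({"rule": DANGEROUS[ref], "severity": "CRITICAL", "ref": ref,
                             "detail": f"dangerous global at offset {pos}"})
        elif ref in KNOWN_SAFE:
            findings.append({"rule": "aibom-pickle-global", "severity": "INFO", "ref": ref,
                             "detail": "known-safe ML global"})
        else:
            findings.append({"rule": "aibom-pickle-global", "severity": "WARNING", "ref": ref,
                             "detail": "unrecognised global"})
    return findings


# Constructed sample streams (never unpickled): GLOBAL in protocol 0, STACK_GLOBAL in protocol 4.
MALICIOUS_P0 = b"cos\nsystem\n."                           # GLOBAL os.system, STOP
MALICIOUS_P4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93."    # PROTO 4, "os", "system", STACK_GLOBAL, STOP
BENIGN_P4 = b"\x80\x04\x8c\x0bcollections\x8c\x0bOrderedDict\x93."
TRUNCATED = b"cos\nsystem\n("                              # stream ends before STOP

if __name__ == "__main__":
    for name, blob in [("p0", MALICIOUS_P0), ("p4", MALICIOUS_P4), ("safe", BENIGN_P4), ("cut", TRUNCATED)]:
        print(name, scan_pickle(blob))
```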

Suppressing findings

Both surfaces respect the same suppression controls (see the CLI reference for details):

  • Inline — an # oxvault:ignore or // oxvault:ignore comment on the offending source line, optionally naming a single rule ID.
  • .oxvaultignore — a file in the scanned directory with file globs, !rule-id for a global rule suppression, or file:rule-id combinations.

Suppressed findings are excluded from the report and do not affect the exit code. Run the scanner with --show-suppressed to list what was filtered.