AgentEscape: How MCP Servers Let AI Agents Read Your Private Keys

SpiderRating Research · 6 min read

Tags: MCP Security, AgentEscape, CWE-22, Path Traversal, AI Agents

> TL;DR: A path traversal vulnerability in context7 (49,000 GitHub stars) allowed any connected AI agent to read arbitrary files from the host machine — including SSH keys, .env secrets, and database credentials. We found it, reported it, and the fix was merged in 6 days. But this isn't an isolated case.

---

The Attack

Here's what an attacker can do to your AI agent right now:

  1. Craft a malicious prompt that asks the agent to install a "skill" or "workflow"
  2. The agent calls the MCP server's file operation with a path like ../../.ssh/id_rsa
  3. No path validation exists — the server reads the file and returns it
  4. Your SSH private key is now in the conversation — visible to the attacker

This is not a theoretical attack. This was live code in a project used by tens of thousands of developers.

---

The Discovery

SpiderShield, our open-source MCP security scanner, flagged a path traversal (CWE-22) vulnerability in upstash/context7 — one of the most popular MCP-adjacent projects with 49,000+ GitHub stars.

The vulnerability was in the skill file installation endpoint. The name parameter was used directly in file path construction:

```python
from pathlib import Path

SKILLS_DIR = Path.home() / ".skills"  # illustrative location; the real directory is not shown here

# Simplified — the actual vulnerable pattern: `name` comes straight from the tool call
path = SKILLS_DIR / (name + ".yaml")
# name = "../../.ssh/id_rsa" → the path resolves outside SKILLS_DIR and is read anyway
```

No resolve() check. No parent directory validation. No character filtering.

An AI agent connected to this server could be tricked — via prompt injection or a malicious skill — into reading any file on the host machine.

---

What Could Be Stolen

| File | What's in it | Impact |
|------|--------------|--------|
| `~/.ssh/id_rsa` | SSH private key | Access to all your servers |
| `~/.env` | API keys, DB passwords | Full account compromise |
| `~/.aws/credentials` | AWS access keys | Cloud takeover |
| `~/.kube/config` | Kubernetes credentials | Cluster compromise |
| `/etc/passwd` | System users | Reconnaissance for further attacks |

The agent doesn't know it's being exploited. It's just following instructions — reading a "skill file" that happens to be your private key.

---

The Fix

We reported the vulnerability via GitHub Issue #2234 and submitted a fix in PR #2235.

The fix adds path boundary validation:

```python
resolved = path.resolve()  # canonicalise: collapses ".." and follows symlinks
# Path.is_relative_to() needs Python 3.9+; on older versions compare os.path.commonpath()
if not resolved.is_relative_to(SKILLS_DIR.resolve()):
    raise ValueError("Path traversal detected")
```

The PR was reviewed and merged in 6 days. If you're using context7, update to the latest version.
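To see the attack in "The Discovery" and the boundary check above side by side, here is an added example (not context7's code, and not from the SpiderShield project): a minimal skill loader in its vulnerable and hardened forms, exercised in a throwaway home directory. The function names, the `mcp/skills` layout and the fake key file are assumptions. Because the simplified pattern appends `.yaml` to the name, the constructed key is stored as `id_rsa.yaml` so the traversal lands on it; the hardened loader rejects `..`, absolute names and a symlink planted inside the skills directory.

```python
# Added example (not context7's code): the vulnerable skill loader beside the
# hardened one, exercised in a throwaway home directory. Function names,
# the mcp/skills layout and the fake key file are assumptions.
import os
import tempfile
from pathlib import Path


def load_skill_vulnerable(skills_dir: Path, name: str) -> str:
    """The CWE-22 pattern: untrusted name joined straight onto the directory."""
    return (skills_dir / (name + ".yaml")).read_text()


def resolve_skill_path(skills_dir: Path, name: str) -> Path:
    """Canonicalise, then require the result to stay inside skills_dir.
    resolve() collapses '..' and follows symlinks; an absolute name replaces
    the base entirely under '/', so it fails the check as well."""
    base = skills_dir.resolve()
    candidate = (base / (name + ".yaml")).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise ValueError(f"Path traversal detected: {name!r}")
    return candidate


def load_skill_hardened(skills_dir: Path, name: str) -> str:
    return resolve_skill_path(skills_dir, name).read_text()


def demo() -> dict:
    """Run both loaders against constructed inputs and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        skills = home / "mcp" / "skills"
        skills.mkdir(parents=True)
        (skills / "summarize.yaml").write_text("name: summarize\n")
        # Constructed stand-in for ~/.ssh/id_rsa. The loader appends ".yaml",
        # so in this simplified pattern the traversal lands on id_rsa.yaml.
        (home / ".ssh").mkdir()
        key = home / ".ssh" / "id_rsa.yaml"
        key.write_text("-----BEGIN OPENSSH PRIVATE KEY----- (fake)\n")
        # A symlink planted inside skills/ that points at the key.
        os.symlink(key, skills / "escape.yaml")

        evil = "../../.ssh/id_rsa"  # two levels up: skills -> mcp -> home
        results["vuln_reads_key"] = load_skill_vulnerable(skills, evil).startswith("-----BEGIN")
        results["hardened_legit"] = load_skill_hardened(skills, "summarize") == "name: summarize\n"
        for label, bad in (("traversal", evil), ("absolute", "/etc/passwd"), ("symlink", "escape")):
            try:
                load_skill_hardened(skills, bad)
                results["hardened_blocks_" + label] = False
            except ValueError:
                results["hardened_blocks_" + label] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The order of operations matters: resolving first and checking second is what catches the symlink case, since a purely lexical check on `name` (rejecting `..`) would let `escape` through.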

---

This Is Not an Isolated Case

We scanned 15,923 MCP servers with SpiderShield. Path traversal is one of the most common vulnerability patterns:

  • 757 servers have token/credential leakage issues
  • 36% of all MCP servers scored Grade F (failing)
  • Path traversal specifically appears in file operation tools, workflow managers, and skill installers

We've since found and fixed similar vulnerabilities in multiple other projects, submitting 37 pull requests across 28 repositories. 5 have been merged so far, in projects with a combined 86,000+ GitHub stars.

---

Why MCP Servers Are Uniquely Dangerous

Traditional web vulnerabilities require an attacker to find and exploit them directly. MCP server vulnerabilities are different:

The AI agent is the attack vector.

```text
Traditional web app:
  Attacker → finds vulnerability → exploits it

MCP server:
  Attacker → injects prompt → AI agent exploits the vulnerability for them
```

The agent has legitimate access to the MCP server's tools. The agent trusts the instructions it receives. If those instructions are poisoned — via prompt injection, a malicious tool description, or a compromised upstream skill — the agent becomes an unwitting accomplice.

This means every MCP server vulnerability is amplified by the number of agents connected to it.

---

How to Protect Yourself

Scan your MCP server in 30 seconds:

```bash
pip install spidershield
spidershield scan /path/to/your/mcp-server
```

Or check any server's rating instantly:

```bash
spidershield check owner/repo
```

What to look for in your own code:

  • Any file operation that takes user/agent input as a path → add resolve() + a parent-directory check
  • Any shell=True in subprocess calls → switch to argument arrays
  • Any === (or ==) comparison of secrets/tokens → use a constant-time compare such as crypto.timingSafeEqual()
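The three checklist items above can be turned into a mechanical review pass. What follows is an added example, not SpiderShield's code: a small AST scanner that flags each pattern in a constructed Python source string. The rule labels, the `SECRET_WORDS` heuristic, the simple intra-function taint propagation and the `SAMPLE` source are all assumptions; the Python counterpart of `crypto.timingSafeEqual()` used in the message is `hmac.compare_digest()`.

```python
# Added example (not SpiderShield's code): an AST scanner for the three
# checklist patterns, run over a constructed source string. Rule labels,
# SECRET_WORDS, the taint heuristic and SAMPLE are assumptions.
import ast

SECRET_WORDS = ("token", "secret", "password", "api_key", "apikey")
FILE_METHODS = {"open", "read_text", "read_bytes", "write_text", "write_bytes"}
BOUNDARY_CHECKS = {"is_relative_to", "commonpath"}


def _looks_secret(node):
    ident = node.id if isinstance(node, ast.Name) else getattr(node, "attr", "")
    return any(w in ident.lower() for w in SECRET_WORDS)


def _is_file_op(call):
    f = call.func
    if isinstance(f, ast.Name):
        return f.id == "open"
    return isinstance(f, ast.Attribute) and f.attr in FILE_METHODS


def _tainted_names(func):
    """Parameters plus every local assigned from an expression using them."""
    a = func.args
    tainted = {p.arg for p in a.args + a.posonlyargs + a.kwonlyargs}
    changed = True
    while changed:  # fixed point: follow chains like path = base / (name + ".yaml")
        changed = False
        for n in ast.walk(func):
            if not isinstance(n, ast.Assign):
                continue
            used = {x.id for x in ast.walk(n.value) if isinstance(x, ast.Name)}
            if not used & tainted:
                continue
            for t in n.targets:
                for x in ast.walk(t):
                    if isinstance(x, ast.Name) and x.id not in tainted:
                        tainted.add(x.id)
                        changed = True
    return tainted


class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (lineno, rule, message)
        self._scope = []    # stack of (tainted names, function has a boundary check)

    def visit_FunctionDef(self, node):
        attrs = {c.func.attr for c in ast.walk(node)
                 if isinstance(c, ast.Call) and isinstance(c.func, ast.Attribute)}
        self._scope.append((_tainted_names(node), bool(attrs & BOUNDARY_CHECKS)))
        self.generic_visit(node)
        self._scope.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        # shell=True hands the string to /bin/sh; an argument list avoids that.
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                self.findings.append((node.lineno, "CWE-78", "shell=True; pass an argument list"))
        # File operation on a parameter-derived path in a function with no boundary check.
        if self._scope and _is_file_op(node):
            tainted, guarded = self._scope[-1]
            used = {x.id for x in ast.walk(node) if isinstance(x, ast.Name)}
            if used & tainted and not guarded:
                self.findings.append((node.lineno, "CWE-22",
                                      "untrusted path; resolve() and check is_relative_to(base)"))
        self.generic_visit(node)

    def visit_Compare(self, node):
        # ==/!= on secret-looking operands short-circuits on the first differing byte.
        operands = [node.left, *node.comparators]
        if any(isinstance(op, (ast.Eq, ast.NotEq)) for op in node.ops) and any(map(_looks_secret, operands)):
            self.findings.append((node.lineno, "CWE-208", "== on secret; use hmac.compare_digest()"))
        self.generic_visit(node)


def scan_source(src):
    scanner = Scanner()
    scanner.visit(ast.parse(src))
    return sorted(scanner.findings)


# Constructed sample: one hit per rule plus a correctly guarded loader that must not fire.
SAMPLE = '''
import subprocess
from pathlib import Path

SKILLS_DIR = Path("skills")

def install_skill(name):
    path = SKILLS_DIR / (name + ".yaml")
    return path.read_text()

def install_skill_safe(name):
    path = (SKILLS_DIR / (name + ".yaml")).resolve()
    if not path.is_relative_to(SKILLS_DIR.resolve()):
        raise ValueError("traversal")
    return path.read_text()

def run_tool(cmd):
    return subprocess.run("tool " + cmd, shell=True)

def check(token, expected_token):
    return token == expected_token
'''

if __name__ == "__main__":
    for lineno, rule, msg in scan_source(SAMPLE):
        print(f"line {lineno}: {rule}: {msg}")
```

The taint step is what makes the first rule useful: without it the scanner would only catch `read_text()` applied directly to the parameter, and miss the `path = ... / name` form that the context7 finding actually had.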

---

Timeline

| Date | Event |
|------|-------|
| 2026-03-12 | SpiderShield scanner flags CWE-22 in context7 |
| 2026-03-13 | Issue #2234 filed, PR #2235 submitted |
| 2026-03-19 | PR merged by maintainers (4 review comments addressed) |
| 2026-03-28 | This disclosure published |

---

*All vulnerabilities were responsibly disclosed. The fix was merged before this post was published. SpiderShield is open source and free.*