mpak Trust Framework

An open security standard for MCP server bundles

MTF defines four compliance levels across five security domains, enabling bundle authors, registries, and consumers to establish and verify security guarantees for AI tool extensions.

Read the Spec Get the Scanner

The Problem

MCP servers extend AI assistants with powerful capabilities: filesystem access, network requests, database queries, and code execution. This power creates significant security risk. A malicious or compromised MCP bundle can:

  • Exfiltrate sensitive data from the user's environment
  • Execute arbitrary code with user privileges
  • Serve as a vector for supply chain attacks
  • Poison AI behavior through tool description injection

Compliance Levels

Four levels of increasing security assurance. Start with L1 in minutes, progress to L4 for maximum trust.

L1

Basic

Personal projects, experimentation

Minutes to achieve

  • No embedded secrets
  • No malicious patterns
  • Valid manifest
  • Tool declarations
  • SBOM generation
L2

Standard

Team tools, published packages

< 1 hour to achieve

  • Vulnerability scanning (EPSS/KEV)
  • Dependency pinning
  • Static analysis
  • Author identity
  • Tool description safety
L3

Verified

Production, enterprise use

Days to achieve

  • Cryptographic signing
  • Build attestation (SLSA)
  • Input validation
  • OpenSSF Scorecard
  • Credential scope declaration
L4

Attested

Critical infrastructure

Weeks to achieve

  • Behavioral analysis
  • Reproducible builds
  • Commit linkage
  • Full provenance chain
  • Independent verification

MCP-Specific Security

MTF addresses attack surfaces unique to AI-assisted development that traditional package security tools miss.

Tool Description Poisoning

LLMs treat tool descriptions as trusted instructions. A malicious description can direct AI to exfiltrate data without user awareness.

CD-03

Slopsquatting

Attackers register package names commonly hallucinated by AI coding assistants, targeting AI-generated code rather than human typos.

CQ-06

Credential Blast Radius

MCP servers aggregate OAuth tokens for multiple services. Broad scopes create cascading breach potential across integrated services.

CD-04

Behavioral Mismatch

Dynamic analysis in isolated sandboxes verifies that declared permissions match actual runtime behavior.

CQ-07

Security Domains

SC

Supply Chain

SBOM generation, vulnerability scanning with EPSS/KEV, dependency pinning, license compliance

CQ

Code Quality

Secret detection, malicious pattern scanning, static analysis, behavioral analysis

AI

Artifact Integrity

Manifest validation, content hashes, cryptographic signatures, reproducible builds

PR

Provenance

Source repository linkage, author identity, SLSA build attestation, OpenSSF Scorecard

CD

Capability Declaration

Tool declarations, permission scopes, credential requirements, description safety

Resources

Specification v0.1

Full technical specification with 25 controls across all domains

JSON Schemas

Machine-readable schemas for manifests, reports, and VEX statements

Reference Scanner

Python implementation for automated MTF verification

MCPB Specification

The bundle format that MTF builds upon

mpak Registry

Discover and publish MTF-verified bundles