> ## Documentation Index
> Fetch the complete documentation index at: https://ctpf.q-uestionable.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Framework Coverage

> How q-ai findings map to OWASP MCP Top 10, OWASP Agentic Top 10, MITRE ATLAS, and CWE

All 10 q-ai scanners map 1:1 to [OWASP MCP Top 10](https://owasp.org/www-project-mcp-top-10/) categories. Every `audit scan` runs all scanners by default, or use `--checks` to target specific ones.

## OWASP MCP Top 10

| OWASP ID | Vulnerability                               | Scanner            | Analysis | Coverage notes                                                                                                                       |
| -------- | ------------------------------------------- | ------------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| MCP01    | Token Mismanagement & Secret Exposure       | `token_exposure`   | Both     | Checks schemas for sensitive parameter names, scans tool responses and errors for leaked secrets (JWT, API keys, bearer tokens)      |
| MCP02    | Privilege Escalation via Scope Creep        | `permissions`      | Static   | Flags excessive tool counts, dangerous capability categories, unconstrained parameters, high write/execute ratios                    |
| MCP03    | Tool Poisoning                              | `tool_poisoning`   | Static   | Detects embedded instructions, hidden Unicode, homoglyphs, description length anomalies, duplicate/shadowed tools                    |
| MCP04    | Supply Chain & Integrity                    | `supply_chain`     | Both     | Checks server identity, known CVE versions, protocol version currency, tool namespace confusion                                      |
| MCP05    | Command Injection & Execution               | `injection`        | Active   | Injects canary-marked payloads into tool parameters, detects command injection, argument injection (CWE-88), path traversal (CWE-22) |
| MCP06    | Prompt Injection via Contextual Payloads    | `prompt_injection` | Active   | Calls tools with benign inputs, scans responses for injection patterns, hidden Unicode, suspicious URLs, cross-tool manipulation     |
| MCP07    | Insufficient Authentication & Authorization | `auth`             | Active   | Tests unauthenticated enumeration and tool invocation, transport encryption, well-known port exposure                                |
| MCP08    | Lack of Audit & Telemetry                   | `audit_telemetry`  | Both     | Checks server identification, logging capability, error information disclosure, sensitive data in errors                             |
| MCP09    | Shadow MCP Servers                          | `shadow_servers`   | Static   | Analyzes server metadata and tool names for unmanaged/shadow deployment characteristics                                              |
| MCP10    | Context Injection & Over-Sharing            | `context_sharing`  | Both     | Tests for excessive context in responses, session data leakage, error context leakage, resource over-exposure                        |

**Analysis types:**

* **Static** — Analyzes tool schemas, names, and descriptions without invoking any tools. Safe by design.
* **Active** — Calls tools with test inputs and analyzes responses. May trigger side effects on the target server.
* **Both** — Combines static schema analysis with active tool invocation.

<Warning>
  Active scanners invoke tools on the target server. Only scan servers you own, control, or have explicit permission to test.
</Warning>

## Known gaps

| Scanner            | What it tests                                           | What it cannot test                                                              |
| ------------------ | ------------------------------------------------------- | -------------------------------------------------------------------------------- |
| `token_exposure`   | Secret patterns in schemas, responses, and errors       | Secrets stored in server-side memory or logs that are not returned to the client |
| `permissions`      | Tool metadata and schema structure                      | Runtime permission enforcement or dynamic capability changes                     |
| `tool_poisoning`   | Static description and name analysis                    | Dynamic poisoning introduced after initial registration (rug pulls)              |
| `supply_chain`     | Server identity, known CVEs, namespace confusion        | Build pipeline integrity or dependency graph analysis                            |
| `injection`        | Parameter-level command injection with canary detection | Blind injection without observable output, time-based detection                  |
| `prompt_injection` | Injection patterns in tool output content               | Whether injected content actually influences the calling LLM agent               |
| `auth`             | Connection-level authentication and transport security  | Fine-grained authorization policies, CORS, or session management                 |
| `audit_telemetry`  | Server metadata and error response content              | Server-side logging configuration or alerting infrastructure                     |
| `shadow_servers`   | Deployment indicators in metadata                       | Network scanning for undiscovered MCP servers                                    |
| `context_sharing`  | Response content and resource scoping                   | Cross-session isolation or context persistence across reconnections              |

<Note>
  The `inject` module provides deeper testing for MCP03 and MCP06 by measuring actual agent responses to poisoned tools. The `chain` module composes findings across categories into multi-step attack paths.
</Note>

## OWASP Agentic Top 10

All 10 categories of the [OWASP Top 10 for Agentic Applications](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/) are mapped. Each audit finding carries `framework_ids` that include the relevant Agentic Top 10 category alongside the MCP Top 10 mapping, providing coverage across both OWASP taxonomies.

## MITRE ATLAS

q-ai maps audit finding categories to [MITRE ATLAS](https://atlas.mitre.org/) technique IDs, connecting MCP-specific vulnerabilities to the broader adversarial ML threat landscape.

`reviewed_against: v5.4.0, last_reviewed: 2026-03-18`

| Category           | ATLAS Technique(s)                  |
| ------------------ | ----------------------------------- |
| command\_injection | AML.T0043, AML.T0050                |
| tool\_poisoning    | AML.T0051.000, AML.T0080, AML.T0099 |
| prompt\_injection  | AML.T0051.000, AML.T0051.001        |
| supply\_chain      | AML.T0010                           |
| auth               | AML.T0012, AML.T0040                |
| token\_exposure    | AML.T0057, AML.T0024                |
| context\_sharing   | AML.T0080, AML.T0085                |
| permissions        | AML.T0054, AML.T0081                |
| shadow\_servers    | AML.T0010, AML.T0049                |
| audit\_telemetry   | AML.T0014, AML.T0007                |

## CWE

q-ai maps audit finding categories to [CWE](https://cwe.mitre.org/) weakness IDs for integration with vulnerability management workflows.

`version: 4.19`

| Category           | CWE(s)                             |
| ------------------ | ---------------------------------- |
| command\_injection | CWE-78, CWE-88, CWE-22             |
| token\_exposure    | CWE-798, CWE-312                   |
| permissions        | CWE-269, CWE-732, CWE-1434         |
| auth               | CWE-287, CWE-306                   |
| prompt\_injection  | CWE-94, CWE-74, CWE-1427           |
| tool\_poisoning    | CWE-94, CWE-74, CWE-1426, CWE-1427 |
| supply\_chain      | CWE-1104, CWE-829                  |
| context\_sharing   | CWE-200, CWE-359, CWE-1426         |
| shadow\_servers    | CWE-345, CWE-346                   |
| audit\_telemetry   | CWE-778, CWE-223                   |

See [Scanner Coverage](/audit/scanners) for per-scanner detail and CLI usage.
