mcp-security-auditor

On-demand audit of MCP usage. Reads .aura/security/mcp-audit.jsonl, surfaces blocked calls, rate-limit hits, suspicious input patterns. Companion to mcp-call-gate hook (which produces the audit log).

Best use case

mcp-security-auditor is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

On-demand audit of MCP usage. Reads .aura/security/mcp-audit.jsonl, surfaces blocked calls, rate-limit hits, suspicious input patterns. Companion to mcp-call-gate hook (which produces the audit log).

Teams using mcp-security-auditor should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/mcp-security-auditor/SKILL.md --create-dirs "https://raw.githubusercontent.com/nguyenthienthanh/aura-frog/main/aura-frog/skills/mcp-security-auditor/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/mcp-security-auditor/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How mcp-security-auditor Compares

Feature / Agentmcp-security-auditorStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

On-demand audit of MCP usage. Reads .aura/security/mcp-audit.jsonl, surfaces blocked calls, rate-limit hits, suspicious input patterns. Companion to mcp-call-gate hook (which produces the audit log).

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

> **AI-consumed reference.** Optimized for Claude to read during execution.
> Human-readable explanation: see [docs/architecture/HIERARCHICAL_PLANNING.md](../../../docs/architecture/HIERARCHICAL_PLANNING.md)
> or [docs/getting-started/](../../../docs/getting-started/) depending on topic.


# MCP Security Auditor

**STATUS — v3.7.0-rc.1.** Read-only auditor; does not enforce — that's `mcp-call-gate.cjs`'s job.

## Behavior

1. Read `.aura/security/mcp-audit.jsonl` (append-only; produced by `hooks/mcp-call-gate.cjs`)
2. Group entries by:
   - Agent → MCP server → method
   - Time bucket (last 1h / 24h / session)
   - Status (success / blocked / rate-limited)
3. Project to TOON (via `scripts/json-to-toon.cjs --schema generic` or custom fields) — NEVER load raw JSONL into context
4. Surface findings categorized as:
   - **Blocked calls** (`BLOCKED:true`) — deserve investigation
   - **Rate-limit warnings** — soft (80%) or hard (100%) hits
   - **Suspicious patterns** — destructive SQL detected, large output (>10KB), high frequency

## What this skill does NOT do

- Does NOT enforce — `mcp-call-gate.cjs` is the enforcement layer
- Does NOT mutate the audit log (append-only by design)
- Does NOT call MCPs itself (read-only on the audit file)
- Does NOT proxy MCP calls — the gate hook intercepts at PreToolUse
- Does NOT decide policy — `rules/agent/mcp-security-policy.md` is authoritative

## Audit log schema (per spec §23.2)

```jsonl
{"ts":"2026-05-07T...","agent":"architect","mcp":"context7","method":"query","input":{"q":"React hooks"},"output_size_bytes":4521,"latency_ms":234,"success":true}
{"ts":"2026-05-07T...","agent":"backend","mcp":"postgres","method":"query","input":{"sql":"DROP TABLE users"},"BLOCKED":true,"reason":"destructive_op_blocked"}
{"ts":"2026-05-07T...","agent":"frontend","mcp":"figma","method":"download_image","input":{"url":"..."},"success":true,"rate_limit":"80%_warn"}
```

Sanitized input fields per `scripts/security/sanitize-mcp-input.sh`:
- Authorization headers stripped
- Tokens/secrets replaced with `[REDACTED]`
- Content-Length > 1KB → truncated with `... [N more bytes]`

## Output (TOON)

```toon
mcp_audit_summary{window,total_calls,blocked,rate_limit_hits,top_agent,top_mcp}:
  24h,142,3,2,architect,context7

blocked[3]{ts,agent,mcp,reason}:
  2026-05-07T10:30,backend,postgres,destructive_op_blocked
  2026-05-07T11:45,frontend,figma,allowlist_violation
  2026-05-07T12:10,architect,redis,destructive_op_blocked
```

## Retention (per spec §23.2)

`AF_MCP_AUDIT_RETENTION_DAYS=30` (default) — older entries are pruned by a session-start sweep (NOT this skill).

## Tie-Ins

- **Spec:** §9.10, §23 (MCP security)
- **Hook:** `hooks/mcp-call-gate.cjs` — sole writer of `.aura/security/mcp-audit.jsonl`
- **Script:** `scripts/security/sanitize-mcp-input.sh` — sanitization run by the gate before logging
- **Rule:** `rules/agent/mcp-security-policy.md` — authoritative policy
- **Rule:** `rules/agent/db-access-policy.md` — DB-specific subset (architect/tdd-engineer only, read-only default, destructive ops blocked)
- **Command:** `/aura-frog:mcp audit` — primary user-facing entry to this skill
- **Skill:** Reuses `scripts/json-to-toon.cjs` to project the JSONL into context-friendly TOON

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.