Ten things to think about before you ship an agent.
Every idea on the marketplace is implicitly an agent design. We run a deterministic classifier over each one and surface the 3 biggest risk categories on the result page. Below: each category, a one-sentence mitigation pointer, and the live ideas that classify there.
This taxonomy is an internal stable shape derived from the OWASP GenAI / MCP working-group efforts. As the upstream spec stabilises we'll publish the cross-reference table — until then treat these codes as a checklist, not a standard.
MCP-1Tool description tampering
1 idea on the marketplaceAn attacker rewrites a tool's description so the LLM mis-uses it. Mitigation: pin tool descriptions, reject runtime mutation.
- DramaLlama Trivia 3000 — Trivia Game based on Telenovelas
MCP-2Cross-server prompt injection
25 ideas on the marketplaceA second MCP server's output reaches the agent's context and steers it. Mitigation: source-tag every tool result, refuse cross-server instructions.
- MirrorSlap 9000 — A desktop productivity agent which tracks what you do in a day and gives you a r…
- PokéBrainrot 9000 — Need Pokémon Trivia Game
- SunBurnedSportsGenius 305 — South Florida Sports Trivia
- OmniGodBot Supreme Ultra Max — What I want to build a agent that can replace all agents kind of a agent that ca…
MCP-3Excessive agency
19 ideas on the marketplaceThe agent has more tool privileges than the user task requires. Mitigation: per-task capability scoping, explicit confirmation for destructive ops.
- MirrorSlap 9000 — A desktop productivity agent which tracks what you do in a day and gives you a r…
- PokéBrainrot 9000 — Need Pokémon Trivia Game
- SunBurnedSportsGenius 305 — South Florida Sports Trivia
- OmniGodBot Supreme Ultra Max — What I want to build a agent that can replace all agents kind of a agent that ca…
MCP-4Inadequate auth / authz
0 ideas on the marketplaceMCP server trusts a caller without verifying identity / scope. Mitigation: signed tokens, per-tool scopes, no implicit shared secrets.
MCP-5Insecure tool composition
19 ideas on the marketplaceChaining tools enables an effect neither alone permits (read+exfiltrate). Mitigation: dataflow review, taint tracking, capability slicing.
- MirrorSlap 9000 — A desktop productivity agent which tracks what you do in a day and gives you a r…
- PokéBrainrot 9000 — Need Pokémon Trivia Game
- SunBurnedSportsGenius 305 — South Florida Sports Trivia
- FilthyQuotemaster 3000 — R rated movie quotes Trivia game
MCP-6Sensitive data exposure
1 idea on the marketplacePII / secrets leak via logs, error messages, or tool inputs. Mitigation: redaction layer, content filter on tool args.
- PlantParenthood 3000 — I keep forgetting to water my plants and they all die
MCP-7Unbounded resource consumption
8 ideas on the marketplaceAn agent loop or tool call consumes runaway tokens / compute. Mitigation: per-session caps, circuit-breakers on tool retries.
- OmniGodBot Supreme Ultra Max — What I want to build a agent that can replace all agents kind of a agent that ca…
- IntelliOps OS: The Dashboard Killer — AI-Native Operating System for a Specific Industry: A modular micro-SaaS platfor…
- MetaAgentMirror 9000 — https://whycantwehaveanagentforthis.vercel.app/
- OmniDesk Phantom — a personalized Agentic ai assitant for professional users that remembers their d…
MCP-8Untrusted output rendering
0 ideas on the marketplaceTool output rendered to the user as HTML / Markdown enables XSS. Mitigation: sanitise on render, never trust tool stdout.
MCP-9Insufficient observability
0 ideas on the marketplaceNo audit trail for tool calls / decisions. Mitigation: structured per-call logs with input/output hashes, retention.
MCP-10Supply-chain compromise
2 ideas on the marketplaceMalicious or impostor MCP server installed via marketplace. Mitigation: signed manifests, reproducible builds, allow-list of providers.
- PokéDex Knows Best 3000 — Pokémon Trivia App
- NiceTriBot 9000 — choke on this https://whycantwehaveanagentforthis.vercel.app/