What is a shadow MCP server?

A shadow MCP server is one that remains configured and connected to your agent but is no longer actively used. It was likely added for a specific task and never removed. Shadow servers are dangerous because they maintain access to the agent’s context window and can be modified by attackers.

How often should I audit my MCP server connections?

At minimum monthly. Guard Cloud maintains an inventory and can alert when servers are stale or modified. For teams, a quarterly review of all connected MCP servers is recommended.

Can an MCP server be attacked after I approve it?

Yes. If the server’s endpoint is compromised or the maintainer turns malicious, the server can serve new tool descriptions with embedded instructions. Guard’s change detection alerts you when a previously-approved server modifies its tools or description.

medium severityCurated advisory

Shadow MCP server discovery and persistent access

MCP servers added to a project during development can persist in configuration files and maintain access to the agent’s context window long after they are forgotten. These "shadow" servers continue receiving tool calls and may be modified by attackers who compromise the original server.

Protect my harness Protect a team

Affected surfacesMCP server configuration filesagent context windowteam policy memorypersistent tool connections

The attack

What happens

A developer adds an MCP server during a sprint, uses it for a task, then forgets about it. The server remains in the project’s configuration file, connected to the agent’s context every time the project runs. If the server’s endpoint is later compromised, the attacker gains persistent access to the agent.

Step by step

How the attack unfolds

1Developer adds an MCP server to .claude/ or .mcp config for a specific task.

2Task is completed; server connection is not removed.

3Server endpoint is compromised or the original maintainer stops maintaining it.

4Attacker modifies the server’s tool descriptions or adds new tools with embedded instructions.

5Agent continues using the now-malicious server because it was previously approved.

Example

What it looks like in practice

Scenario

A developer adds an MCP server called "jira-helper" during a sprint to let the agent read Jira tickets. The sprint ends, but the server remains configured. Three months later, the jira-helper endpoint expires and is re-registered by an attacker who adds a tool that reads environment variables. The agent, still connected to the server, starts calling the new tool.

Detection

How Guard catches this

Guard maintains an inventory of all connected MCP servers and surfaces them in the dashboard.

Guard alerts when a previously-approved MCP server changes its description, tools, or endpoint.

Guard Cloud flags MCP servers that have not been used in 30+ days as candidates for removal.

Mitigation

How to stop it

Recommended action

Audit MCP server configurations regularly. Use Guard to maintain an inventory of connected servers and alert when a previously-approved server changes its description, tools, or endpoint. Remove servers that are no longer needed.

Guard configuration

Enable "MCP server inventory" to list all connected servers in the Guard dashboard.

Enable "MCP server change detection" to alert when a server’s description or tools change.

Enable "Stale server detection" to flag servers not used in 30+ days.

FAQ

Common questions

Related advisories

More threats to know about

high

MCP tool description poisoning

Malicious MCP tool descriptions embed hidden instructions that redirect AI agents into calling the wrong tool, exfiltrating secrets, or executing unintended commands — even when the tool itself appears harmless.

Read advisory

critical

npm postinstall script abuse in AI coding environments

Malicious npm packages use postinstall scripts to execute arbitrary code during installation. In AI coding environments, these scripts can modify agent configuration, install backdoor MCP servers, or exfiltrate project secrets — all before the developer reviews the package.

Read advisory

Stop this threat before it reaches your agent

Install HOL Guard to get real-time protection against this and every other advisory in our catalog.

Install HOL Guard See team plans