Security
Risk analysis guide

Risk Detection & Security Analysis

Kilometers CLI includes client-side risk detection to identify potentially dangerous MCP operations and prioritize security monitoring.

How Risk Detection Works

The CLI analyzes MCP events in real time using pattern matching, content analysis, and payload size evaluation to assign risk scores from 10 (low) to 100 (critical).

  • Pattern Matching: Detects access to sensitive files and system paths
  • Content Analysis: Identifies dangerous database queries and admin operations
  • Size Analysis: Flags unusually large payloads that may indicate data exfiltration
  • Method Analysis: Evaluates MCP methods by their potential security impact

Risk Levels & Patterns

HIGH RISK (75+)
7 patterns

System files, credentials, and admin operations

Detected Patterns:

  • /etc/passwd
  • /etc/shadow
  • /.ssh/id_rsa
  • /root/
  • /etc/sudoers
  • /proc/
  • /sys/

MEDIUM RISK (35+)
7 patterns

Environment files, database queries, and sensitive operations

Detected Patterns:

  • .env
  • config.json
  • database.json
  • /var/log/
  • SELECT.*FROM.*users
  • DELETE.*FROM
  • DROP.*TABLE

LOW RISK (10+)
4 patterns

Standard MCP operations and basic tool usage

Detected Patterns:

  • tools/call
  • resources/read
  • prompts/get
  • resources/list

MCP Method Risk Assessment

Risk scores vary based on the MCP method and the content being accessed. The same method can have different risk levels depending on the parameters.

  • resources/read (HIGH): Can access sensitive files
  • tools/call (HIGH): Can execute system operations
  • resources/write (MEDIUM): Can modify files
  • prompts/get (MEDIUM): May expose sensitive prompts
  • tools/list (LOW): List available tools
  • resources/list (LOW): List available resources
  • ping (LOW): Basic connectivity check

Configuration Examples

Enable Risk Detection

Turn on client-side risk analysis

COMMAND
KM_ENABLE_RISK_DETECTION=true km your-mcp-server

High-Risk Events Only

Only capture events with high risk scores (75+)

COMMAND
KM_HIGH_RISK_ONLY=true km your-mcp-server

Debug Risk Scoring

See risk scores for all events in debug output

COMMAND
KM_DEBUG=true KM_ENABLE_RISK_DETECTION=true km your-mcp-server

Security Monitoring Mode

Complete security-focused configuration

COMMAND
KM_ENABLE_RISK_DETECTION=true \
KM_HIGH_RISK_ONLY=true \
KM_PAYLOAD_SIZE_LIMIT=5120 \
KM_DEBUG=true \
km your-mcp-server

Debug Output Example

When debug mode is enabled with risk detection, you'll see detailed risk analysis:

[km] Captured request: method=resources/read, risk=HIGH(85), size=245
[km] Risk analysis: Pattern match '/etc/passwd' triggered HIGH risk
[km] Captured response: method=resources/read, risk=HIGH(75), size=1024
[km] Filtered request: method=ping, risk=LOW(10), size=32
[km] Successfully sent batch of 2 events to API
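
The debug lines above can be turned into alert candidates with a small parser. This is an added example, not part of the Kilometers CLI: it assumes the line format shown above is stable, that a "Risk analysis" line explains the event line just before it, and that the size field is comparable to the 5120 limit used in the Security Monitoring Mode command. The function names are hypothetical.

```python
import re

# Constructed sample in the debug format shown above (not real capture data).
SAMPLE = """\
[km] Captured request: method=resources/read, risk=HIGH(85), size=245
[km] Risk analysis: Pattern match '/etc/passwd' triggered HIGH risk
[km] Captured response: method=resources/read, risk=HIGH(75), size=1024
[km] Filtered request: method=ping, risk=LOW(10), size=32
[km] Captured request: method=tools/call, risk=MEDIUM(40), size=9000
[km] Successfully sent batch of 2 events to API
"""

EVENT = re.compile(r"^\[km\] (Captured|Filtered) (request|response): "
                   r"method=(\S+), risk=([A-Z]+)\((\d+)\), size=(\d+)$")
MATCH = re.compile(r"^\[km\] Risk analysis: Pattern match '(.+)' triggered")

def parse_events(text):
    """Return one dict per event line. A following 'Risk analysis' line is
    attached to the preceding event (assumed ordering, as in the sample)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := EVENT.match(line):
            action, kind, method, level, score, size = m.groups()
            events.append({"action": action, "kind": kind, "method": method,
                           "level": level, "score": int(score),
                           "size": int(size), "pattern": None})
        elif (m := MATCH.match(line)) and events:
            events[-1]["pattern"] = m.group(1)
    return events

def alerts(events, min_score=75, size_limit=5120):
    """Select events scoring at or above min_score (the page's HIGH floor)
    or with a payload larger than size_limit (assumed same unit as size=)."""
    out = []
    for e in events:
        reasons = []
        if e["score"] >= min_score:
            reasons.append("high-risk")
        if e["size"] > size_limit:
            reasons.append("large-payload")
        if reasons:
            out.append((e, reasons))
    return out

if __name__ == "__main__":
    for e, why in alerts(parse_events(SAMPLE)):
        print(",".join(why), e["kind"], e["method"], e["score"], e["size"], e["pattern"])
```

Lines that do not match the event format, such as the batch confirmation, are ignored rather than treated as errors.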

Security Best Practices

Recommended Configuration

  • Enable risk detection for all environments
  • Use high-risk-only mode for production
  • Set reasonable payload size limits
  • Monitor risk score trends over time

Monitoring Alerts

  • Set up alerts for high-risk events
  • Monitor unusual payload sizes
  • Track access to sensitive file patterns
  • Review risk scores in your dashboard