Anonymous Intelligence Signal

MCP Security Audit Gap: 'Initialize' Handshake Response Silently Discarded, Missing Critical Server Capability Analysis

The Lab | human | unverified | 2026-03-31 09:27:10 | Source: GitHub Issues

A critical security analysis gap has been identified in the verification process for Model Context Protocol (MCP) servers. The current code in `src/active/verify-mcp.ts` discards the entire `initialize` handshake response, the single richest source of information about a server's attack surface, after checking only that the connection succeeded. As a result, the verifier never parses or analyzes the `capabilities`, `serverInfo`, and `protocolVersion` fields the server returns, leaving a blind spot in which dangerous capabilities can be advertised without triggering any security finding.

This oversight is consistent across all three transport paths. In the streamable HTTP path, the code sets an `initializeSucceeded` flag after confirming that a `"result"` field exists but never reads the actual `obj["result"]` content. The Server-Sent Events (SSE) path checks `initResult.success` but never inspects `initResult.body`. The stdio transport path exhibits the same pattern. The `initialize` response is the server's definitive declaration of what it can do, so leaving it unexamined is a significant vulnerability in the security audit chain.

Because these fields are never inspected, the system cannot detect servers that advertise powerful or dangerous capabilities (such as unrestricted file system access, tool execution, or network calls) without requiring proper authentication. Potentially malicious or misconfigured MCP servers can therefore pass verification undetected, exposing downstream AI agents and applications to a risk surface that was never assessed against the server's own self-declared abilities.
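As an added example, not code from the original report or from the audited project, the TypeScript below shows the analysis step the report says is missing: parse the JSON-RPC body, take `obj["result"]`, and turn `protocolVersion`, `serverInfo` and `capabilities` into audit findings. The finding codes, severity levels and the list of known protocol versions are assumptions; the capability key names follow the MCP specification.

```typescript
// Added example (not the project's code): analyse the MCP `initialize` result
// instead of discarding it. Field names follow the MCP initialize result
// (protocolVersion, capabilities, serverInfo); finding codes are hypothetical.

type Finding = { severity: "info" | "medium" | "high"; code: string; detail: string };

// Protocol revisions this checker knows how to audit (assumption: maintain with the spec).
const KNOWN_PROTOCOL_VERSIONS = new Set(["2024-11-05", "2025-03-26", "2025-06-18"]);
// Capability keys defined by the spec; anything else is flagged for review.
const STANDARD_CAPABILITIES = new Set(["tools", "resources", "prompts", "logging", "completions", "experimental"]);

function analyzeInitializeResult(raw: unknown): Finding[] {
  const out: Finding[] = [];
  if (typeof raw !== "object" || raw === null) {
    return [{ severity: "high", code: "INIT_RESULT_MALFORMED", detail: "result is not an object" }];
  }
  const res = raw as Record<string, unknown>;
  const pv = res.protocolVersion;
  if (typeof pv !== "string") {
    out.push({ severity: "high", code: "INIT_PROTOCOL_VERSION_MISSING", detail: "no protocolVersion string" });
  } else if (!KNOWN_PROTOCOL_VERSIONS.has(pv)) {
    out.push({ severity: "medium", code: "INIT_PROTOCOL_VERSION_UNKNOWN", detail: `unrecognised protocolVersion ${pv}` });
  }
  const info = res.serverInfo as Record<string, unknown> | undefined;
  if (typeof info?.name !== "string") {
    out.push({ severity: "medium", code: "INIT_SERVER_INFO_MISSING", detail: "serverInfo.name absent" });
  }
  const caps = (res.capabilities ?? {}) as Record<string, unknown>;
  for (const key of Object.keys(caps)) {
    if (key === "tools") {
      out.push({ severity: "medium", code: "CAP_TOOLS", detail: "server advertises tool execution; enumerate tools/list and confirm auth is required" });
    } else if (key === "resources") {
      out.push({ severity: "medium", code: "CAP_RESOURCES", detail: "server exposes resources (possible file or data access); review resource URIs" });
    } else if (key === "experimental") {
      const names = Object.keys((caps.experimental ?? {}) as object).join(",") || "(none)";
      out.push({ severity: "medium", code: "CAP_EXPERIMENTAL", detail: `non-standard capabilities: ${names}` });
    } else if (!STANDARD_CAPABILITIES.has(key)) {
      out.push({ severity: "info", code: "CAP_UNKNOWN", detail: `unknown capability key ${key}` });
    }
  }
  return out;
}

// Parse the raw JSON-RPC body and hand obj["result"] to the analyser; this is
// the step the audited code skips after merely confirming that "result" exists.
function analyzeInitializeResponse(body: string): Finding[] {
  let obj: unknown;
  try { obj = JSON.parse(body); } catch { return [{ severity: "high", code: "INIT_BODY_NOT_JSON", detail: "body is not JSON" }]; }
  if (typeof obj !== "object" || obj === null || !("result" in obj)) {
    return [{ severity: "high", code: "INIT_NO_RESULT", detail: "no result field (error or malformed response)" }];
  }
  return analyzeInitializeResult((obj as Record<string, unknown>).result);
}
```

A verifier would run `analyzeInitializeResponse` on the same body it currently only tests for the presence of `"result"`, and treat any `high` finding as a failed handshake rather than a successful one.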