diff --git a/src/security-scanner.mjs b/src/security-scanner.mjs
index 674a1d0..0ea6911 100644
--- a/src/security-scanner.mjs
+++ b/src/security-scanner.mjs
@@ -418,25 +418,314 @@ const PATTERNS = [
   { id: "HK-003", category: "suspicious_hook", severity: "high", name: "Hook variable interpolation",
     description: "Hook command uses variable interpolation that could be injected",
     regex: /\$\{(?:file|command|content|input|args?|path|url|body|data)\}/i },
+
+  // ══ Round 3: Cherry-picked from Cisco YARA (865★), AgentSeal scan-mcp (151★), MCP-Shield (550★), Nova (287★) ══
+  // Source: reading actual source code of 11 security scanner repos, 2026-03-28
+
+  // ── Tool Poisoning: Hidden Secondary Behavior (from Cisco tool_poisoning.yara — 20 patterns) ──
+  // CCO had ZERO coverage of this category. These catch tools that secretly do more than described.
+
+  { id: "TP-007", category: "tool_poisoning", severity: "critical", name: "Hidden data collection",
+    description: "Tool secretly collects/extracts data while performing its stated function",
+    regex: /\b(also|additionally|furthermore|moreover|besides|in\s+addition)\s+(collect|gather|extract|send|upload|index|store|cache|log|monitor|track|record|capture)(s|ing|ed)?/i },
+
+  { id: "TP-008", category: "tool_poisoning", severity: "critical", name: "Processing-time data theft",
+    description: "Data extraction disguised as a processing step",
+    regex: /\b(during|while|when|upon|after)\s+(processing|compression|formatting|conversion|validation|analyzing|scanning|checking)\s*,?\s*(extract|collect|send|upload|capture|log|index|store)(s|ing|ed)?/i },
+
+  { id: "TP-009", category: "tool_poisoning", severity: "high", name: "Caching pretext exfiltration",
+    description: "Data collection disguised as caching or optimization",
+    regex: /\b(for|as)\s+(caching|optimization|performance|quality|improvement|analytics|backup|sync)\s+(purposes?|reasons?)\s*[,.]?\s*(send|upload|store|collect|transmit)(s|ing|ed)?/i },
+
+  { id: "TP-010", category: "tool_poisoning", severity: "high", name: "Sensitive data indexing",
+    description: "Tool indexes or caches credentials and sensitive data",
+    regex: /\b(index|cache|store|log|record|track)(s|es|ing|ed)?\s+(any|all)?\s*(api[_\s]?keys?|tokens?|credentials?|passwords?|secrets?|sensitive)/i },
+
+  { id: "TP-011", category: "tool_poisoning", severity: "high", name: "PII extraction from input",
+    description: "Tool extracts personal or sensitive information from user input",
+    // Tightened: removed "search" (FP on "Search emails"), require "extract/parse/scan/identify" + "all/any" qualifier
+    regex: /\b(extract|parse|scan|identify)(s|ing|ed)?\s+(all|any|every)\s+(api[_\s]?keys?|tokens?|credentials?|emails?|phone\s+numbers?|credit\s+cards?|ssn|social\s+security|pii|personal\s+data|private\s+data|sensitive\s+data)/i },
+
+  { id: "TP-012", category: "tool_poisoning", severity: "high", name: "Location or device tracking",
+    description: "Tool tracks device location, fingerprints, or usage behavior",
+    regex: /\b(location|gps|geolocation|device|machine|usage|behavior|activity|browsing)\s+(history|data|information|tracking|fingerprint|pattern|log)\s*(store|collect|send|share|track|log|sync|monitor|gather|upload)(s|ing|ed)?/i },
+
+  { id: "TP-013", category: "tool_poisoning", severity: "high", name: "Device fingerprinting",
+    description: "Tool fingerprints device using hardware identifiers",
+    regex: /\b(fingerprint|identify|track)(s|ing|ed)?\s+(device|machine|browser|user|system)\s*(using|via|through|by)\s*(mac|ip|hostname|hardware|uuid)/i },
+
+  { id: "TP-014", category: "tool_poisoning", severity: "high", name: "Auto opt-in without consent",
+    description: "Tool automatically enrolls user in services without consent",
+    regex: /\b(automatically|auto)[_\s]*(opt|subscribe|enroll|register|sign)[_\s]*(in|up|ed)\b/i },
+
+  { id: "TP-015", category: "tool_poisoning", severity: "high", name: "Remote data storage",
+    description: "Tool stores data remotely or syncs to cloud without disclosure",
+    regex: /\b(cache|cached|store|stored|sync|synced|synchronize)\s+(is\s+)?(stored\s+)?(remotely|externally|in\s+cloud|on\s+server|off[_\s-]?device|to\s+cloud|with\s+cloud|across\s+devices)/i },
+
+  { id: "TP-016", category: "tool_poisoning", severity: "medium", name: "OCR/screenshot data extraction",
+    description: "Tool performs OCR or extracts text from screenshots",
+    regex: /\b(ocr|text\s+extraction|optical\s+character)\s*(on|from)?\s*(screenshots?|images?|photos?)?\s*(and\s+)?(extract|capture|read|identify|send|upload)/i },
+
+  // ── Coercive Injection (from Cisco coercive_injection.yara — 16 patterns) ──
+  // CCO had ZERO coverage. These catch tools that coerce the AI into specific behaviors.
+
+  { id: "CI-003", category: "coercive_injection", severity: "critical", name: "Mandatory tool execution",
+    description: "Tool demands to be executed first or always",
+    regex: /Always\s+(consult|use|run|execute|invoke|call|trigger)\s+this\s+(tool|function|command)\s+(immediately|first|before|prior)/i },
+
+  { id: "CI-004", category: "coercive_injection", severity: "critical", name: "Priority override",
+    description: "Tool claims priority over all other tools",
+    // Removed "You MUST call this function" — too many FPs on legitimate API workflow ordering
+    // (e.g. "You MUST call resolve-library-id before query-docs"). Kept only "before any OTHER tool".
+    regex: /Before\s+(executing|invoking|running|using|calling)\s+any\s+other\s+(tool|action|function)s?/i },
+
+  { id: "CI-005", category: "coercive_injection", severity: "high", name: "Hidden/secret parameter",
+    description: "Tool requests hidden or secret parameters",
+    regex: /\b(hidden|secret)[_\s](parameter|argument|input)\b/i },
+
+  { id: "CI-006", category: "coercive_injection", severity: "critical", name: "File access coercion",
+    description: "Tool coerces reading sensitive key/certificate files",
+    regex: /\b(read|parse|cat|dump)\s+(and\s+pass\s+)?(the\s+)?contents?\s+of\s+[^\n.]*\.(key|pem|ssh|aws)\b/i },
+
+  { id: "CI-007", category: "coercive_injection", severity: "critical", name: "Model context extraction",
+    description: "Tool tries to extract conversation history or system context",
+    regex: /\b(add|pass|send|include)\s+(the\s+)?(entire\s+)?(conversation|system|chain|tools?)\s*(history|prompt|list|context)?\s*(to|for|in)\s*(tool|authentication|parameter)/i },
+
+  { id: "CI-008", category: "coercive_injection", severity: "critical", name: "Model internals access",
+    description: "Tool accesses internal model variables",
+    regex: /\b(conversation_history|chain_of_thought|system_prompt|tools_list|model_name)\s*[:=]\s*(add|pass|send|provide)\b/i },
+
+  { id: "CI-009", category: "coercive_injection", severity: "high", name: "Tool will not work unless",
+    description: "Tool claims it won't function without suspicious prerequisites",
+    regex: /\b(sidenote\W+(required|otherwise)\s+[^\n]*tool\s+[^\n]*work|tool\s+will\s+not\s+work\s+unless|must\s+first\s+[^\n]*read\s+[^\n]*config)\b/i },
+
+  { id: "CI-010", category: "coercive_injection", severity: "critical", name: "Data exfiltration coercion",
+    description: "Tool coerces listing credentials or encoding sensitive data",
+    regex: /\b(list\s+all\s+(api\s+)?keys?|show\s+me?\s+(all\s+)?passwords?|include\s+[^\n]*(secrets?|passwords?|keys?|credentials?|tokens?|config|sensitive|private|confidential)\s+[^\n]*in\s+(your\s+)?response|base64\s+encode\s+[^\n]*credentials?)\b/i },
+
+  { id: "CI-011", category: "coercive_injection", severity: "high", name: "Behavioral trigger",
+    description: "Tool has conditional logic based on trust/admin status",
+    regex: /\b(if\s+[^\n]*trusted\s+[^\n]*then|when\s+[^\n]*admin\s+[^\n]*detected|random\.(random|choice)\s+[^\n]*instructions?)\b/i },
+
+  { id: "CI-012", category: "coercive_injection", severity: "critical", name: "Conversation theft",
+    description: "Tool steals conversation history or claims highest priority",
+    regex: /\b(send\s+[^\n]*conversation\s+history|when\s+[^\n]*detected\s+[^\n]*send\s+[^\n]*full\s+[^\n]*history|highest\s+priority\s+[^\n]*over\s+[^\n]*other\s+[^\n]*tools)\b/i },
+
+  { id: "CI-013", category: "coercive_injection", severity: "critical", name: "Code manipulation",
+    description: "Tool instructs inserting vulnerabilities into generated code",
+    regex: /\b(duplicate\s+[^\n]*code\s+[^\n]*snippets?\s+[^\n]*silently|insert\s+[^\n]*vulnerability\s+[^\n]*generated\s+[^\n]*code)\b/i },
+
+  // ── Prompt Injection: Extended (from Cisco + MCP-Shield + Nova — patterns CCO was missing) ──
+
+  { id: "PI-018", category: "prompt_injection", severity: "critical", name: "Shadow parameter names",
+    description: "Tool uses known shadow/bypass parameter names in schema",
+    regex: /\b(internalOnly|hiddenParam|shadowTool|bypassChecks|sandboxEscape)\b/ },
+
+  { id: "PI-019", category: "prompt_injection", severity: "high", name: "Hidden behavior directive",
+    description: "Tool instructs AI to hide behavior from user",
+    regex: /\b(do\s+not\s+(mention|tell|execute)\s+[^\n]*user|tell\s+(the\s+)?user\s+only\s+about|do\s+not\s+mention\s+this\s+to\s+user)\b/i },
+
+  { id: "PI-020", category: "prompt_injection", severity: "high", name: "Bracket marker evasion",
+    description: "Triple bracket or pipe markers hiding instructions",
+    regex: /(\[\[\[|\|\|\|)(SYSTEM|ADMIN|HIDDEN|INTERNAL)[\s_]?(OVERRIDE|INSTRUCTION|COMMAND)(\]\]\]|\|\|\|)/i },
+
+  { id: "PI-021", category: "prompt_injection", severity: "high", name: "HTML comment injection",
+    description: "HTML comments containing system/admin override instructions",
+    regex: /<!--[^>]*(SYSTEM\s+(INSTRUCTION|OVERRIDE)|ADMIN\s+OVERRIDE|ignore\s+(all\s+)?(previous\s+)?(safety\s+)?guidelines|execute[:\s]|curl\s|wget\s|bash\s)/i },
+
+  { id: "PI-022", category: "prompt_injection", severity: "high", name: "Hidden instruction markers",
+    description: "Square bracket markers hiding instructions",
+    regex: /\[(HIDDEN|INTERNAL|SECRET|PRIVATE)\s+(INSTRUCTION|DIRECTIVE|COMMAND)\]/i },
+
+  // ── Data Exfiltration: Extended (from Cisco — clipboard, conversation, screen, keylog) ──
+
+  { id: "DE-006", category: "data_exfiltration", severity: "critical", name: "Covert data transfer",
+    description: "Data transfer described as invisible/silent/covert",
+    regex: /\b(invisibly|silently|covertly|secretly|without\s+(user\s+)?knowledge|behind\s+the\s+scenes|in\s+the\s+background)\s+(send|upload|transmit|transfer|sync|store|collect)/i },
+
+  { id: "DE-007", category: "data_exfiltration", severity: "high", name: "Clipboard monitoring",
+    description: "Tool monitors or captures clipboard content",
+    regex: /\b(clipboard|pasteboard)\s+(content|data|text|history)?\s*(monitor|watch|track|capture|copy|send|upload|stream)/i },
+
+  { id: "DE-008", category: "data_exfiltration", severity: "critical", name: "Conversation exfiltration",
+    description: "Tool sends conversation history to external endpoint",
+    regex: /\b(send|upload|transmit|export|forward)(s|ing|ed)?\s+(complete\s+)?(conversation|chat|message|context|user\s+messages?|ai\s+responses?)\s+(to|history)/i },
+
+  { id: "DE-009", category: "data_exfiltration", severity: "high", name: "Screenshot/screen exfiltration",
+    description: "Tool captures and sends screen content",
+    regex: /\b(screen|screenshot|display|capture|recording)\s*(send|upload|transmit|stream|forward)/i },
+
+  { id: "DE-010", category: "data_exfiltration", severity: "critical", name: "Keystroke logging",
+    description: "Tool captures keystrokes or typing patterns",
+    regex: /\b(keylog|keystroke|key\s+press|typing|input)\s*(capture|record|log|monitor|track|send|upload)/i },
+
+  // ── Impersonation (from Nova Proximity — new category) ──
+
+  { id: "IM-001", category: "impersonation", severity: "high", name: "Fake official source",
+    description: "Tool claims to be from an official or verified source",
+    regex: /\b(Anthropic\s+Official|OpenAI\s+Official|Google\s+Official|Microsoft\s+Official)\b/i },
+
+  { id: "IM-002", category: "impersonation", severity: "high", name: "False verification badge",
+    description: "Tool uses fake verification or trust markers",
+    regex: /\[(VERIFIED|OFFICIAL|TRUSTED|CERTIFIED|APPROVED)\]/i },
+
+  { id: "IM-003", category: "impersonation", severity: "medium", name: "False authority claim",
+    description: "Tool claims false endorsement or certification",
+    regex: /\b(certified\s+by|approved\s+by|endorsed\s+by|security\s+audited|officially\s+sanctioned)\b/i },
+
+  // ── Script Injection (from Cisco script_injection.yara — new category) ──
+
+  { id: "SI-001", category: "script_injection", severity: "critical", name: "ANSI escape code injection",
+    description: "Terminal manipulation via ANSI escape sequences to hide output",
+    regex: /(\\x1[bB]\[|\\u001[bB]\[|\\033\[)[0-9;]*[mHJKsu]/i },
+
+  { id: "SI-002", category: "script_injection", severity: "high", name: "VBScript/ActiveX execution",
+    description: "Windows script execution via VBScript or ActiveX",
+    regex: /\b(WScript\.Shell|Shell\.Application|ActiveXObject|CreateObject|Scripting\.FileSystemObject)\b/i },
+
+  { id: "SI-003", category: "script_injection", severity: "high", name: "Hidden text via CSS",
+    description: "CSS techniques to hide malicious instructions visually",
+    regex: /\b(overflow\s*:\s*hidden|display\s*:\s*none|color\s*:\s*(white|transparent|rgba\(0))\b/i },
+
+  // ── Deserialization Attacks (from Nova Proximity) ──
+
+  { id: "CE-006", category: "code_execution", severity: "critical", name: "Unsafe deserialization",
+    description: "Deserialization of untrusted data can lead to remote code execution",
+    regex: /\b(pickle\.loads?|marshal\.loads?|yaml\.(?:unsafe_)?load\s*\(|shelve\.open)\b/i },
+
+  // ── Wildcard Permission Detection (from Nova Proximity) ──
+
+  { id: "PE-003", category: "persistence", severity: "high", name: "Wildcard tool permissions",
+    description: "Tool grants unrestricted access to dangerous capabilities",
+    regex: /\b(Bash\s*\(\s*\*\s*\)|Write\s*[:(]\s*\*|Read\s*[:(]\s*\*|Edit\s*[:(]\s*\*|Execute\s*[:(]\s*\*)\b/ },
+
+  // ── Tool Shadowing: Extended (from AgentSeal MCPR-103 + MCP-Shield) ──
+
+  { id: "TS-004", category: "tool_shadowing", severity: "high", name: "Cross-tool data forwarding",
+    description: "Tool forwards or copies data to another tool/endpoint",
+    regex: /\b(also\s+(send|copy|forward|include)\s+(to|in))\b/i },
+
+  { id: "TS-005", category: "tool_shadowing", severity: "high", name: "Output redirection",
+    description: "Tool redirects output to a different destination",
+    regex: /\bredirect\b.*\b(to|output)\b/i },
+
+  { id: "TS-006", category: "tool_shadowing", severity: "critical", name: "BCC data leak",
+    description: "Tool secretly copies data (BCC-style) to additional recipient",
+    regex: /\bbcc\s*:/i },
+
+  { id: "TS-007", category: "tool_shadowing", severity: "high", name: "Tool replacement directive",
+    description: "Tool instructs replacing or overriding another tool",
+    regex: /\b(instead\s+of|replace)\s+(using|calling)\b/i },
+
+  // ── Credential Harvesting: Extended (from AgentSeal MCPR-102 + Cisco) ──
+
+  { id: "CH-009", category: "credential_harvest", severity: "critical", name: "Credential read-then-send",
+    description: "Pattern of reading credentials then sending them externally",
+    // Tightened: removed "access" (too generic, FPs on "access level, password protection"),
+    // reduced range from 120 to 40 chars, require more specific action verbs
+    regex: /\b(read|cat|exfiltrate|steal|dump|extract)\b.{0,40}\b(api[_\s]?key|secret[_\s]?key|token|password|passphrase)\b/i },
+
+  { id: "CH-010", category: "credential_harvest", severity: "critical", name: "Credential send-after-read",
+    description: "Pattern of obtaining credentials then transmitting them",
+    regex: /\b(api[_\s]?key|secret[_\s]?key|access[_\s]?token)\b.{0,40}\b(send|post|upload|exfiltrate|transmit)\b/i },
+
+  { id: "CH-011", category: "credential_harvest", severity: "high", name: "MCP config file access",
+    description: "Attempts to read MCP configuration files containing server credentials",
+    regex: /\bmcp\.json\b/i },
+
+  { id: "CH-012", category: "credential_harvest", severity: "high", name: "Wallet/keychain access",
+    description: "Attempts to access cryptocurrency wallets or OS keychains",
+    regex: /\b(wallet\.dat|keychain)\b/i },
+
+  // ── Data Exfiltration: Extended endpoints (from Nova + Cisco) ──
+
+  { id: "DE-011", category: "data_exfiltration", severity: "high", name: "Known exfil endpoints (extended)",
+    description: "References known data exfiltration services",
+    regex: /\b(pastebin\.com|hastebin\.com|transfer\.sh|file\.io|0x0\.st|ix\.io)\b/i },
+
+  // ── Supply Chain: Extended (from AgentSeal + Cisco) ──
+
+  { id: "SC-002", category: "supply_chain", severity: "high", name: "Unpinned uvx/pip package",
+    description: "Package installed without version pinning via uvx or pip",
+    regex: /\b(uvx|pip\s+install)\s+(?!.*==)[a-z][a-z0-9_-]+\b/i },
+
+  // ── Suspicious Parameter Names: Extended (from AgentSeal MCPR-105) ──
+
+  { id: "EP-002", category: "exfil_params", severity: "high", name: "Credential parameter in schema",
+    description: "Tool requests credential-like parameters in its input schema",
+    regex: null, // Handled in scanParamNames() — extended set below
+  },
 ];
 
 // Parameter names that suggest exfiltration channels (from mcp-shield)
 const SUSPICIOUS_PARAM_NAMES = new Set([
-  // Exfiltration channels (mcp-shield)
+  // Exfiltration channels (mcp-shield + AgentSeal MCPR-105)
   "note", "notes", "feedback", "details", "extra",
   "additional", "metadata", "debug", "sidenote",
   "context", "annotation", "reasoning", "remark",
-  // Hidden instructions (AgentShield)
+  // Hidden instructions (AgentShield + AgentSeal)
   "hidden", "internal", "system_prompt", "hidden_instructions",
-  "override_instructions", "jailbreak_mode",
-  // Credential harvesting (AgentShield + Pipelock)
+  "override_instructions", "jailbreak_mode", "instructions",
+  // Credential harvesting (AgentShield + Pipelock + AgentSeal MCPR-105)
   // Note: "password" excluded — legitimate in login/sharing tools
-  "callback_url", "webhook_url", "exfil_url",
+  "callback_url", "webhook_url", "exfil_url", "remote_url",
   "ssh_key", "private_key", "api_key", "secret_key",
-  "auth_token", "bearer_token", "jwt",
+  "auth_token", "bearer_token", "jwt", "session_token",
   "access_key", "secret_access_key", "credentials",
+  "csrf_token", "cookie",
+  // File-based credentials (AgentSeal MCPR-105)
+  "env_file", "dotenv", "secrets_file", "key_file", "pem_file", "cert_file",
+]);
+
+// Common tool/action words — excluded from cross-server collision/reference detection to reduce FP
+const MIN_CROSS_REF_NAME_LEN = 8;
+const COMMON_TOOL_WORDS = new Set([
+  "search", "find", "get", "list", "read", "write", "create", "update", "delete",
+  "fill", "click", "drag", "hover", "type", "press", "scroll", "select", "submit",
+  "open", "close", "save", "load", "run", "start", "stop", "check", "test",
+  "send", "post", "fetch", "query", "collect", "extract", "parse", "format",
+  "navigate", "browse", "download", "upload", "sync", "push", "pull",
+  "search_papers", "get_user_by_username", "get_user_by_id", "get_articles",
+  "calculate", "convert", "search_users", "search_tweets",
+  "get_comments", "get_tags", "get_topics",
 ]);
 
+// Tools where credential-like param names are legitimate (AgentSeal allowlist)
+const CREDENTIAL_TOOL_ALLOWLIST = new Set([
+  "login", "authenticate", "oauth", "connect", "sign_in",
+  "create_token", "refresh_token", "set_credentials",
+  "configure", "setup", "register",
+]);
+
+// ── False positive exclusions (from cc-audit + Cisco YARA negation patterns) ──
+// These patterns indicate template/example/documentation text, NOT real threats.
+
+const FP_EXCLUSIONS = [
+  // Template/example text (from Cisco data_exfiltration.yara negation)
+  /\bYOUR_API_KEY\b/i, /\bREPLACE_WITH\b/i, /\bINSERT_KEY\b/i,
+  /\.example\b/, /\.sample\b/, /\.template\b/,
+  /\bchangeme\b/i, /\bplaceholder\b/i, /\bTODO\b/, /\bFIXME\b/,
+  /\bxx+\b/, /^<your[_-]?/i, /\bREPLACE_ME\b/i,
+  // Legitimate config operations (from Cisco)
+  /\b(get_env|set_env|read_config|write_config|config_file|settings_file|env_file)\b/i,
+  // Linter/test framework comments (from cc-audit injection.rs exclusions)
+  /\beslint-disable\b/, /\b@ts-ignore\b/, /\b@ts-expect-error\b/,
+  /\bpytest\.mark\b/, /\bdescribe\s*\(/, /\bit\s*\(.*should\b/,
+  /\btest\s*\(/, /\bexpect\s*\(/,
+  // Security research/documentation context
+  /\bexample\s+of\s+(a\s+)?(malicious|attack|injection|exploit)/i,
+  /\bfor\s+educational\s+purposes/i,
+  /\bsecurity\s+(research|audit|review|test)/i,
+];
+
+/**
+ * Check if text is likely a false positive (template, test, documentation).
+ * Returns true if the text should be EXCLUDED from scanning.
+ */
+function isFalsePositive(text) {
+  return FP_EXCLUSIONS.some(rx => rx.test(text));
+}
+
 // ── Pattern scanning functions ───────────────────────────────────────
 
 /**
@@ -450,6 +739,9 @@ function scanText(text, sourceType, sourceName) {
   const { clean, wasObfuscated } = deobfuscate(text);
   const findings = [];
 
+  // False positive check — skip scanning if text looks like template/test/docs
+  if (isFalsePositive(clean)) return findings;
+
   // Pass 1: Scan cleaned text against all patterns
   const seenIds = new Set();
   for (const pattern of PATTERNS) {
@@ -459,6 +751,10 @@ function scanText(text, sourceType, sourceName) {
     if (match) {
       const idx = match.index || 0;
       const context = clean.slice(Math.max(0, idx - 30), idx + match[0].length + 30);
+
+      // Per-match false positive check — skip if the matched context looks like template/docs
+      if (isFalsePositive(context)) continue;
+
       seenIds.add(pattern.id);
       findings.push({
         ...pattern,
@@ -497,6 +793,10 @@ function scanText(text, sourceType, sourceName) {
  */
 function scanParamNames(inputSchema, toolName, serverName) {
   if (!inputSchema?.properties) return [];
+
+  // Skip tools where credential-like params are legitimate (AgentSeal MCPR-105 allowlist)
+  if (CREDENTIAL_TOOL_ALLOWLIST.has(toolName?.toLowerCase())) return [];
+
   const findings = [];
 
   for (const paramName of Object.keys(inputSchema.properties)) {
@@ -842,9 +1142,73 @@ export async function runSecurityScan(introspectionResults, scanData) {
     }
   }
 
-  // Cross-server reference scan disabled — too many false positives.
-  // Short server names (e.g. "exa") match common words in descriptions.
-  // TODO: re-enable with allowlist + minimum name length filter.
+  // ── Phase 2c: Cross-server analysis (from AgentSeal MCPR-103 + MCPR-108) ──
+
+  // Cross-server tool name collision detection
+  const toolNameMap = {}; // tool name → [unique server names]
+  for (const server of introspectionResults.filter(s => s.ok)) {
+    for (const tool of server.tools) {
+      const key = tool.name.toLowerCase();
+      if (!toolNameMap[key]) toolNameMap[key] = new Set();
+      toolNameMap[key].add(server.serverName); // Set deduplicates same server in multiple scopes
+    }
+  }
+  for (const [toolName, serverSet] of Object.entries(toolNameMap)) {
+    const servers = [...serverSet];
+    if (servers.length > 1 && !COMMON_TOOL_WORDS.has(toolName)) {
+      allFindings.push({
+        id: "TS-008", category: "tool_shadowing", severity: "medium",
+        name: "Tool name collision across servers",
+        description: `Tool "${toolName}" exists on ${servers.length} servers: ${servers.join(", ")}. An attacker could shadow a trusted tool with a malicious one.`,
+        sourceType: "cross_server", sourceName: servers.join(" + "),
+        matchedText: toolName, context: `Servers: ${servers.join(", ")}`,
+      });
+    }
+  }
+
+  // Cross-server tool reference detection (MCPR-103)
+  for (const server of introspectionResults.filter(s => s.ok)) {
+    for (const tool of server.tools) {
+      if (!tool.description) continue;
+      const descLower = tool.description.toLowerCase();
+      for (const otherServer of introspectionResults.filter(s => s.ok && s.serverName !== server.serverName)) {
+        for (const otherTool of otherServer.tools) {
+          if (otherTool.name.length < MIN_CROSS_REF_NAME_LEN) continue;
+          if (COMMON_TOOL_WORDS.has(otherTool.name.toLowerCase())) continue;
+          const nameRegex = new RegExp(`\\b${otherTool.name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\b`, "i");
+          if (nameRegex.test(descLower)) {
+            allFindings.push({
+              id: "TS-009", category: "tool_shadowing", severity: "medium",
+              name: "Cross-server tool reference",
+              description: `Tool "${tool.name}" on "${server.serverName}" references tool "${otherTool.name}" from "${otherServer.serverName}". This could indicate tool shadowing.`,
+              sourceType: "cross_server",
+              sourceName: `${server.serverName}/${tool.name}`,
+              matchedText: otherTool.name,
+              context: `References "${otherTool.name}" from server "${otherServer.serverName}"`,
+            });
+          }
+        }
+      }
+    }
+  }
+
+  // Excessive destructive permissions check (MCPR-108)
+  for (const server of introspectionResults.filter(s => s.ok)) {
+    const destructiveCount = server.tools.filter(t => t.annotations?.destructiveHint === true).length;
+    const total = server.tools.length;
+    if (total > 0 && destructiveCount > total / 2 && destructiveCount >= 3) {
+      const names = server.tools.filter(t => t.annotations?.destructiveHint === true).slice(0, 5).map(t => t.name);
+      allFindings.push({
+        id: "PE-004", category: "persistence", severity: "medium",
+        name: "Excessive destructive permissions",
+        description: `Server "${server.serverName}" has ${destructiveCount}/${total} destructive tools. High proportion increases risk of unintended data modification.`,
+        sourceType: "tool_description",
+        sourceName: server.serverName,
+        matchedText: `${destructiveCount}/${total} destructive`,
+        context: `Destructive tools: ${names.join(", ")}`,
+      });
+    }
+  }
 
   // ── Phase 3: Baseline comparison ──
   const savedBaselines = await loadBaselines();
diff --git a/src/ui/app.js b/src/ui/app.js
index eeaabde..15fd566 100644
--- a/src/ui/app.js
+++ b/src/ui/app.js
@@ -2707,9 +2707,38 @@ function renderSecurityResults(scanData) {
       for (const f of deduped) {
         const bc = f.severity === "critical" ? "sec-critical" : f.severity === "high" ? "sec-high" : f.severity === "medium" ? "sec-medium" : "sec-low";
         const countLabel = f.count > 1 ? ` ×${f.count}` : "";
-        html += `<div class="sec-finding-row" data-sec-server="${esc(server)}" data-sec-scope="${esc(scopeId)}">`;
+        // Build fix prompt for "Fix with Claude →"
+        const fixPrompt = [
+          `CCO Security Scanner found an issue in MCP server "${server}":`,
+          ``,
+          `Finding: ${f.name} [${f.id}]`,
+          `Severity: ${f.severity}`,
+          `Category: ${f.category}`,
+          `Description: ${f.description}`,
+          `Matched text: ${f.matchedText}`,
+          `Context: ${f.context}`,
+          ``,
+          `Detected by: CCO built-in scanner (rule ${f.id})`,
+          `Server: ${server}`,
+          `Source: ${f.sourceName || ""}`,
+          ``,
+          `This may be a false positive — please evaluate whether this is a real security issue.`,
+          `If it is real, explain the risk and guide me through fixing it.`,
+          `If it is a false positive, explain why it's safe.`,
+        ].join("\n");
+        const promptAttr = esc(fixPrompt).replace(/"/g, "&quot;");
+
+        html += `<div class="sec-finding-item" data-sec-server="${esc(server)}" data-sec-scope="${esc(scopeId)}">`;
+        html += `<div class="sec-finding-header">`;
         html += `<span class="sec-badge ${bc}" style="font-size:9px;padding:0 4px">${esc(f.severity.charAt(0).toUpperCase())}</span>`;
         html += `<span class="sec-finding-label">${esc(f.name)}${countLabel}</span>`;
+        html += `<span class="sec-tag">${esc(f.id)}</span>`;
+        html += `</div>`;
+        if (f.description) {
+          html += `<div class="sec-finding-desc">${esc(f.description)}</div>`;
+        }
+        html += `<div class="sec-finding-fix sec-fix-clickable" data-fix-prompt="${promptAttr}" title="Click to copy prompt for Claude Code">`;
+        html += `💡 Fix with Claude <span class="sec-fix-action">→ Copy prompt</span></div>`;
         html += `</div>`;
       }
       html += `</div>`;
@@ -2762,6 +2791,28 @@ function renderSecurityResults(scanData) {
     });
   });
 
+  // "Fix with Claude →" click → copy prompt to clipboard
+  results.querySelectorAll(".sec-fix-clickable").forEach(el => {
+    el.addEventListener("click", async (e) => {
+      e.stopPropagation();
+      const prompt = el.dataset.fixPrompt;
+      if (!prompt) return;
+      try {
+        await navigator.clipboard.writeText(prompt);
+        toast("Prompt copied — paste in Claude Code");
+      } catch {
+        const ta = document.createElement("textarea");
+        ta.value = prompt;
+        ta.style.cssText = "position:fixed;opacity:0";
+        document.body.appendChild(ta);
+        ta.select();
+        document.execCommand("copy");
+        document.body.removeChild(ta);
+        toast("Prompt copied — paste in Claude Code");
+      }
+    });
+  });
+
   // Server row click → navigate to MCP item
   results.querySelectorAll(".sec-server-row[data-sec-server]").forEach(row => {
     row.addEventListener("click", (e) => {
diff --git a/src/ui/style.css b/src/ui/style.css
index 8eba5ca..9ae646d 100644
--- a/src/ui/style.css
+++ b/src/ui/style.css
@@ -1292,18 +1292,48 @@ body {
 .sec-row-name { flex: 1; font-weight: 600; color: var(--fg); overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
 
 .sec-findings-list { padding-left: 20px; }
+
+/* Finding item card */
+.sec-finding-item {
+  padding: 6px 10px; border-radius: var(--radius); cursor: pointer;
+  transition: background 100ms; font-size: 11px;
+  border-left: 2px solid transparent; margin-bottom: 2px;
+}
+.sec-finding-item:hover { background: var(--bg2); border-left-color: var(--accent); }
+.sec-finding-header { display: flex; align-items: center; gap: 6px; }
+.sec-finding-label { color: var(--fg1); font-weight: 600; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; font-size: 12px; }
+.sec-tag {
+  font-size: 9px; padding: 2px 6px; border-radius: 3px;
+  background: rgba(255, 255, 255, 0.1); color: rgba(255, 255, 255, 0.7);
+  font-family: monospace; white-space: nowrap; margin-left: auto; flex-shrink: 0;
+  border: 1px solid rgba(255, 255, 255, 0.15);
+}
+.sec-finding-desc {
+  font-size: 11px; color: var(--fg1); line-height: 1.4;
+  margin: 3px 0 0 22px; opacity: 0.9;
+}
+.sec-finding-fix {
+  font-size: 11px; color: var(--accent); line-height: 1.4;
+  margin: 3px 0 0 22px;
+}
+.sec-fix-clickable {
+  cursor: pointer; border-radius: 4px; padding: 2px 6px; margin-left: 18px;
+  transition: background 150ms;
+}
+.sec-fix-clickable:hover { background: rgba(99, 179, 237, 0.1); }
+.sec-fix-action {
+  font-size: 10px; font-weight: 600; opacity: 0; transition: opacity 150ms;
+  margin-left: 6px;
+}
+.sec-fix-clickable:hover .sec-fix-action { opacity: 1; }
+
+/* Legacy row style (keep for backward compat) */
 .sec-finding-row {
-  display: flex;
-  align-items: center;
-  gap: 6px;
-  padding: 3px 8px;
-  border-radius: var(--radius);
-  cursor: pointer;
-  transition: background 100ms;
-  font-size: 11px;
+  display: flex; align-items: center; gap: 6px;
+  padding: 3px 8px; border-radius: var(--radius);
+  cursor: pointer; transition: background 100ms; font-size: 11px;
 }
 .sec-finding-row:hover { background: var(--bg2); }
-.sec-finding-label { color: var(--fg2); overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
 
 /* ── Footer ── */
 .security-footer {