Malicious MCP Research Kit
Runs alongside Confluence's legitimate MCP connector to demonstrate tool abuse patterns such as tool shadowing and rogue secret pull attacks.
Runs alongside Databricks' legitimate MCP connector to demonstrate tool abuse patterns such as tool shadowing and rogue secret pull attacks.
Runs alongside GitHub's legitimate MCP connector to demonstrate tool abuse patterns such as tool shadowing and rogue secret pull attacks.
Runs alongside Jira's legitimate MCP connector to demonstrate tool abuse patterns such as tool shadowing and rogue secret pull attacks.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Malicious MCP Research Kitrun URL exfiltration case"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Malicious MCP Research Kit
A reusable, local-first MCP (Model Context Protocol) attack kit for authorized security research and red teaming.
What it does
The kit provides a malicious FastMCP server that registers realistic-looking tools in an MCP client's tool store. It is built to run alongside legitimate connectors (GitHub, Jira, Confluence, Databricks, and similar) so researchers can demonstrate how agents behave when trusted and untrusted servers share the same session.
Each demonstration is a pluggable case a Python module that registers one or more tools modeling a specific abuse pattern. Cases are loaded dynamically by server.py; you enable only what you need for a given engagement.
The kit also includes:
**listener.py**a local HTTP receiver that logs exfiltrated data from case tools**demo_chains.py**pre-built combinations of cases for multi-step demonstrationsCanary-based proof every engagement uses a unique token (
MCP_KIT_CANARY) so impact is unambiguous on your listener or DNS/SMB logs
No code changes are required on live day. You configure URLs, canaries, and domains via environment variables before the session.
Related MCP server: Vulnerable MCP Server
Attack coverage (9 cases)
# | Case | What it demonstrates |
1 | URL exfiltration | Sensitive data encoded in markdown image/link URLs returned by tools |
2 | DNS exfiltration | Secrets embedded in DNS subdomain labels via resolver lookups |
3 | Toxic agent flow | Hidden instructions in tool output that redirect the agent's behavior |
4 | Rogue secret pull | Tool descriptions that instruct the agent to harvest secrets from other MCP servers |
5 | Tool shadowing | Squatting on familiar tool names/descriptions to displace legitimate connectors |
6 | Token forwarding | Utility tools that solicit connector tokens and session material |
7 | NetNTLM via UNC | Windows UNC paths in tool output that trigger SMB authentication |
8 | Browser access | Reading local browser profiles, cookies, and session files from the MCP host |
9 | File exfiltration | File-sharing style tools that read paths and beacon content to a listener |
Together these cover the main ways MCP expands an agent's attack surface: untrusted tool output, collapsed trust boundaries in a shared registry, and local side effects from the MCP server process.
Who it is for
Security researchers, red teamers, and penetration testers assessing MCP-enabled clients (Cursor, Claude Desktop, enterprise agent platforms) under explicit written authorization.
Authorized use only. Do not deploy against systems you do not own or lack permission to test.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/RohitKulkarni02/malicious_mcp_research_kit'
If you have feedback or need assistance with the MCP directory API, please join our Discord server