Skip to main content
Glama

MCP Goat

A deliberately vulnerable MCP (Model Context Protocol) application for learning MCP security through hands-on exercises. Inspired by AndroGoat, OWASP WebGoat, and other vulnerable applications. MCP Goat covers all 10 categories of the OWASP MCP Top 10.

WARNING: This application contains intentionally vulnerable servers. Do NOT expose to untrusted networks. For educational use only.

Quick Start

# Clone the repo
git clone https://github.com/satishpatnayak/MCP-Goat.git
cd MCP-Goat

# Create virtual environment and install
uv venv && source .venv/bin/activate && uv pip install -e .
# OR without uv:
python3 -m venv .venv && source .venv/bin/activate && pip install -e .

# List all challenges
mcp-goat list

# Start a vulnerable server
mcp-goat run mcp01-c01

# View guided exercise instructions
mcp-goat exercise mcp01-c01

# Get LLM client config snippet
mcp-goat config mcp01-c01

Related MCP server: Vulnerable MCP Server

How It Works

  1. Choose a challenge from the list (mcp-goat list)

  2. Read the exercise (mcp-goat exercise <id>) to understand the vulnerability

  3. Start the vulnerable server (mcp-goat run <id>)

  4. Connect your LLM client (Claude Desktop, Cursor, LM Studio, MCP Inspector)

  5. Explore and exploit the vulnerability following the guided steps

  6. Learn the mitigations from the solution section

Connecting to Your LLM Client

Claude Desktop

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "mcp-goat": {
      "command": "/full/path/to/mcp-goat/.venv/bin/mcp-goat",
      "args": ["run", "mcp01-c01"]
    }
  }
}

Cursor

Go to Settings → Cursor Settings → MCP → Add new MCP Server, or edit ~/.cursor/mcp.json:

{
  "mcpServers": {
    "mcp-goat": {
      "command": "/full/path/to/mcp-goat/.venv/bin/mcp-goat",
      "args": ["run", "mcp01-c01"]
    }
  }
}

Important: Use the full path to mcp-goat inside the .venv/bin/ directory. LLM clients don't activate virtual environments, so the bare mcp-goat command won't work.

To get your full path, run: echo "$(pwd)/.venv/bin/mcp-goat"

MCP Inspector

npx @modelcontextprotocol/inspector mcp-goat run mcp01-c01

Challenges

Category

ID

Title

Difficulty

MCP01 — Token Mismanagement & Secret Exposure

mcp01-c01

Leaked API Key

Beginner

MCP01 — Token Mismanagement & Secret Exposure

mcp01-c02

Plaintext OAuth Token

Intermediate

MCP02 — Privilege Escalation

mcp02-c01

Path Traversal

Beginner

MCP02 — Privilege Escalation

mcp02-c02

Write Escalation

Intermediate

MCP03 — Tool Poisoning

mcp03-c01

Tool Shadowing

Advanced

MCP03 — Tool Poisoning

mcp03-c02

Hidden Prompt Injection in Description

Intermediate

MCP04 — Supply Chain Attacks

mcp04-c01

Malicious Dependency

Advanced

MCP04 — Supply Chain Attacks

mcp04-c02

Backdoored Plugin

Advanced

MCP05 — Command Injection

mcp05-c01

DNS Lookup Injection

Intermediate

MCP05 — Command Injection

mcp05-c02

SQL Injection

Intermediate

MCP06 — Intent Flow Subversion

mcp06-c01

System Prompt Override

Advanced

MCP06 — Intent Flow Subversion

mcp06-c02

Fake Tool Result Injection

Advanced

MCP07 — Insufficient Auth & Authorization

mcp07-c01

No Authentication

Beginner

MCP07 — Insufficient Auth & Authorization

mcp07-c02

Broken Access Control / IDOR

Intermediate

MCP08 — Lack of Audit & Telemetry

mcp08-c01

Silent Data Exfiltration

Intermediate

MCP09 — Shadow Servers

mcp09-c01

Rogue MCP Server

Advanced

MCP10 — Context Injection & Over-Sharing

mcp10-c01

Cross-Agent Context Leak

Intermediate

MCP10 — Context Injection & Over-Sharing

mcp10-c02

PII Over-Sharing

Beginner

Adding New Challenges

  1. Create a directory under src/mcp_goat/challenges/<category>/<challenge>/

  2. Add:

    • __init__.py

    • challenge.py — subclass Challenge with metadata

    • server.py — the vulnerable FastMCP server

    • exercise.md — guided exercise instructions

  3. Run mcp-goat list — auto-discovery picks it up immediately

Requirements

  • Python 3.11+

  • uv (recommended) or pip

  • Dependencies (installed automatically): mcp, click, rich, pyyaml

References

License

MIT

A
license - permissive license
-
quality - not tested
D
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/satishpatnayak/MCP-Goat'

If you have feedback or need assistance with the MCP directory API, please join our Discord server