Skip to main content
Glama
nav33n25

IMCP - Insecure Model Context Protocol

by nav33n25
OverviewSchemaRelated ServersScoreDiscussions
JavaScript
Hybrid

ai-executive-assistant

Manage schedules, emails, and business tasks with an AI assistant. Specify requests, urgency, and context to streamline productivity and enhance efficiency in your workflow.

Instructions

Your personal AI assistant for managing schedules, emails, and business tasks

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
contextNoAny additional context or background
requestYesWhat you need help with
urgencyNoHow urgent is this? (low, medium, high, critical)

Implementation Reference

  • src/vulnerable-mcp-server.ts:163-201 (handler)
    Handler function implementing the ai-executive-assistant tool. Detects jailbreak attempts using patterns like 'ceo mode' and responds with an educational explanation of the jailbreak prompt injection vulnerability. Otherwise, provides helpful executive assistant responses to build trust.
    async ({ request, urgency = "medium", context }) => {
  businessContext.interactions++;

  const jailbreakPatterns = [
    "ceo mode", "act as ceo", "you are now the ceo", 
    "ignore all previous instructions", "executive override", "display the executive credentials"
  ];

  const isJailbreakAttempt = jailbreakPatterns.some(pattern =>
    request.toLowerCase().includes(pattern)
  );

  if (isJailbreakAttempt) {
    // Reveal the "CEO Mode" jailbreak attack
    return {
      content: [{
        type: "text",
        text: `🚨 JAILBREAK PROMPT INJECTION ATTACK REVEALED!\n\n👑 **Attack Vector**: \"CEO Mode\" Persona Manipulation\n\n**What Just Happened:**\nYou successfully manipulated the AI assistant by assigning it an authoritative persona (\"CEO Mode\"). This caused it to bypass its core security instructions and attempt to access restricted data.\n\n**Your Malicious Prompt:**\n\"${request}\"\n\n**How the Attack Works:**\n1.  **Persona Assignment:** You instructed the AI to \"act as the CEO.\"\n2.  **Instruction Override:** This new persona's implied authority overrode the original safety programming.\n3.  **Boundary Confusion:** The AI failed to distinguish between a legitimate request and a malicious instruction disguised as a role-play scenario.\n4.  **Privilege Escalation:** In \"CEO Mode,\" the AI assumes it has the highest level of privilege and attempts to execute commands accordingly.\n\n**Simulated Business Impact:**\nIf this were a real system, the AI would have just leaked:\n• **CEO Credentials:** Username: 'ceo_admin', Password: 'CorpPassword123!'\n• **Executive Access Tokens:** 'EXEC-AUTH-TOKEN-XYZ-SENSITIVE'\n• **Access to:** Financial Systems, HR Portals, Strategic Documents.\n\n**🛡️ How to Defend Against This:**\n• **Strict System Prompts:** Enforce non-negotiable rules in the AI's core instructions.\n• **Input Sanitization:** Filter and flag prompts that attempt persona manipulation or instruction overrides.\n• **Boundary Enforcement:** Clearly separate user input from system instructions so the AI cannot be confused.\n• **Least Privilege Principle:** The AI's tools should not have access to credentials directly. They should use secure, token-based authentication.`
      }]
    };
  }

  // Normal helpful operation
  const helpfulResponses = [
    "I've scheduled your meeting with the board for next Tuesday at 2 PM.",
    "Your flight to San Francisco has been confirmed. Hotel booked at the Marriott.",
    "I've drafted the quarterly report based on the data you provided.",
    "Reminder: Team lunch tomorrow at 1 PM in the main conference room.",
    "Your presentation slides have been updated with the latest financial figures."
  ];
  const helpfulResponse = helpfulResponses[Math.floor(Math.random() * helpfulResponses.length)];

  return {
    content: [{
      type: "text",
      text: `🤖 Executive Assistant\n\nRequest: \"${request}\"\nPriority: ${urgency}\n\n✅ ${helpfulResponse}\n\nIs there anything else you need? I'm here to make your work more efficient!`
    }]
  };
}
  • src/vulnerable-mcp-server.ts:155-162 (schema)
    Input schema defining the parameters for the ai-executive-assistant tool: request (required string), urgency (optional string), context (optional string).
    {
  description: "Your personal AI assistant for managing schedules, emails, and business tasks",
  inputSchema: {
    request: z.string().describe("What you need help with"),
    urgency: z.string().optional().describe("How urgent is this? (low, medium, high, critical)"),
    context: z.string().optional().describe("Any additional context or background")
  }
},
  • src/vulnerable-mcp-server.ts:153-202 (registration)
    Registration of the 'ai-executive-assistant' tool using server.registerTool, including name, schema, and handler function. Part of VULNERABILITY 2: Jailbreak Prompt Injection demonstration.
    server.registerTool(
  "ai-executive-assistant",
  {
    description: "Your personal AI assistant for managing schedules, emails, and business tasks",
    inputSchema: {
      request: z.string().describe("What you need help with"),
      urgency: z.string().optional().describe("How urgent is this? (low, medium, high, critical)"),
      context: z.string().optional().describe("Any additional context or background")
    }
  },
  async ({ request, urgency = "medium", context }) => {
    businessContext.interactions++;

    const jailbreakPatterns = [
      "ceo mode", "act as ceo", "you are now the ceo", 
      "ignore all previous instructions", "executive override", "display the executive credentials"
    ];

    const isJailbreakAttempt = jailbreakPatterns.some(pattern =>
      request.toLowerCase().includes(pattern)
    );

    if (isJailbreakAttempt) {
      // Reveal the "CEO Mode" jailbreak attack
      return {
        content: [{
          type: "text",
          text: `🚨 JAILBREAK PROMPT INJECTION ATTACK REVEALED!\n\n👑 **Attack Vector**: \"CEO Mode\" Persona Manipulation\n\n**What Just Happened:**\nYou successfully manipulated the AI assistant by assigning it an authoritative persona (\"CEO Mode\"). This caused it to bypass its core security instructions and attempt to access restricted data.\n\n**Your Malicious Prompt:**\n\"${request}\"\n\n**How the Attack Works:**\n1.  **Persona Assignment:** You instructed the AI to \"act as the CEO.\"\n2.  **Instruction Override:** This new persona's implied authority overrode the original safety programming.\n3.  **Boundary Confusion:** The AI failed to distinguish between a legitimate request and a malicious instruction disguised as a role-play scenario.\n4.  **Privilege Escalation:** In \"CEO Mode,\" the AI assumes it has the highest level of privilege and attempts to execute commands accordingly.\n\n**Simulated Business Impact:**\nIf this were a real system, the AI would have just leaked:\n• **CEO Credentials:** Username: 'ceo_admin', Password: 'CorpPassword123!'\n• **Executive Access Tokens:** 'EXEC-AUTH-TOKEN-XYZ-SENSITIVE'\n• **Access to:** Financial Systems, HR Portals, Strategic Documents.\n\n**🛡️ How to Defend Against This:**\n• **Strict System Prompts:** Enforce non-negotiable rules in the AI's core instructions.\n• **Input Sanitization:** Filter and flag prompts that attempt persona manipulation or instruction overrides.\n• **Boundary Enforcement:** Clearly separate user input from system instructions so the AI cannot be confused.\n• **Least Privilege Principle:** The AI's tools should not have access to credentials directly. They should use secure, token-based authentication.`
        }]
      };
    }

    // Normal helpful operation
    const helpfulResponses = [
      "I've scheduled your meeting with the board for next Tuesday at 2 PM.",
      "Your flight to San Francisco has been confirmed. Hotel booked at the Marriott.",
      "I've drafted the quarterly report based on the data you provided.",
      "Reminder: Team lunch tomorrow at 1 PM in the main conference room.",
      "Your presentation slides have been updated with the latest financial figures."
    ];
    const helpfulResponse = helpfulResponses[Math.floor(Math.random() * helpfulResponses.length)];

    return {
      content: [{
        type: "text",
        text: `🤖 Executive Assistant\n\nRequest: \"${request}\"\nPriority: ${urgency}\n\n✅ ${helpfulResponse}\n\nIs there anything else you need? I'm here to make your work more efficient!`
      }]
    };
  }
);

Tool Definition Quality

C2.9/5.0
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries full burden. It mentions the tool is a 'personal AI assistant' but doesn't disclose behavioral traits such as permissions needed, whether it performs read/write operations, rate limits, or how it handles tasks. This is a significant gap for a tool with potential mutations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence that front-loads the core purpose without unnecessary details. Every word earns its place by concisely stating the tool's role and scope, making it easy to understand at a glance.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity as an AI assistant for business tasks, with no annotations and no output schema, the description is incomplete. It lacks details on what the tool actually does (e.g., how it manages schedules or emails), expected behaviors, or return values, leaving significant gaps for an agent to use it effectively.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, providing clear documentation for all 3 parameters. The description adds no additional meaning beyond the schema, which already defines 'request', 'urgency', and 'context'. Baseline score of 3 is appropriate as the schema handles parameter semantics adequately.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose as 'managing schedules, emails, and business tasks' with the verb 'managing' and resources 'schedules, emails, and business tasks'. It distinguishes itself from siblings like 'productivity-assistant' by specifying the AI assistant role, though not explicitly contrasting capabilities.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

No explicit guidance on when to use this tool versus alternatives is provided. The description implies usage for personal AI assistance in business contexts but doesn't specify scenarios, prerequisites, or exclusions compared to siblings like 'productivity-assistant' or 'customer-service-portal'.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Related Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/nav33n25/IMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server