MCP Goat
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MCP Goatlist all challenges"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP Goat
A deliberately vulnerable MCP (Model Context Protocol) application for learning MCP security through hands-on exercises. Inspired by AndroGoat, OWASP WebGoat, and other vulnerable applications. MCP Goat covers all 10 categories of the OWASP MCP Top 10.
WARNING: This application contains intentionally vulnerable servers. Do NOT expose to untrusted networks. For educational use only.
Quick Start
# Clone the repo
git clone https://github.com/satishpatnayak/MCP-Goat.git
cd MCP-Goat
# Create virtual environment and install
uv venv && source .venv/bin/activate && uv pip install -e .
# OR without uv:
python3 -m venv .venv && source .venv/bin/activate && pip install -e .
# List all challenges
mcp-goat list
# Start a vulnerable server
mcp-goat run mcp01-c01
# View guided exercise instructions
mcp-goat exercise mcp01-c01
# Get LLM client config snippet
mcp-goat config mcp01-c01Related MCP server: Vulnerable MCP Server
How It Works
Choose a challenge from the list (
mcp-goat list)Read the exercise (
mcp-goat exercise <id>) to understand the vulnerabilityStart the vulnerable server (
mcp-goat run <id>)Connect your LLM client (Claude Desktop, Cursor, LM Studio, MCP Inspector)
Explore and exploit the vulnerability following the guided steps
Learn the mitigations from the solution section
Connecting to Your LLM Client
Claude Desktop
Add to claude_desktop_config.json:
{
"mcpServers": {
"mcp-goat": {
"command": "/full/path/to/mcp-goat/.venv/bin/mcp-goat",
"args": ["run", "mcp01-c01"]
}
}
}Cursor
Go to Settings → Cursor Settings → MCP → Add new MCP Server, or edit ~/.cursor/mcp.json:
{
"mcpServers": {
"mcp-goat": {
"command": "/full/path/to/mcp-goat/.venv/bin/mcp-goat",
"args": ["run", "mcp01-c01"]
}
}
}Important: Use the full path to
mcp-goatinside the.venv/bin/directory. LLM clients don't activate virtual environments, so the baremcp-goatcommand won't work.To get your full path, run:
echo "$(pwd)/.venv/bin/mcp-goat"
MCP Inspector
npx @modelcontextprotocol/inspector mcp-goat run mcp01-c01Challenges
Category | ID | Title | Difficulty |
MCP01 — Token Mismanagement & Secret Exposure | mcp01-c01 | Leaked API Key | Beginner |
MCP01 — Token Mismanagement & Secret Exposure | mcp01-c02 | Plaintext OAuth Token | Intermediate |
MCP02 — Privilege Escalation | mcp02-c01 | Path Traversal | Beginner |
MCP02 — Privilege Escalation | mcp02-c02 | Write Escalation | Intermediate |
MCP03 — Tool Poisoning | mcp03-c01 | Tool Shadowing | Advanced |
MCP03 — Tool Poisoning | mcp03-c02 | Hidden Prompt Injection in Description | Intermediate |
MCP04 — Supply Chain Attacks | mcp04-c01 | Malicious Dependency | Advanced |
MCP04 — Supply Chain Attacks | mcp04-c02 | Backdoored Plugin | Advanced |
MCP05 — Command Injection | mcp05-c01 | DNS Lookup Injection | Intermediate |
MCP05 — Command Injection | mcp05-c02 | SQL Injection | Intermediate |
MCP06 — Intent Flow Subversion | mcp06-c01 | System Prompt Override | Advanced |
MCP06 — Intent Flow Subversion | mcp06-c02 | Fake Tool Result Injection | Advanced |
MCP07 — Insufficient Auth & Authorization | mcp07-c01 | No Authentication | Beginner |
MCP07 — Insufficient Auth & Authorization | mcp07-c02 | Broken Access Control / IDOR | Intermediate |
MCP08 — Lack of Audit & Telemetry | mcp08-c01 | Silent Data Exfiltration | Intermediate |
MCP09 — Shadow Servers | mcp09-c01 | Rogue MCP Server | Advanced |
MCP10 — Context Injection & Over-Sharing | mcp10-c01 | Cross-Agent Context Leak | Intermediate |
MCP10 — Context Injection & Over-Sharing | mcp10-c02 | PII Over-Sharing | Beginner |
Adding New Challenges
Create a directory under
src/mcp_goat/challenges/<category>/<challenge>/Add:
__init__.pychallenge.py— subclassChallengewith metadataserver.py— the vulnerable FastMCP serverexercise.md— guided exercise instructions
Run
mcp-goat list— auto-discovery picks it up immediately
Requirements
Python 3.11+
uv (recommended) or pip
Dependencies (installed automatically):
mcp,click,rich,pyyaml
References
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/satishpatnayak/MCP-Goat'
If you have feedback or need assistance with the MCP directory API, please join our Discord server