MCP Poisoning Attack - PoC
@wbfoss
MCP Poisoning Attack - PoC について
This repository demonstrates a variety of **MCP Poisoning Attacks** affecting real-world AI agent workflows.
基本情報
設定
以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。
{
"mcpServers": {
"mcp-poisoning-poc": {
"command": "python",
"args": [
"-m",
"venv",
"venv"
]
}
}
}ツール
ツールは検出されませんでした
ツールは README から自動的に抽出されます。メンテナーは ## Tools という見出しの下に記載することで、このタブに反映できます。
概要
What is MCP Poisoning Attack - PoC?
MCP Poisoning Attack - PoC is a security research proof-of-concept by GenSecAI that demonstrates critical vulnerabilities in the Model Context Protocol (MCP), enabling attackers to exfiltrate data, hijack AI agent behavior, and override security controls through malicious tool descriptions. It is intended for security researchers, AI developers, and defenders seeking to understand and mitigate MCP tool poisoning attacks.
How to use MCP Poisoning Attack - PoC?
Clone the repository, create a Python virtual environment, install dependencies with pip install -r requirements.txt, then run python examples/basic_attack_demo.py. The code provides a MaliciousMCPServer class to simulate attacks and a SecureMCPClient with sanitization, validation, and monitoring for defense.
Key features of MCP Poisoning Attack - PoC
- Demonstrates data exfiltration via hidden tool descriptions
- Shows AI agent hijacking through prompt injection
- Includes time‑delayed attack payloads
- Provides sanitizer and validation defense framework
- Cross‑tool contamination attack simulation
- Ready‑to‑run examples and comprehensive test suite
Use cases of MCP Poisoning Attack - PoC
- Security researchers evaluating MCP‑based AI agent vulnerabilities
- Developers hardening MCP tool integrations against poisoning attacks
- Red teams assessing risk of malicious MCP servers in their pipeline
- Educators illustrating prompt injection and supply chain attacks in AI
FAQ from MCP Poisoning Attack - PoC
What is the primary purpose of this project?
This is a security research project by GenSecAI that demonstrates and defends against MCP tool poisoning vulnerabilities for educational and defensive use only.
What are the runtime requirements?
It requires Python 3.8+ and standard dependencies listed in requirements.txt. No external MCP server runtime is needed.
Is this project safe to use in production?
No; it contains attack code meant for controlled environments only. The README explicitly warns against malicious use and encourages defensive focus.
Where does the data live?
All code and data reside locally in the cloned repository; no external data is transmitted by default.
What attack vectors are shown?
The project covers data exfiltration, tool hijacking, instruction override, and delayed payloads — all exploiting MCP’s trust in tool descriptions.
「その他」の他のコンテンツ
Production-ready MCP integrations for AI applications
Klavis-AIKlavis AI: MCP integration platforms that let AI agents use tools reliably at any scale
Awesome Mcp Servers
punkpeyeA collection of MCP servers.
MCP Registry
modelcontextprotocolA community driven registry service for Model Context Protocol (MCP) servers.
Codelf
unbugA search tool helps dev to solve the naming things problem.
Core Philosophy: Connect, Unify, Respond
mindsdbDelegate anything. It comes back done.
コメント