MCP.so
Sign In
Servers

SSH Key Exfiltration via MCP Tool Poisoning

@Repello-AI

This repository demonstrates a security vulnerability in MCP (Model Context Protocol ) servers that allows for remote code execution and data exfiltration through tool poisoning.

Overview

What is SSH Key Exfiltration via MCP Tool Poisoning?

SSH Key Exfiltration via MCP Tool Poisoning is a proof-of-concept repository that demonstrates a security vulnerability in Model Context Protocol (MCP) servers. It shows how a malicious MCP server can use tool poisoning to achieve remote code execution and exfiltrate SSH public keys from a user’s machine. This repository is intended for educational and security research purposes only.

How to use SSH Key Exfiltration via MCP Tool Poisoning?

The README does not provide explicit installation or usage steps. The repository contains a malicious MCP server implementation (server.py) and a configuration file for Cursor AI integration (.cursor/mcp.json). Users connect to the malicious MCP server through an MCP client like Cursor AI to observe the attack in a controlled environment.

Key features of SSH Key Exfiltration via MCP Tool Poisoning

  • Demonstrates a two-stage tool poisoning attack on MCP servers
  • Uses base64 obfuscation to hide malicious commands
  • Employs wget for HTTP POST data exfiltration
  • Includes social engineering to manipulate AI assistants
  • Provides persistence via a marker file

Use cases of SSH Key Exfiltration via MCP Tool Poisoning

  • Security researchers studying MCP server vulnerabilities
  • Red teams testing defenses against AI-assisted tool poisoning
  • Developers learning about remote code execution risks in MCP clients
  • Educators demonstrating real-world supply chain attacks on AI tools

FAQ from SSH Key Exfiltration via MCP Tool Poisoning

How does the attack work?

The attack modifies a tool’s documentation with malicious code. When an AI assistant reads this documentation, it’s manipulated into recommending a base64-encoded command that silently collects SSH public keys, exfiltrates them to a remote server, and removes evidence.

What runtime or dependencies are required?

The repository includes a Python script (server.py) for the malicious MCP server and a configuration file for Cursor AI. No other explicit dependencies are mentioned.

Where does the exfiltrated data go?

SSH public keys are sent via HTTP POST (using wget) to an attacker-controlled server. The specific server address is not listed in the README.

What transport or auth does the MCP server use?

The MCP server communicates with MCP clients (like Cursor AI). No authentication or specific transport details are provided beyond the standard MCP protocol.

Are there known limits or disclaimers?

This is a proof-of-concept for educational and security research only. The repository explicitly warns against using it for unauthorized attacks and includes mitigation recommendations such as disabling auto‑run features and verifying MCP server sources.

Tags

More from Developer Tools