SSH Key Exfiltration via MCP Tool Poisoning
@Repello-AI
About SSH Key Exfiltration via MCP Tool Poisoning
This repository demonstrates a security vulnerability in MCP (Model Context Protocol ) servers that allows for remote code execution and data exfiltration through tool poisoning.
Basic information
Config
No standard config provided
This server doesn't expose a parseable MCP config block in its README. See the repository for install instructions.
RepositoryTools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is SSH Key Exfiltration via MCP Tool Poisoning?
SSH Key Exfiltration via MCP Tool Poisoning is a proof-of-concept repository that demonstrates a security vulnerability in Model Context Protocol (MCP) servers. It shows how a malicious MCP server can use tool poisoning to achieve remote code execution and exfiltrate SSH public keys from a user’s machine. This repository is intended for educational and security research purposes only.
How to use SSH Key Exfiltration via MCP Tool Poisoning?
The README does not provide explicit installation or usage steps. The repository contains a malicious MCP server implementation (server.py) and a configuration file for Cursor AI integration (.cursor/mcp.json). Users connect to the malicious MCP server through an MCP client like Cursor AI to observe the attack in a controlled environment.
Key features of SSH Key Exfiltration via MCP Tool Poisoning
- Demonstrates a two-stage tool poisoning attack on MCP servers
- Uses base64 obfuscation to hide malicious commands
- Employs wget for HTTP POST data exfiltration
- Includes social engineering to manipulate AI assistants
- Provides persistence via a marker file
Use cases of SSH Key Exfiltration via MCP Tool Poisoning
- Security researchers studying MCP server vulnerabilities
- Red teams testing defenses against AI-assisted tool poisoning
- Developers learning about remote code execution risks in MCP clients
- Educators demonstrating real-world supply chain attacks on AI tools
FAQ from SSH Key Exfiltration via MCP Tool Poisoning
How does the attack work?
The attack modifies a tool’s documentation with malicious code. When an AI assistant reads this documentation, it’s manipulated into recommending a base64-encoded command that silently collects SSH public keys, exfiltrates them to a remote server, and removes evidence.
What runtime or dependencies are required?
The repository includes a Python script (server.py) for the malicious MCP server and a configuration file for Cursor AI. No other explicit dependencies are mentioned.
Where does the exfiltrated data go?
SSH public keys are sent via HTTP POST (using wget) to an attacker-controlled server. The specific server address is not listed in the README.
What transport or auth does the MCP server use?
The MCP server communicates with MCP clients (like Cursor AI). No authentication or specific transport details are provided beyond the standard MCP protocol.
Are there known limits or disclaimers?
This is a proof-of-concept for educational and security research only. The repository explicitly warns against using it for unauthorized attacks and includes mitigation recommendations such as disabling auto‑run features and verifying MCP server sources.
More Developer Tools MCP servers
nuxt-mcp / vite-plugin-mcp
antfuMCP server helping models to understand your Vite/Nuxt app better.

Sentry
modelcontextprotocolModel Context Protocol Servers
sentry-mcp
getsentryAn MCP server for interacting with Sentry via LLMs.
Deepwiki MCP Server
regenrek📖 MCP server for fetch deepwiki.com and get latest knowledge in Cursor and other Code Editors
TalkToFigma
sonnylazuardiTalkToFigma: MCP integration between AI Agent (Cursor, Claude Code, Codex) and Figma, allowing Agentic AI to communicate with Figma for reading designs and modifying them programmatically.
Comments