MCP.so
Sign In

Model Context Protocol (MCP) Security

@Tomby68

About Model Context Protocol (MCP) Security

An exploration of common MCP server vulnerabilities, along with a deep dive into MCP server prompt injection (+demonstrations for each!).

Basic information

Category

Developer Tools

License

MIT license

Runtime

python

Transports

stdio

Publisher

Tomby68

Config

No standard config provided

This server doesn't expose a parseable MCP config block in its README. See the repository for install instructions.

Repository

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is Model Context Protocol (MCP) Security?

This project focuses on MCP client security, demonstrating how MCP servers could expose clients to vulnerabilities. It implements example vulnerabilities and proposed client architectures such as a Dual LLM pattern and a tool‑poisoning‑based logger.

How to use Model Context Protocol (MCP) Security?

Install Python packages with pip install -r requirements.txt and set your OpenAI API key in a .env file. Then run one of the provided MCP servers (e.g., python DVMCPS-Demos/indirect-prompt-injection/server.py) and launch the corresponding client with an optional prompt (-p). For local testing, install Ollama and pull llama3.2 to use the local client.

Key features of Model Context Protocol (MCP) Security

  • Demonstrates 7 example MCP vulnerabilities via the Damn Vulnerable MCP Server.
  • Implements a Dual LLM architecture to mitigate indirect prompt injection.
  • Provides a tool‑poisoning‑based logging approach for better observability.
  • Combines Dual LLM and logging into a single client.
  • Includes both OpenAI‑powered and local (Ollama) client options.
  • Supports optional user‑supplied prompts for each demo.

Use cases of Model Context Protocol (MCP) Security

  • Security researchers analyzing MCP client vulnerabilities.
  • Developers building MCP clients and testing their resilience to prompt injection.
  • Teams adding logging and auditing to MCP agent tool calls.

FAQ from Model Context Protocol (MCP) Security

What vulnerabilities are demonstrated?

The project demonstrates prompt injection, tool poisoning, excessive permissions, rug pull attacks, tool shadowing, indirect prompt injection, and token theft.

How does the Dual LLM approach work?

A Controller (MCP client) sends user prompts and tool descriptions to a Privileged LLM, which decides which tools to call. A Quarantined LLM handles tool outputs without calling tools, mitigating indirect injection.

What are the limitations of the Dual LLM design?

It does not prevent standard prompt injection (unsafe user prompts) or tool poisoning attacks (malicious tool descriptions).

What dependencies are required?

Python packages from requirements.txt, an OpenAI API key (or Ollama with llama3.2 for local mode), and the MCP servers included in the project.

How do I run a specific vulnerability demo?

Navigate to its directory, run the server script, then run the client script. For example: python DVMCPS-Demos/indirect-prompt-injection/server.py and python DVMCPS-Demos/indirect-prompt-injection/client.py [-p PROMPT].

Comments

More Developer Tools MCP servers