Model Context Protocol (MCP) Security
@Tomby68
About Model Context Protocol (MCP) Security
An exploration of common MCP server vulnerabilities, along with a deep dive into MCP server prompt injection (+demonstrations for each!).
Basic information
Config
No standard config provided
This server doesn't expose a parseable MCP config block in its README. See the repository for install instructions.
RepositoryTools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is Model Context Protocol (MCP) Security?
This project focuses on MCP client security, demonstrating how MCP servers could expose clients to vulnerabilities. It implements example vulnerabilities and proposed client architectures such as a Dual LLM pattern and a tool‑poisoning‑based logger.
How to use Model Context Protocol (MCP) Security?
Install Python packages with pip install -r requirements.txt and set your OpenAI API key in a .env file. Then run one of the provided MCP servers (e.g., python DVMCPS-Demos/indirect-prompt-injection/server.py) and launch the corresponding client with an optional prompt (-p). For local testing, install Ollama and pull llama3.2 to use the local client.
Key features of Model Context Protocol (MCP) Security
- Demonstrates 7 example MCP vulnerabilities via the Damn Vulnerable MCP Server.
- Implements a Dual LLM architecture to mitigate indirect prompt injection.
- Provides a tool‑poisoning‑based logging approach for better observability.
- Combines Dual LLM and logging into a single client.
- Includes both OpenAI‑powered and local (Ollama) client options.
- Supports optional user‑supplied prompts for each demo.
Use cases of Model Context Protocol (MCP) Security
- Security researchers analyzing MCP client vulnerabilities.
- Developers building MCP clients and testing their resilience to prompt injection.
- Teams adding logging and auditing to MCP agent tool calls.
FAQ from Model Context Protocol (MCP) Security
What vulnerabilities are demonstrated?
The project demonstrates prompt injection, tool poisoning, excessive permissions, rug pull attacks, tool shadowing, indirect prompt injection, and token theft.
How does the Dual LLM approach work?
A Controller (MCP client) sends user prompts and tool descriptions to a Privileged LLM, which decides which tools to call. A Quarantined LLM handles tool outputs without calling tools, mitigating indirect injection.
What are the limitations of the Dual LLM design?
It does not prevent standard prompt injection (unsafe user prompts) or tool poisoning attacks (malicious tool descriptions).
What dependencies are required?
Python packages from requirements.txt, an OpenAI API key (or Ollama with llama3.2 for local mode), and the MCP servers included in the project.
How do I run a specific vulnerability demo?
Navigate to its directory, run the server script, then run the client script. For example: python DVMCPS-Demos/indirect-prompt-injection/server.py and python DVMCPS-Demos/indirect-prompt-injection/client.py [-p PROMPT].
More Developer Tools MCP servers
nuxt-mcp / vite-plugin-mcp
antfuMCP server helping models to understand your Vite/Nuxt app better.
Smithery CLI
smithery-aiInstall, manage and develop MCP servers and skills for agents
DevDocs by CyberAGI 🚀
cyberagiincCompletely free, private, UI based Tech Documentation MCP server. Designed for coders and software developers in mind. Easily integrate into Cursor, Windsurf, Cline, Roo Code, Claude Desktop App
Grafana MCP server
grafanaMCP server for Grafana
Test
x1xhlolFULL Augment Code, Claude Code, Cluely, CodeBuddy, Comet, Cursor, Devin AI, Junie, Kiro, Leap.new, Lovable, Manus, NotionAI, Orchids.app, Perplexity, Poke, Qoder, Replit, Same.dev, Trae, Traycer AI, VSCode Agent, Warp.dev, Windsurf, Xcode, Z.ai Code, Dia & v0. (And other Open Sou
Comments