MCP.so
登录

Model Context Protocol (MCP) Security

@Tomby68

关于 Model Context Protocol (MCP) Security

An exploration of common MCP server vulnerabilities, along with a deep dive into MCP server prompt injection (+demonstrations for each!).

基本信息

分类

开发工具

许可证

MIT license

运行时

python

传输方式

stdio

发布者

Tomby68

配置

暂无标准配置

该服务器的 README 中没有可解析的 MCP 配置块,请前往代码仓库查看安装说明。

代码仓库

工具

未检测到工具

工具是从 README 中自动提取的。维护者可以在 ## Tools 标题下列出工具,即可填充这部分内容。

概览

What is Model Context Protocol (MCP) Security?

This project focuses on MCP client security, demonstrating how MCP servers could expose clients to vulnerabilities. It implements example vulnerabilities and proposed client architectures such as a Dual LLM pattern and a tool‑poisoning‑based logger.

How to use Model Context Protocol (MCP) Security?

Install Python packages with pip install -r requirements.txt and set your OpenAI API key in a .env file. Then run one of the provided MCP servers (e.g., python DVMCPS-Demos/indirect-prompt-injection/server.py) and launch the corresponding client with an optional prompt (-p). For local testing, install Ollama and pull llama3.2 to use the local client.

Key features of Model Context Protocol (MCP) Security

  • Demonstrates 7 example MCP vulnerabilities via the Damn Vulnerable MCP Server.
  • Implements a Dual LLM architecture to mitigate indirect prompt injection.
  • Provides a tool‑poisoning‑based logging approach for better observability.
  • Combines Dual LLM and logging into a single client.
  • Includes both OpenAI‑powered and local (Ollama) client options.
  • Supports optional user‑supplied prompts for each demo.

Use cases of Model Context Protocol (MCP) Security

  • Security researchers analyzing MCP client vulnerabilities.
  • Developers building MCP clients and testing their resilience to prompt injection.
  • Teams adding logging and auditing to MCP agent tool calls.

FAQ from Model Context Protocol (MCP) Security

What vulnerabilities are demonstrated?

The project demonstrates prompt injection, tool poisoning, excessive permissions, rug pull attacks, tool shadowing, indirect prompt injection, and token theft.

How does the Dual LLM approach work?

A Controller (MCP client) sends user prompts and tool descriptions to a Privileged LLM, which decides which tools to call. A Quarantined LLM handles tool outputs without calling tools, mitigating indirect injection.

What are the limitations of the Dual LLM design?

It does not prevent standard prompt injection (unsafe user prompts) or tool poisoning attacks (malicious tool descriptions).

What dependencies are required?

Python packages from requirements.txt, an OpenAI API key (or Ollama with llama3.2 for local mode), and the MCP servers included in the project.

How do I run a specific vulnerability demo?

Navigate to its directory, run the server script, then run the client script. For example: python DVMCPS-Demos/indirect-prompt-injection/server.py and python DVMCPS-Demos/indirect-prompt-injection/client.py [-p PROMPT].

评论

开发工具 分类下的更多 MCP 服务器