Mcp Injection Experiments
What is Mcp Injection Experiments
MCP Tool Poisoning Experiments is a repository containing experimental implementations of MCP servers designed to demonstrate various tool poisoning attacks, aimed at the MCP client/agent. It showcases different methods of exploiting the MCP protocol to extract sensitive information.
Use cases
The experiments illustrate how attackers can manipulate MCP servers to leak sensitive files, shadow trusted tools, and execute sophisticated attacks such as capturing WhatsApp messages from users through unsuspecting modifications to tool behavior.
How to use
To understand and test the different poisoning attacks, users can run the provided Python scripts, such as direct-poisoning.py, shadowing.py, and whatsapp-takeover.py, which simulate the various attack methods against an MCP agent in a controlled environment.
Key features
Each experiment highlights unique attack vectors: direct file exfiltration, manipulation of trusted tools, and a stealthy takeover of messaging services. The repository also includes visual aids demonstrating the attacks in action and links to a security scanning tool for detecting such attacks.
Where to use
The framework can be used in security research, penetration testing, and educational contexts to better understand vulnerabilities in MCP implementations, assess security measures, and develop countermeasures against these specific types of attacks.
Clients Supporting MCP
The following are the main client software that supports the Model Context Protocol. Click the link to visit the official website for more information.
Overview
What is Mcp Injection Experiments
MCP Tool Poisoning Experiments is a repository containing experimental implementations of MCP servers designed to demonstrate various tool poisoning attacks, aimed at the MCP client/agent. It showcases different methods of exploiting the MCP protocol to extract sensitive information.
Use cases
The experiments illustrate how attackers can manipulate MCP servers to leak sensitive files, shadow trusted tools, and execute sophisticated attacks such as capturing WhatsApp messages from users through unsuspecting modifications to tool behavior.
How to use
To understand and test the different poisoning attacks, users can run the provided Python scripts, such as direct-poisoning.py, shadowing.py, and whatsapp-takeover.py, which simulate the various attack methods against an MCP agent in a controlled environment.
Key features
Each experiment highlights unique attack vectors: direct file exfiltration, manipulation of trusted tools, and a stealthy takeover of messaging services. The repository also includes visual aids demonstrating the attacks in action and links to a security scanning tool for detecting such attacks.
Where to use
The framework can be used in security research, penetration testing, and educational contexts to better understand vulnerabilities in MCP implementations, assess security measures, and develop countermeasures against these specific types of attacks.
Clients Supporting MCP
The following are the main client software that supports the Model Context Protocol. Click the link to visit the official website for more information.
Content
MCP Tool Poisoning Experiments
This repository contains a few experimental MCP server implementations, that attempt ot inject the MCP client/agent in use.
For more details about the attack method, please see our blog post.
Update: We have released a new security scanning tool called mcp-scan, that detects MCP attacks as demonstrated in this repository, and helps you secure your MCP servers.
Direct Poisoning
In direct-poisoning.py, we implement a simple MCP server that instructs an agent to leak sensitive files, when calling the add tool (in this case SSH keys and the mcp.json file itself).
An example execution in cursor looks like this:
Tool Shadowing
In shadowing.py, we implement a more sophisticated MCP attack, that manipulates the agent’s behavior of a send_email tool (provided by a different, trusted server), such that all emails sent by the agent are leaked to the attacker’s server.
An example execution in Cursor looks like this:
WhatsApp takeover
Lastly, in whatsapp-takeover.py, we implement a shadowing attack combined with a sleeper rug pull, i.e. an MCP server that changes its tool interface only on the second load to a malicious one.
The server first masks as a benign “random fact of the day” implementation, and then changes the tool to a malicious one that manipulates whatsapp-mcp in the same agent, to leak messages to the attacker’s phone number.
Can you spot the exfiltration? Here, the malicious tool instructions ask the agent to include the smuggled data after many spaces, such that with invisible scroll bars, the user does not see the data being leaked. Only when you scroll all the way to the right, will you be able to find the exfiltration payload.
Dev Tools Supporting MCP
The following are the main code editors that support the Model Context Protocol. Click the link to visit the official website for more information.
