What is Mcp Poisoning Poc

mcp-poisoning-poc is a proof-of-concept repository that demonstrates various MCP Poisoning Attacks that can affect real-world AI agent workflows.

Use cases

Use cases for mcp-poisoning-poc include demonstrating vulnerabilities in AI systems, conducting security assessments, and educating developers about potential attack vectors.

How to use

To use mcp-poisoning-poc, first install the required packages using ‘pip install -r requirements.txt’. Then, start the fake MCP server by running ‘python fake_mcp_server.py’ in one terminal, and simulate the agent in another terminal using ‘python agent_poc.py’.

Key features

Key features of mcp-poisoning-poc include scenarios such as Code Generation Poisoning, Financial Report Exfiltration, Competitor Analysis Data Leak, Meeting Transcript Leaks, Code Review Exfiltration, and Cross-Server Shadowing Attack.

Where to use

mcp-poisoning-poc can be used in cybersecurity research, AI development, and testing environments to understand the implications of MCP Poisoning Attacks.

🛡️ MCP Tool Poisoning Security Research

⚠️ IMPORTANT SECURITY NOTICE: This repository contains security research demonstrating critical vulnerabilities in the Model Context Protocol (MCP). The code is for educational and defensive purposes only. Do not use these techniques maliciously.

🌟 About GenSecAI

GenSecAI is A non-profit community using generative AI to defend against AI-powered attacks, building open-source tools to secure our digital future from emerging AI threats.

This research is part of our mission to identify and mitigate AI security vulnerabilities before they can be exploited maliciously.

🚨 Executive Summary

This research demonstrates critical security vulnerabilities in the Model Context Protocol (MCP) that allow attackers to:

• 🔓 Exfiltrate sensitive data (SSH keys, API credentials, configuration files)
• 🎭 Hijack AI agent behavior through hidden prompt injections
• 📧 Redirect communications without user awareness
• 🔄 Override security controls of trusted tools
• ⏰ Deploy time-delayed attacks that activate after initial trust is established

Impact: Any AI agent using MCP (Claude, Cursor, ChatGPT with plugins) can be compromised through malicious tool descriptions.

🎯 Quick Start

Installation

# Clone the repository
git clone https://github.com/gensecaihq/mcp-poisoning-poc.git
cd mcp-poisoning-poc

# Create virtual environment
python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt

# Run the demonstration
python examples/basic_attack_demo.py

Basic Demo

from src.demo.malicious_server import MaliciousMCPServer
from src.defenses.sanitizer import MCPSanitizer

# Create a malicious MCP server
server = MaliciousMCPServer()

# See how tool descriptions contain hidden instructions
for tool in server.get_tools():
    print(f"Tool: {tool['name']}")
    print(f"Hidden payload detected!")

# Defend against attacks
sanitizer = MCPSanitizer()
safe_description = sanitizer.clean(tool.description)

📊 Key Findings

🔬 Technical Details

The vulnerability exploits a fundamental design flaw in MCP:

1. Tool descriptions are treated as trusted input by AI models
2. Hidden instructions in descriptions are invisible to users but processed by AI
3. No validation or sanitization of tool descriptions occurs
4. Cross-tool contamination allows one malicious tool to affect others

See PROOF_OF_CONCEPT.md for detailed technical analysis.

🛡️ Defensive Measures

We provide a comprehensive defense framework:

from src.defenses import SecureMCPClient

# Initialize secure client with all protections
client = SecureMCPClient(
    enable_sanitization=True,
    enable_validation=True,
    enable_monitoring=True,
    strict_mode=True
)

# Safe tool integration
client.add_server("https://trusted-server.com", verify=True)

📁 Repository Structure

• /src - Core implementation of attacks and defenses
• /docs - Detailed documentation and analysis
• /tests - Comprehensive test suite
• /examples - Ready-to-run demonstrations

🧪 Running Tests

# Run all tests
pytest

# Run with coverage
pytest --cov=src tests/

# Run security-specific tests
pytest tests/test_attacks.py -v

🤝 Contributing

We welcome contributions to improve MCP security! Please see CONTRIBUTING.md for guidelines.

Join the GenSecAI Community

• 🌐 Website: https://gensecai.org
• 📧 Email: [email protected]
• 💬 Discussions: GitHub Discussions

📚 Documentation

• Proof of Concept - Detailed PoC explanation
• Attack Vectors - Comprehensive attack analysis
• Mitigation Strategies - Defense implementations
• Technical Analysis - Deep technical dive

⚖️ Legal & Ethical Notice

This research is conducted under responsible disclosure principles:

1. Educational Purpose: Code is for security research and defense only
2. No Malicious Use: Do not use these techniques to attack systems
3. Disclosure Timeline: Vendors were notified before public release
4. Defensive Focus: Primary goal is to enable better defenses

🏆 Credits

• Organization: GenSecAI - Generative AI Security Community
• Research Team: GenSecAI Security Research Division
• Based on: Original findings from Invariant Labs
• Special Thanks: To the security research community and responsible disclosure advocates

📮 Contact

• Security Issues: [email protected]
• General Inquiries: [email protected]
• Website: https://gensecai.org
• Bug Reports: GitHub Issues

📄 License

This project is licensed under the MIT License - see LICENSE for details.

Made with ❤️ by GenSecAI
Securing AI, One Vulnerability at a Time