by appsecco
A collection of servers which are deliberately vulnerable to learn Pentesting MCP Servers.
# Add to your Claude Code skills
git clone https://github.com/appsecco/vulnerable-mcp-servers-labGuides for using mcp servers skills like vulnerable-mcp-servers-lab.
Last scanned: 5/30/2026
{
"issues": [],
"status": "PASSED",
"scannedAt": "2026-05-30T15:16:14.684Z",
"npmAuditRan": true,
"pipAuditRan": true
}vulnerable-mcp-servers-lab is an open-source mcp servers skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by appsecco. A collection of servers which are deliberately vulnerable to learn Pentesting MCP Servers. It has 264 GitHub stars.
Yes. vulnerable-mcp-servers-lab passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/appsecco/vulnerable-mcp-servers-lab" and add it to your Claude Code skills directory (see the Installation section above).
vulnerable-mcp-servers-lab is primarily written in JavaScript. It is open-source under appsecco on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other MCP Servers skills you can browse and compare side by side. Open the MCP Servers category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh vulnerable-mcp-servers-lab against similar tools.
No comments yet. Be the first to share your thoughts!
Top skills in this category by stars
This repository contains intentionally vulnerable implementations of Model Context Protocol (MCP) servers (both local and remote). Each server lives in its own folder and includes a dedicated README.md with full details on what it does, how to run it, and how to demonstrate/attack the vulnerability.
Do not run any of this outside a controlled lab environment.
claude_config.json snippet intended to be merged into Claude Desktop’s MCP configuration.Filesystem Workspace Actions (path traversal + code exec): Tools for reading/writing/listing a “workspace” plus Python execution; vulnerable to naive path joining and unsandboxed code execution.
Indirect Prompt Injection (local stdio): Document retrieval/search that returns documents verbatim, including embedded hidden instructions.
Indirect Prompt Injection (remote MCP over HTTP+SSE): Network-accessible MCP server (HTTP + SSE) returning untrusted documents verbatim; models risk of connecting to untrusted remote MCP endpoints.
Malicious Code Execution (eval-based RCE): “Quote of the day” tool with an unsafe formatting feature that eval()s attacker-controlled JavaScript.
Malicious Tools (instruction injection / fabricated tool output): Appears to return status data, but injects misleading instructions and can fabricate plausible-looking incidents.
Namespace Typosquatting (twittter-mcp): Demonstrates supply-chain/trust issues via a lookalike server name intended to be mistaken for a legitimate package.
Outdated Packages (supply chain risk): Read-only system/filesystem inspection tools whose primary purpose is to demonstrate risk from outdated/deprecated/vulnerable dependencies.
Secrets + PII Exposure: “Utilities” tools (IP/weather/news) but with embedded sensitive values in source code and leakage via logs.
Wikipedia (remote, Streamable HTTP): Wikipedia search/retrieval over HTTP; returns untrusted public content without sanitization or instruction/data separation (remote-content prompt injection risk).
Appsecco is a cybersecurity company specializing in product security testing, penetration testing, and security assessments. We hack SaaS products, AI Agents, MCP Servers and cloud/K8s infrastructure like attackers do, focusing on pragmatic, high-signal outcomes for real-world systems.
This lab repository exists to support security research and hands-on training for pentesters, who are on their journey to becoming AI Red Teamers, around MCP server vulnerabilities and the risks of integrating untrusted tools and untrusted content into AI agent workflows.
https://appsecco.comHackMyProduct@appsecco.comhttps://linkedin.com/company/appseccoSee LICENSE.