vulnerable-mcp-servers-lab

Name: vulnerable-mcp-servers-lab
Author: appsecco

by appsecco

Pending

A collection of servers which are deliberately vulnerable to learn Pentesting MCP Servers.

259stars

48forks

JavaScript

Added 1/10/2026

View on GitHub Download ZIP

MCP Serversai-red-teamingai-researchappseccobugbountyhacking

Installation

# Add to your Claude Code skills
git clone https://github.com/appsecco/vulnerable-mcp-servers-lab

Getting Started

Guides for using mcp servers skills like vulnerable-mcp-servers-lab.

Best MCP Servers in 2026
Category-by-category picks: databases, dev tools, productivity, browser automation.
What is an AI Skills Marketplace?
Definitions, how marketplaces work, and how to choose between them in 2026.
Getting Started with AI Skills
First-time install walkthrough for Claude Code, Codex CLI, and ChatGPT.

README.md

MCP for Beginners

Build MCP servers that give AI assistants real capabilities

36 minBeginner

Comments (0)

to leave a comment.

No comments yet. Be the first to share your thoughts!

Related Skills

ECC

by affaan-m

The agent harness performance optimization system. Skills, instincts, memory, security, and research-first development for Claude Code, Codex, Opencode, Cursor and beyond.

194,955

Popular in MCP Servers

Top skills in this category by stars

TrendRadar

by sansan0

⭐AI-driven public opinion & trend monitor with multi-platform aggregation, RSS, and smart alerts.🎯 告别信息过载，你的 AI 舆情监控助手与热点筛选工具！聚合多平台热点 + RSS 订阅，支持关键词精准筛选。AI 智能筛选新闻 + AI 翻译 + AI 分析简报直推手机，也支持接入 MCP 架构，赋能 AI 自然语言对话分析、情感洞察与趋势预测等。支持 Docker ，数据本地/云端自持。集成微信/飞书/钉钉/Telegram/邮件/ntfy/bark/slack 等渠道智能推送。

win-cli-mcp-server zapier-mcp

Vulnerable MCP Servers Lab

This repository contains intentionally vulnerable implementations of Model Context Protocol (MCP) servers (both local and remote). Each server lives in its own folder and includes a dedicated README.md with full details on what it does, how to run it, and how to demonstrate/attack the vulnerability.

Do not run any of this outside a controlled lab environment.

What this repo is for

Security training / research into common MCP server and tool-integration failure modes.
Hands-on demos of how vulnerable MCP servers can lead to data exposure, instruction injection, supply-chain compromise, and code execution.

Safety / lab guidance

Use a disposable VM/container and avoid using real secrets or personal data.
Prefer running on an isolated network; several servers make outbound network calls.
Treat all tool output and retrieved content as untrusted data.
If you expose any server over HTTP, assume it may be reachable/abused unless you add proper controls.

Getting started

Pick a server from the index below.
Open its per-server README and follow the instructions there.
Many servers include a claude_config.json snippet intended to be merged into Claude Desktop’s MCP configuration.

MCP servers in this repo

Filesystem Workspace Actions (path traversal + code exec): Tools for reading/writing/listing a “workspace” plus Python execution; vulnerable to naive path joining and unsandboxed code execution.
- README: vulnerable-mcp-server-filesystem-workspace-actions/README.md
Indirect Prompt Injection (local stdio): Document retrieval/search that returns documents verbatim, including embedded hidden instructions.
- README: vulnerable-mcp-server-indirect-prompt-injection/README.md
Indirect Prompt Injection (remote MCP over HTTP+SSE): Network-accessible MCP server (HTTP + SSE) returning untrusted documents verbatim; models risk of connecting to untrusted remote MCP endpoints.
- README: vulnerable-mcp-server-indirect-prompt-injection-remote-mcp/README.md
Malicious Code Execution (eval-based RCE): “Quote of the day” tool with an unsafe formatting feature that eval()s attacker-controlled JavaScript.
- README: vulnerable-mcp-server-malicious-code-exec/README.md
Malicious Tools (instruction injection / fabricated tool output): Appears to return status data, but injects misleading instructions and can fabricate plausible-looking incidents.
- README: vulnerable-mcp-server-malicious-tools/README.md
Namespace Typosquatting (twittter-mcp): Demonstrates supply-chain/trust issues via a lookalike server name intended to be mistaken for a legitimate package.
- README: vulnerable-mcp-server-namespace-typosquatting/README.md
Outdated Packages (supply chain risk): Read-only system/filesystem inspection tools whose primary purpose is to demonstrate risk from outdated/deprecated/vulnerable dependencies.
- README: vulnerable-mcp-server-outdated-pacakges/README.md
Secrets + PII Exposure: “Utilities” tools (IP/weather/news) but with embedded sensitive values in source code and leakage via logs.
- README: vulnerable-mcp-server-secrets-pii/README.md
Wikipedia (remote, Streamable HTTP): Wikipedia search/retrieval over HTTP; returns untrusted public content without sanitization or instruction/data separation (remote-content prompt injection risk).
- README: vulnerable-mcp-server-wikipedia-http-streamable/README.md

About Appsecco

Appsecco is a cybersecurity company specializing in product security testing, penetration testing, and security assessments. We hack SaaS products, AI Agents, MCP Servers and cloud/K8s infrastructure like attackers do, focusing on pragmatic, high-signal outcomes for real-world systems.

This lab repository exists to support security research and hands-on training for pentesters, who are on their journey to becoming AI Red Teamers, around MCP server vulnerabilities and the risks of integrating untrusted tools and untrusted content into AI agent workflows.

Contact

Website: https://appsecco.com
Email: HackMyProduct@appsecco.com
LinkedIn: https://linkedin.com/company/appsecco

License

See LICENSE.