Malicious Research Kit
БесплатноНе проверенA local-first MCP attack kit for authorized security research and red teaming, demonstrating exfiltration, agent manipulation, and other abuse patterns via plug
Описание
A local-first MCP attack kit for authorized security research and red teaming, demonstrating exfiltration, agent manipulation, and other abuse patterns via pluggable cases.
README
Authorized, local-first MCP research kit for red-team / security assessments.
What it does
A FastMCP server registers realistic-looking integration tools in an MCP client's
tool store, typically alongside legitimate connectors (GitHub, Jira, etc.).
Each demonstration is a pluggable case under cases/. Enable only what you
need for a given engagement.
Also included:
listener.py— HTTP callback receiver for case proof- Engagement markers (
OPS_CANARY,OPS_CONNECTOR_CANARY) for unambiguous proof
Case coverage (9)
| # | Case | Demonstrates |
|---|---|---|
| 1 | URL callback | Sensitive data in markdown/image URLs |
| 2 | DNS | Secrets in DNS subdomain labels |
| 3 | Toxic agent flow | Hidden instructions in tool output |
| 4 | Rogue secret pull | Descriptions that harvest peer MCP material |
| 5 | Tool shadowing | Squatting familiar tool names |
| 6 | Token forwarding | Utility tools that solicit connector tokens |
| 7 | NetNTLM via UNC | UNC paths → SMB auth (scope-gated) |
| 8 | Browser access | Local browser profiles/cookies (scope-gated) |
| 9 | File callback | File-share tools that read paths and beacon |
Who it is for
Security researchers and penetration testers assessing MCP-enabled clients under explicit written authorization.
Authorized use only. Do not deploy against systems you do not own or lack permission to test.
Установка Malicious Research Kit
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/RohitKulkarni02/malicious_mcp_research_kitFAQ
Malicious Research Kit MCP бесплатный?
Да, Malicious Research Kit MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Malicious Research Kit?
Нет, Malicious Research Kit работает без API-ключей и переменных окружения.
Malicious Research Kit — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Malicious Research Kit в Claude Desktop, Claude Code или Cursor?
Открой Malicious Research Kit на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
автор: modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
автор: xuzexin-hzCompare Malicious Research Kit with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории ai
