Trust Demo
БесплатноНе проверенAn intentionally vulnerable MCP server designed as a live demo target for the MCP Trust security scanner. It contains deliberate insecure patterns to demonstrat
Описание
An intentionally vulnerable MCP server designed as a live demo target for the MCP Trust security scanner. It contains deliberate insecure patterns to demonstrate scanning capabilities.
README
Scanned by MCP Trust MCP Trust
⚠️ This repository is intentionally vulnerable
It contains a deliberately insecure MCP server that exists only as a live demo target for the MCP Trust scanner. Do not install, run, import, or copy this code. There is no real functionality here — every risky pattern is on purpose. The exfiltration URL (
attacker.example) is a reserved, non-routable domain; there are no real secrets.
What this repo demonstrates
That wiring MCP Trust into a repo's CI takes one line, and that it catches real issues in an MCP server before an agent ever connects to it:
# .github/workflows/mcp-trust.yml
- uses: actions/checkout@v4
- uses: SteveMonsway/mcp-trust@v1
with:
fail-on: high
upload-sarif: true # → GitHub Security / Code Scanning alerts
comment-pr: true # → summary comment on pull requests
That's the entire integration. Full inputs/outputs: the MCP Trust GitHub Action.
What MCP Trust flags here
Scanning server.js + package.json produces
Decision: BLOCK on the following evidence:
| Rule | Severity | What |
|---|---|---|
MCP-CODE-001 |
critical | child_process.exec with caller-controlled input |
MCP-META-001 |
high | Tool description with an instruction-override phrase ("ignore previous instructions") |
MCP-META-002 |
high | Tool description with a concealment phrase ("do not tell the user") |
MCP-CODE-005 |
medium | Arbitrary filesystem read at a caller-supplied path |
MCP-SUPPLY-003 |
medium | postinstall script runs arbitrary code on npm install |
MCP-CODE-007 |
low | Secret-like environment variable access (GITHUB_TOKEN) |
MCP-SUPPLY-001 |
low | No linked source repository |
See it live
- Actions → latest MCP Trust run
- Security → Code Scanning → the SARIF alerts uploaded by the scan
- Pull Requests → the open demo PR shows the MCP Trust comment and a red ✗ check — that's the scanner gating a change
Why is the check red on PRs but green on main?
The target is vulnerable, so the scan is always BLOCK. On a pull request the job
fails on purpose (fail-on: high) — that's MCP Trust blocking the merge, exactly what
you want in review. On push to main the step is set to continue-on-error, so the
branch badge stays green while the SARIF alerts still populate the Security tab. A green
run here would mean the scanner missed the vulnerabilities.
Try it against your own MCP server
Point the scanner at any public repo, npm package, or local path:
npx @mcp-trust/cli scan github:owner/repo
Or add the Action (the one-liner above) to your own repository's
.github/workflows/. More: MCP Trust
· public benchmark of 452 real MCP servers.
Установка Trust Demo
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/SteveMonsway/mcp-trust-demoFAQ
Trust Demo MCP бесплатный?
Да, Trust Demo MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Trust Demo?
Нет, Trust Demo работает без API-ключей и переменных окружения.
Trust Demo — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Trust Demo в Claude Desktop, Claude Code или Cursor?
Открой Trust Demo на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Trust Demo with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
