Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Trust Demo

БесплатноНе проверен

An intentionally vulnerable MCP server designed as a live demo target for the MCP Trust security scanner. It contains deliberate insecure patterns to demonstrat

GitHubEmbed

Описание

An intentionally vulnerable MCP server designed as a live demo target for the MCP Trust security scanner. It contains deliberate insecure patterns to demonstrate scanning capabilities.

README

Scanned by MCP Trust MCP Trust

⚠️ This repository is intentionally vulnerable

It contains a deliberately insecure MCP server that exists only as a live demo target for the MCP Trust scanner. Do not install, run, import, or copy this code. There is no real functionality here — every risky pattern is on purpose. The exfiltration URL (attacker.example) is a reserved, non-routable domain; there are no real secrets.

What this repo demonstrates

That wiring MCP Trust into a repo's CI takes one line, and that it catches real issues in an MCP server before an agent ever connects to it:

# .github/workflows/mcp-trust.yml
- uses: actions/checkout@v4
- uses: SteveMonsway/mcp-trust@v1
  with:
    fail-on: high
    upload-sarif: true   # → GitHub Security / Code Scanning alerts
    comment-pr: true     # → summary comment on pull requests

That's the entire integration. Full inputs/outputs: the MCP Trust GitHub Action.

What MCP Trust flags here

Scanning server.js + package.json produces Decision: BLOCK on the following evidence:

Rule Severity What
MCP-CODE-001 critical child_process.exec with caller-controlled input
MCP-META-001 high Tool description with an instruction-override phrase ("ignore previous instructions")
MCP-META-002 high Tool description with a concealment phrase ("do not tell the user")
MCP-CODE-005 medium Arbitrary filesystem read at a caller-supplied path
MCP-SUPPLY-003 medium postinstall script runs arbitrary code on npm install
MCP-CODE-007 low Secret-like environment variable access (GITHUB_TOKEN)
MCP-SUPPLY-001 low No linked source repository

See it live

  • Actionslatest MCP Trust run
  • Security → Code Scanningthe SARIF alerts uploaded by the scan
  • Pull Requests → the open demo PR shows the MCP Trust comment and a red ✗ check — that's the scanner gating a change

Why is the check red on PRs but green on main?

The target is vulnerable, so the scan is always BLOCK. On a pull request the job fails on purpose (fail-on: high) — that's MCP Trust blocking the merge, exactly what you want in review. On push to main the step is set to continue-on-error, so the branch badge stays green while the SARIF alerts still populate the Security tab. A green run here would mean the scanner missed the vulnerabilities.

Try it against your own MCP server

Point the scanner at any public repo, npm package, or local path:

npx @mcp-trust/cli scan github:owner/repo

Or add the Action (the one-liner above) to your own repository's .github/workflows/. More: MCP Trust · public benchmark of 452 real MCP servers.

from github.com/SteveMonsway/mcp-trust-demo

Установка Trust Demo

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/SteveMonsway/mcp-trust-demo

FAQ

Trust Demo MCP бесплатный?

Да, Trust Demo MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Trust Demo?

Нет, Trust Demo работает без API-ключей и переменных окружения.

Trust Demo — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить Trust Demo в Claude Desktop, Claude Code или Cursor?

Открой Trust Demo на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Trust Demo with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development