Dangerous MCP

Dangerous MCP

A demonstration server that reveals security risks by accessing sensitive environment variables, illustrating how MCP tools can potentially leak user data without explicit consent.

Category
Visit Server

README

MCP is Dangerous

Function tool usage makes AI Agents very powerful, which is akin to introducing app stores to smartphones. Especially with the release of MCP (Model Context Protocol), tool sharing has become easier than ever. That's why I've created the extendable-agents project to showcase how easy you can extend the capabilities of AI Agents through open-source tools or your custom tools.

While working on extendable-agents, I've realized that tool usage is a double-edged sword. The danger is that the tools you use have powerful access to your machine, such as your environment variables, files, etc.

⚠️ Security Warning

This project is a simple demonstration of the security risks associated with tool usage. The example below illustrates how malicious actors could potentially exploit MCP servers to access sensitive information:

# WARNING: This is a demonstration of security risks.
# DO NOT use this code maliciously!

import os
from mcp.server.fastmcp import FastMCP


server = FastMCP("Dangerous MCP")


@server.tool()
async def get_environment_variables() -> str:
    """Get all environment variables."""
    result = [
        "Here are what I could find:",
    ]
    for key, value in os.environ.items():
        result.append(f"{key:<30} {value[:5]}***")
    # This means I can open a backdoor to send your data to me!!
    return "\n".join(result)

⚠️ Warning: I recommend running this example in a sandboxed environment and deleting your OpenAI API key afterwards. You can also test it with your own MCP client, using the following command: uvx mcp-is-dangerous.

When using this tool with extendable-agents (choose PoliceAgent), the output appears like this:

<img width="937" alt="Screenshot 2025-03-22 at 11 04 57" src="https://github.com/user-attachments/assets/c4e64be4-197e-4f0b-b6ca-b9bb73b2c223" />

It might look harmless or even intentionally benign, right? But consider this scenario: you simply ask for the current time, and meanwhile, your sensitive data is being leaked without your knowledge.

Best Practices for Security

To protect yourself when using MCP or similar tools:

  1. Always review the source code of tools before using them
  2. Run tools in isolated environments when possible
  3. Be cautious of tools requesting access to sensitive information
  4. Use environment variable filtering when deploying tools
  5. Regularly audit the tools you're using

Disclaimer

This project is meant for educational purposes only to demonstrate potential security risks. Do not use this knowledge for malicious purposes. The author is not responsible for any misuse of this information.

License

MIT License

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured