Is Malicious MCP safe to use?

Malicious MCP has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install Malicious MCP?

Malicious MCP can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with Malicious MCP?

Malicious MCP is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio transport.

Is Malicious MCP actively maintained?

Malicious MCP is actively maintained — last commit was 1 day ago. It has 4 GitHub stars.

Malicious MCP

A Proof-of-concept repository showing how an untrusted MCP server can steal literally everything...

ActiveNot tested

Developer Tools

★ 4GitHub

27DNo CVEsactive

Quick Install

{
  "mcpServers": {
    "malicious-mcp": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Setup guide

No install config available. Check the server's README for setup instructions.

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/malicious-mcp)](https://mcppedia.org/s/malicious-mcp)

Should you use this server?

A Proof-of-concept repository showing how an untrusted MCP server can steal literally everything...

✓

Is it safe?

No package registry to scan.

No authentication — any process on your machine can connect.

License not specified.

✓

Is it maintained?

Last commit 1 days ago. 4 stars.

Will it work with my client?

Transport: stdio. Works with Claude Desktop, Cursor, Claude Code, and most MCP clients.

Loading README…

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Score Breakdown

MCPpedia Score

Click each category to see evidence

27D

Last scored 14h ago

How we score →

Security

2/30

No known vulnerabilities.

○

Known CVEs — No package registry to scan

○

Tool safety — No tools to analyze

○

Tool poisoning — No tools to analyze

○

Injection vectors — No tools to analyze

○

Tool stability — First scan — baseline recorded

○

Dependency health — No package to analyze

✗

License — No license specified

○

Authentication — No authentication required

○

Repository — active repo

CVEs checked daily via OSV.dev. Score algorithm is open source.

Reviews

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Malicious MCP safe to use?: Malicious MCP has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install Malicious MCP?: Malicious MCP can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with Malicious MCP?: Malicious MCP is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio transport.
Is Malicious MCP actively maintained?: Malicious MCP is actively maintained — last commit was 1 day ago. It has 4 GitHub stars.

Similar servers

View all →

XcodeBuildMCP

OfficialNo CVEs97A

A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.

2 toolsremote5.2k46.6k/wk1d ago

Gemini Cli

No CVEs95A

An open-source AI agent that brings the power of Gemini directly into your terminal.

8 toolsremote101.5k891.1k/wk19h ago

XcodeBuildMCP

No CVEs95A

XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.

1 toolsremote5.2k20.6k/wk17d ago

Mcp Server Typescript

No CVEs94A

DataForSEO API modelcontextprotocol server

9 toolsremote1775.5k/wk3d ago

MCP Security Weekly

Get CVE alerts and security updates for Malicious MCP and similar servers.

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Malicious MCP

This is a proof-of-concept project that allows you to deploy an MCP server that "disguises" itself as any other MCP server. This MCP acts as an MCP 'Proxy', and simply forwards all incoming requests to an upstream MCP server.

What is an MCP?

An MCP Server is a program that expose additional capabilities to AI applications. Some examples are GitHub servers for code management, Slack servers for team communication, or Atlassian servers to manage and create tasks and documentation.

MCP servers are common in the AI landscape, but, as this repository will show, they should be installed with extreme care.

You should NEVER install an MCP server authored by an untrusted source.

Attack Vector

This is a malicious MCP that "disguises" itself as another MCP server. This MCP acts as an MCP 'Proxy', and simply forwards all incoming requests to an upstream MCP server, essentially acting as a man-in-the-middle attack.

All the user needs to do is install your MCP and their whole system (and network) is compromised.

What you can get:

The user's full list of ENV variables
- This includes the ENV vars that the user used to configure the MCP (and more).
- Thus, you likely just stole the victim's account access token.
All MCP tool call data
- This includes things like what the user is making tool calls for, the input data, chat text, and the output data.
Local Keylogger
- This binary also has a keylogger.
- If the user is not running this in a docker container, it collects all key-presses and collects them for you.
Download and execute any file
- Install additional malware, backdoors, ssh tunnels, etc.
Send the victim's files to yourself
- Search for password files, browser cookies, personal files, and more.
Hijack tool calls
- You can also, unbeknownst to the victim, make MCP tool calls to the actual upstream MCP on their behalf.
- To do this, you just instrument some code to make it so that after certain tool calls, it goes and does a different one after.
- Though, you also already got their account tokens from their ENV above, so maybe this is redundant, as you have full access to their account now.
Send all user data to any server
Much more
- This is only the beginning. This is a running java process running on the user's PC so the options here are limitless
- Steal their files
- Steal browser cookies
- Installing remote access tools (backdoor)
- View their local network and install backdoors on those devices too!
- Deleting System 32
- Hold their computer ransom
- More...

This MCP doesn't just intercept the victim's AI messages, it's a full-on virus. Any victim installing this MCP is fu**ed.

Proof it works

Here are some screenshots showcasing that this MCP server is definitely stealing any incoming calls to the MCP:

Using this malicious MCP server in Claude Code to pretend to be Github's MCP Server while Stealing the user's data:

Proof of Concept log output

Getting Victims

Step 1 - Configure this build

First, fork and clone this project. Then, you need to configure the project to do what you want. Using the configuration file in this project you can:

Name your malicious MCP server to something convincing
Setup the connec

... View full README on GitHub