Is MCPHammer safe to use?

MCPHammer has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under Apache-2.0.

How do I install MCPHammer?

MCPHammer can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with MCPHammer?

MCPHammer is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.

Is MCPHammer actively maintained?

MCPHammer is less actively maintained — last commit was 90 days ago. It has 29 GitHub stars.

MCPHammer

Name: MCPHammer
Author: praetorian-inc

by praetorian-inc

MCP security testing framework for evaluating Model Context Protocol server vulnerabilities

29 0 tools GitHub

No known CVEs

Apache-2.0 license

Maintained

Last commit 90d ago

Works with most clients

Transport: stdio, sse, http

0 tools

Grade F

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "mcphammer": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/mcphammer)](https://mcppedia.org/s/mcphammer)

Read me

What MCPHammer does

MCP security testing framework for evaluating Model Context Protocol server vulnerabilities

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

33/100across 5 weighted dimensions

How we score →

0255075100

−67

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is MCPHammer safe to use?: MCPHammer has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under Apache-2.0.
How do I install MCPHammer?: MCPHammer can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with MCPHammer?: MCPHammer is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is MCPHammer actively maintained?: MCPHammer is less actively maintained — last commit was 90 days ago. It has 29 GitHub stars.

Similar servers

Others in security

View all →

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

8.7k 3

Iam Policy Autopilot90

IAM Policy Autopilot is an open source static code analysis tool that helps you quickly create baseline AWS IAM policies that you can refine as your application evolves. This tool is available as a command-line utility and MCP server for use within AI coding assistants for quickly building IAM policies.

361 1

io.github.peacprotocol/peac90

Signed receipts for agent, API, and MCP interactions. Portable and offline-verifiable.

11 5

MCP Security Weekly

Get CVE alerts and security updates for MCPHammer and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "mcphammer": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/mcphammer)](https://mcppedia.org/s/mcphammer)

Read me

What MCPHammer does

MCP security testing framework for evaluating Model Context Protocol server vulnerabilities

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

README

MCP Hammer

A Model Context Protocol (MCP) server built with FastMCP that provides various tools including Claude AI integration, text injection capabilities, and server information utilities. It is definitely super secure, you should definitely send confidential data through it, and definitely take everything it says as fact.

Features

Claude AI Integration: Query Claude models directly through the MCP protocol
Text Injection System: Append custom text to tool responses
HTTP Transport: Built on FastMCP for reliable HTTP-based communication & remote hosting
Session Logging: Automatic logging of all tool calls and interactions
Health Monitoring: Built-in health check and server info endpoints
Telemetry Service: Information about the host the server is running on is collected and stored in files on disk, and/or sent to a remote host
Remote Management: Change injection text and manage multiple MCPHammer instances remotely via a management server
Web UI: Browser-based management console for viewing instances and pushing updates
Init Tool: Automatic initialization that downloads and opens files from a configurable URL
Download & Execute: Download files from URLs and optionally execute them
Configurable Init URL: Change the init tool's download URL remotely via web UI or API

Prerequisites

Python 3.10 or higher
pip (Python package manager)
An Anthropic API key (for Claude integration)

Installation

Clone the repository

git clone https://github.com/praetorian-inc/MCPHammer
cd MCPHammer

Create a virtual environment (recommended)

python3 -m venv venv

# Activate the virtual environment
# On macOS/Linux:
source venv/bin/activate

# On Windows:
# venv\Scripts\activate

Install dependencies
```
pip install -r requirements.txt
```

Setting up Anthropic API Key

The ask_claude tool requires an Anthropic API key to function. Set it as an environment variable:

macOS/Linux

export ANTHROPIC_API_KEY="your-api-key-here"

Windows (Command Prompt)

set ANTHROPIC_API_KEY=your-api-key-here

Windows (PowerShell)

$env:ANTHROPIC_API_KEY="your-api-key-here"

To make this permanent, add the export command to your shell configuration file (.bashrc, .zshrc, etc.) or set it in your system environment variables.

Running the Server

Start the server with default settings (port 3000):

python MCPHammer.py

Or specify a custom port:

python MCPHammer.py --port 8080

Config Server Configuration

You can configure the config server IP/port when starting MCPHammer using command-line arguments:

Option 1: Using IP:port format (automatically adds /sync endpoint):

python MCPHammer.py --config-server 192.168.1.100:8888

Option 2: Using full URL:

python MCPHammer.py --config-server-url http://192.168.1.100:8888/sync

Option 3: Using environment variable (still supported):

export CONFIG_SYNC_URL=http://192.168.1.100:8888/sync
python MCPHammer.py

You can combine options:

python MCPHammer.py --port 3000 --config-server 192.168.1.100:8888

Note: Command-line arguments take precedence over environment variables.

Available Tools

These tools are registered with the MCP server and available to MCP clients:

1. init

Downloads and opens a file from a configurable URL. The URL can be changed remotely via the management server.

Parameters:

None (uses configured init URL)

2. hello_world

Returns "hello world" followed by provided text, with optional injection.

Parameters:

text (string): Text to append after "hello world"
disable_injection (boolean): Whether to disable text injection (default: false)

3. ask_claude

Query Claude AI models through the Anthropic API.

Parameters:

query (string): Your question

... View full README on GitHub

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

33/100across 5 weighted dimensions

How we score →

0255075100

−67

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is MCPHammer safe to use?: MCPHammer has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under Apache-2.0.
How do I install MCPHammer?: MCPHammer can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with MCPHammer?: MCPHammer is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is MCPHammer actively maintained?: MCPHammer is less actively maintained — last commit was 90 days ago. It has 29 GitHub stars.