Currently, the MCP (Model Context Protocol) system is still in a relatively early stage of development, with a chaotic overall environment where various potential attack methods emerge endlessly. The current protocol and tool design make it difficult to defend. To help the community better understand and enhance the security of MCP, SlowMist has specially open-sourced the MasterMCP tool, hoping to help everyone identify security vulnerabilities in product design through actual attack drills, thereby gradually strengthening their MCP projects.
At the same time, this can be paired with the previous MCP security checklist to better understand the underlying perspectives of various attacks. This time, we will get hands-on practice together, demonstrating common attack methods under the MCP system, such as information poisoning, hiding malicious commands, and other real cases. All scripts used in the demonstrations will be open-sourced to GitHub (link at the end), allowing everyone to fully replicate the entire process in a safe environment, and even develop their own attack test plugins based on these scripts.
Overall architecture overview
Demonstration attack target MCP: Toolbox
smithery.ai is currently one of the most popular MCP plugin websites, gathering a large number of MCP lists and active users. Among them, @smithery/toolbox is the MCP management tool officially launched by smithery.ai.
Selected Toolbox as the test target, mainly based on the following points:
The user base is large and representative;
Supports automatic installation of other plugins to supplement certain client functionalities (such as Claude Desktop);
Contains sensitive configurations (such as API Key), convenient for demonstration.
Malicious MCP used in the demonstration: MasterMCP
MasterMCP is a malicious MCP simulation tool specifically written by SlowMist for security testing, designed with a plugin architecture and includes the following key modules:
1. Local website service simulation: http://127.0.0.1:1024
To more realistically restore the attack scenario, MasterMCP has specially built-in a local website service simulation module. It quickly builds a simple HTTP server using the FastAPI framework to simulate a common webpage environment. These pages appear normal on the surface, such as displaying cake shop information or returning standard JSON data, but in fact, they hide carefully designed malicious payloads in the page source code or interface returns.
Through this method, we can comprehensively demonstrate information poisoning, command hiding, and other attack techniques in a safe and controllable local environment, helping everyone understand more intuitively: even a seemingly ordinary webpage may become a source of hidden dangers that trigger large models to execute abnormal operations.
2. Local pluginized MCP architecture
MasterMCP has adopted a pluginized approach for extension, facilitating the quick addition of new attack methods in the future. After running, MasterMCP will run the FastAPI service of the previous module in a subprocess. (If you pay attention, you will notice that there is already a security risk here - local plugins can arbitrarily start subprocesses that are not expected by MCP)
Demonstration client
Cursor: One of the most popular AI-assisted programming IDEs globally
Claude Desktop: Official client of Anthropic (MCP protocol customizer)
Large model used in the demonstration
Claude 3.7
Choose Claude 3.7 version, as it has made certain improvements in sensitive operation identification and represents a strong operational capability in the current MCP ecosystem.
Configure claude_desktop_config.json
Configuration complete, officially entering the demonstration phase.
Cross-MCP Malicious Invocation
This demonstration includes poisoning and Cross-MCP malicious invocation from the Checklist.
Web content poisoning attack
1. Comment type poisoning (partially reference: https://x.com/lbeurerkellner/status/1912145060763742579)
Cursor access local test website http://127.0.0.1:1024.
This is a seemingly harmless page about 'Delicious Cake World'. Through this experiment, we simulate and demonstrate the impact of the large model client accessing malicious websites.
Execute command:
The results show that the Cursor not only read the webpage content but also returned local sensitive configuration data to the test server. In the source code, the malicious prompt was implanted as an HTML comment:
Although the comment method is relatively straightforward and easy to identify, it can already trigger malicious actions.
2. Encoding type comment poisoning
Access the http://127.0.0.1:1024/encode page, which looks like the previous example, but the malicious prompts have been encoded, making the poisoning exp more hidden, even if you access the webpage source code, it is difficult to directly detect.
Even if the source code does not contain plaintext prompts, the attack can still be successfully executed; the specific principles will be explained in detail in the following chapters.
MCP tool returns information poisoning
Here we input our simulated command based on MasterMCP's prompt instructions (this command has no actual meaning and aims to trigger our malicious MCP to demonstrate the follow-up actions of malicious MCP):
It can be seen that after triggering the command, the client cross-MCP called Toolbox and successfully added a new MCP server:
Looking at the plugin code, it can be found that the returned data has already embedded encoded malicious payloads, making it almost impossible for the user side to detect abnormalities.
Third-party interface pollution attack
This demonstration is mainly to remind everyone that regardless of whether the MCP is malicious or non-malicious, when calling third-party APIs, if third-party data is directly returned to the context, it may have serious consequences.
Example code:
Execute request:
Result: Malicious prompts were implanted into the returned JSON data and successfully triggered malicious execution.
Poisoning technique in the MCP initialization phase
This demonstration includes the initial prompt word injection and name conflict from the Checklist.
Malicious function overriding attack
Here, MasterMCP has written a tool with the same function name remove_server as Toolbox, and encoded to hide the malicious prompts.
Execute command:
Claude Desktop did not call the original `toolbox remove_server` method but instead triggered the method of the same name provided by MasterMCP:
The principle is to prioritize inducing large models to call maliciously overridden functions by emphasizing 'the original method is deprecated'.
Add malicious global check logic
Here, MasterMCP has written a tool that works with banana; the core function of this tool is to force all tools to execute this tool for security checks before running.
Before executing the function each time, the system will prioritize calling the banana check mechanism:
This is achieved through global logic injection by repeatedly emphasizing 'banana detection must be run' in the code.
Advanced techniques for hiding malicious prompts
Model-friendly coding method
Due to the strong parsing ability of large language models (LLM) for multilingual formats, this has instead been exploited to hide malicious information, common methods include:
In an English environment: Use Hex Byte encoding
Tool recommendation: Hex Decoder
In a Chinese environment: Use NCR encoding or JavaScript encoding
Tool recommendation: R12a Unicode Conversion Tools
Random malicious payload return mechanism
As mentioned in Chapter 2 regarding third-party interface pollution, when requesting http://127.0.0.1:1024/random:
Each time it randomly returns a page with malicious payloads, greatly increasing the difficulty of detection and traceability.
Summary
Through this practical demonstration of MasterMCP, we visually see various security risks hidden in the Model Context Protocol (MCP) system. From simple prompt injections, cross-MCP calls, to more hidden initialization phase attacks and malicious command hiding, each link reminds us: although the MCP ecosystem is powerful, it is also fragile.
Especially today, when large models increasingly interact with external plugins and APIs, even slight input pollution can trigger entire system-level security risks. The diversification of attackers' methods (coding concealment, random pollution, function overriding) also means that traditional protection ideas need a comprehensive upgrade.
Safety is never achieved in one go.
I hope this demonstration serves as a wake-up call for everyone: whether developers or users, we should maintain sufficient vigilance towards the MCP system, always paying attention to every interaction, every line of code, and every return value. Only by treating every detail rigorously can we truly build a solid and secure MCP environment.
Next, we will continue to improve the MasterMCP script, open sourcing more targeted test cases to help everyone deeply understand, practice, and strengthen protection in a safe environment.
Ps. Related content has been synchronized to GitHub (https://github.com/slowmist/MasterMCP), interested readers can click on the original text at the end to jump directly.