Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/Puliczek/awesome-mcp-security

πŸ”₯πŸ”’ Awesome MCP (Model Context Protocol) Security πŸ–₯️
https://github.com/Puliczek/awesome-mcp-security

List: awesome-mcp-security

awesome-list bugbounty bugbountytips cybers exploit mcp mcp-client mcp-server mcp-servers pentesting poc security security-writeups writeups

Last synced: 14 days ago
JSON representation

πŸ”₯πŸ”’ Awesome MCP (Model Context Protocol) Security πŸ–₯️

Awesome Lists containing this project

README 

        
🀝 Show your support - give a ⭐️ if you liked the content




---



# **Awesome MCP Security [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)**



Everything you need to know about Model Context Protocol (MCP) security.



## Table of Contents



- [Awesome MCP Security](#awesome-mcp-security-)

  - πŸ“” [Security Considerations](#-security-considerations)

  - πŸ“ƒ [Papers](#-papers)

  - πŸ“Ί [Videos](#-videos)

  - πŸ“• [Articles, X threads and Blog Posts](#-articles-x-threads-and-blog-posts)

  - πŸ§‘β€πŸš€ [Tools and code](#-tools-and-code)

  - πŸ’Ύ [MCP Security Servers](#-mcp-security-servers)

  - πŸ’» [Other Useful Resources](#-other-useful-resources)

 

## πŸ“” Security Considerations

Official Security Considerations from the [Official MCP Specification Rev: 2025-03-26](https://modelcontextprotocol.io/specification/2025-03-26/server/tools)



> [!NOTE] 

> 15.04.2025: The current MCP [auth specification](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization) is in progress of being replaced by a more [robust specification](https://github.com/modelcontextprotocol/specification/pull/284). Please join the conversation if you have concerns around the current auth specification.



- Servers **MUST**:

  - Validate all tool inputs

  - Implement proper access controls

  - Rate limit tool invocations

  - Sanitize tool outputs

    

- Clients **SHOULD**:

  - Prompt for user confirmation on sensitive operations

  - Show tool inputs to the user before calling the server, to avoid malicious or accidental data exfiltration

  - Validate tool results before passing to LLM

  - Implement timeouts for tool calls

  - Log tool usage for audit purposes

    

> [!WARNING]  

> For trust & safety and security, clients **MUST** consider tool annotations to be untrusted unless they come from trusted servers.



> [!WARNING]  

> For trust & safety and security, there **SHOULD** always be a human in the loop* with the ability to deny tool invocations.

>

> Applications **SHOULD**:

>

> - Provide UI that makes clear which tools are being exposed to the AI model.

> - Insert clear visual indicators when tools are invoked.

> - Present confirmation prompts to the user for operations, to ensure a human is in the loop.



> [!NOTE]  

> *Human-in-the-Loop (HITL) means that user help monitor and guide automated tasks, like deciding whether to accept tool requests in Cursor.

 

## πŸ“ƒ Papers



- (2025-04) [MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits by Brandon Radosevich, John Halloran](https://arxiv.org/abs/2504.03767)

- (2025-03) [Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions by Xinyi Hou, Yanjie Zhao, Shenao Wang, Haoyu Wang](https://arxiv.org/abs/2503.23278)



## πŸ“Ί Videos



- (11.04.2025) [This MCP Server Trick Can Steal Your API Keys by Prompt Engineering](https://www.youtube.com/watch?v=86e49wcXst4)

- (09.04.2025) [MCP Servers are Security Nightmares... by Better Stack](https://www.youtube.com/watch?v=CRKYNyMc4PM)

- (03.04.2025) [MCP Security: Vetting Servers to Mitigate Tool Poisoning Attacks by JeredBlue](https://www.youtube.com/watch?v=LYUDUOevtqk)

- (03.04.2025) [Model Context Protocol (MCP) Security Concerns by Cory Wolff](https://www.youtube.com/watch?v=3DEqIquWCQ4)

 

## πŸ“• Articles, X threads and Blog Posts 



- (19.04.2025) [OAuth's Role in MCP Security by Gunnar Peterson](https://defensiblesystems.substack.com/p/oauths-role-in-mcp-security)

- (17.04.2025) [MCP Not Safe - Reasons and Ideas by Phala Network](https://phala.network/posts/MCP-Not-Safe-Reasons-and-Ideas)

- (15.04.2025) [MCP can be a security nightmare for building AI Agents by Rakesh Gohel](https://www.linkedin.com/posts/rakeshgohel01_mcp-can-be-a-security-nightmare-for-building-activity-7317536567315636225-zKFp/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAB_LYZwBepPqbIN5g8KzxPVSyzHNUgJhBew)

- (15.04.2025) [Model Context Protocol (MCP) aka Multiple Cybersecurity Perils by Chris Martorella](https://chrismartorella.ghost.io/model-context-protocol-mcp-aka-multiple-cybersecurity-perils/)

- (14.04.2025) [Model Context Protocol (MCP) Security by Evren](https://evren.ninja/mcp-security.html)

- (14.04.2025) [Security Analysis: Potential AI Agent Hijacking via MCP and A2A Protocol Insights by Nicky](https://medium.com/@foraisec/security-analysis-potential-ai-agent-hijacking-via-mcp-and-a2a-protocol-insights-cd1ec5e6045f)

- (14.04.2025) [MCP Security Checklist: A Security Guide for the AI Tool Ecosystem by slowmist](https://github.com/slowmist/MCP-Security-Checklist)

- (13.04.2025) [Everything Wrong with MCP by Shrivu Shankar](https://blog.sshh.io/p/everything-wrong-with-mcp)

- (11.04.2025) [Diving Into the MCP Authorization Specification by Allen Zhou](https://www.descope.com/blog/post/mcp-auth-spec)

- (11.04.2025) [Vulnerability Discovered in Base-MCP: Hackers Can Redirect Transactions on Cursor AI and Anthropic Claude by @jlwhoo7](https://x.com/jlwhoo7/status/1911056723710026120)

- (09.04.2025) [Here's an example of remote MCP malware that steals your .env secrets in @cursor_ai by Maciej Pulikowski](https://x.com/pulik_io/status/1910053590921535992)

- (09.04.2025) [Old Security Rakes In New MCP Yards by Den Delimarsky](https://den.dev/blog/security-rakes-mcp/)

- (09.04.2025) [Model Context Protocol has prompt injection security problems by Simon Willisons](https://simonwillison.net/2025/Apr/9/mcp-prompt-injection/)

- (07.04.2025) [(RFC) Update the Authorization specification for MCP servers #284 by localden](https://github.com/modelcontextprotocol/modelcontextprotocol/pull/284)

- (07.04.2025) [Improving The Model Context Protocol Authorization Spec - One RFC At A Time by Den Delimarsky](https://den.dev/blog/model-context-protocol-oauth-rfc/)

- (07.04.2025) [Running MCP Tools Securely by mcp.run](https://docs.mcp.run/blog/2025/04/07/mcp-run-security/)

- (07.04.2025) [WhatsApp MCP Exploited: Exfiltrating your message history via MCP by invariantlabs.ai](https://invariantlabs.ai/blog/whatsapp-mcp-exploited)

- (07.04.2025) [An Introduction to MCP and Authorization by auth0](https://auth0.com/blog/an-introduction-to-mcp-and-authorization/)

- (06.04.2025) [The β€œS” in MCP Stands for Security by Elena Cross](https://elenacross7.medium.com/%EF%B8%8F-the-s-in-mcp-stands-for-security-91407b33ed6b)

- (04.04.2025) [MCP Servers are not safe! by Mehul Gupta](https://medium.com/data-science-in-your-pocket/mcp-servers-are-not-safe-bfbc2bb7aef8)

- (03.04.2025) [Let's fix OAuth in MCP by Aaron Parecki](https://aaronparecki.com/2025/04/03/15/oauth-for-model-context-protocol)

- (03.04.2025) [MCP Resource Poisoning Prompt Injection Attacks by Bernard IQ](https://www.bernardiq.com/blog/resource-poisoning/)

- (01.04.2025) [MCP Security Notification: Tool Poisoning Attacks by invariantlabs.ai](https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks)

- (31.03.2025) [The MCP Authorization Spec Is... a Mess for Enterprise by Christian Posta](https://blog.christianposta.com/the-updated-mcp-oauth-spec-is-a-mess/)

- (31.03.2025) [Securing the Model Context Protocol by Alex Rosenzweig](https://block.github.io/goose/blog/2025/03/31/securing-mcp/)

- (29.03.2025) [MCP Servers: The New Security Nightmare by equixly.com](https://equixly.com/blog/2025/03/29/mcp-server-new-security-nightmare)

- (23.03.2025) [AI Model Context Protocol (MCP) and Security by Cisco](https://community.cisco.com/t5/security-blogs/ai-model-context-protocol-mcp-and-security/ba-p/5274394)

- (13.02.2025) [Chained commands (&&) bypass yolo mode β€œdenylist” in Cursor by lukemmtt](https://forum.cursor.com/t/chained-commands-bypass-yolo-mode-denylist/50775)



## πŸ§‘β€πŸš€ Tools and code

- [mcpscan.ai](https://mcpscan.ai/)

- [Damn Vulnerable MCP Server by harishsg993010](https://github.com/harishsg993010/damn-vulnerable-MCP-server)

- [ToolHive - making MCP servers easy and secure by StacklokLabs](https://github.com/StacklokLabs/toolhive)

- [MCP-Shield – Detect security issues in MCP servers by riseandignite](https://github.com/riseandignite/mcp-shield)

- [mcp-scan by invariantlabs-ai](https://github.com/invariantlabs-ai/mcp-scan)

- [MCP Ethical Hacking by cmpxchg16](https://github.com/cmpxchg16/mcp-ethical-hacking)

- [mcp-injection-experiments by invariantlabs-ai](https://github.com/invariantlabs-ai/mcp-injection-experiments)



## πŸ’Ύ MCP Security Servers

- [GhidraMCP by LaurieWired](https://github.com/LaurieWired/GhidraMCP) - MCP server for automatic reverse engineering in Ghidra, a software reverse engineering platform.

- [IDA-Pro-MCP by mrexodia](https://github.com/mrexodia/ida-pro-mcp) - MCP server for reverse engineering in IDA Pro, a tool for analyzing software and binary files.

- [binaryninja-mcp by MCPPhalanx](https://github.com/MCPPhalanx/binaryninja-mcp) - MCP server for Binary Ninja, a binary analysis tool.

- [Burp Suite MCP by PortSwigger](https://github.com/PortSwigger/mcp-server) - MCP integration for web security testing in Burp Suite, a security testing tool for web applications.

- [BloodHound-MCP-AI by MorDavid](https://github.com/MorDavid/BloodHound-MCP-AI) - MCP server integration for BloodHound, a tool for analyzing Active Directory domains.

- [RoadRecon MCP by atomicchonk](https://github.com/atomicchonk/roadrecon_mcp_server) - MCP server for Azure AD data analysis with ROADRecon, a tool for mapping Azure Active Directory environments.

- [Jadx MCP Plugin by mobilehackinglab](https://github.com/mobilehackinglab/jadx-mcp-plugin) - Jadx plugin for MCP server access via HTTP, used for decompiling Android apps.

- [VirusTotal MCP Server by BurtTheCoder](https://github.com/BurtTheCoder/mcp-virustotal) - MCP server for querying the VirusTotal API, a service for analyzing files and URLs for viruses.

- [Shodan MCP Server by BurtTheCoder](https://github.com/BurtTheCoder/mcp-shodan) - MCP server for querying the Shodan API, which provides data on Internet-connected devices.

- [DNStwist MCP Server by BurtTheCoder](https://github.com/BurtTheCoder/mcp-dnstwist) - MCP server for DNS fuzzing with dnstwist, a tool for detecting phishing and domain takeover threats.

- [Maigret MCP Server by BurtTheCoder](https://github.com/BurtTheCoder/mcp-maigret) - MCP server for OSINT data collection with Maigret, a tool that gathers user info from various sources.

  

## πŸ’» Other Useful Resources



- (31.03.2025) [I gave Claude root access to my server... Model Context Protocol explained by Fireship](https://www.youtube.com/watch?v=HyzlYwjoXOQ)

- (17.03.2025) [Model Context Protocol (MCP): The Key To Agentic AI by Jack Herrington](https://www.youtube.com/watch?v=VChRPFUzJGA)

- [Official MCP Specification](https://modelcontextprotocol.io/specification/2025-03-26/server/tools)

- [Model Context Protocol - Official MCP website](https://modelcontextprotocol.io/) 



 

# 😎 Contributing

πŸ‘πŸŽ‰ First off, thanks for taking the time to contribute! πŸŽ‰πŸ‘



[Please read and follow our contributing guide](https://github.com/Puliczek/awesome-mcp-security/blob/main/CONTRIBUTING.md)



Thanks! πŸ¦„



# 🀝 Show your support



🀝 Show your support - give a ⭐️ if you liked the content



# βœ”οΈ Disclaimer

This project can only be used for educational purposes. Using this resource against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.