The MCP (Model Context Protocol) system is still in the early stages of development, with a chaotic overall environment and various potential attack methods emerging continuously. The current design of protocols and tools makes it difficult to defend against these attacks. To help the community better understand and enhance the security of MCP, SlowMist has specially open-sourced the MasterMCP tool, hoping to assist everyone in timely identifying security vulnerabilities in product design through practical attack drills, thereby gradually strengthening their MCP projects.

At the same time, it can be paired with the previous issue's MCP security checklist to better understand the underlying perspectives of various attacks. This time, we will guide you through hands-on practice, demonstrating common attack methods under the MCP system, such as information poisoning and hidden malicious commands, with real cases. All scripts used in the demonstrations will also be open-sourced on GitHub (link at the end), allowing everyone to fully replicate the entire process in a safe environment and even develop their own attack testing plugins based on these scripts.

Overall Architecture Overview

Demonstration Attack Target MCP: Toolbox

smithery.ai is currently one of the most popular MCP plugin websites, gathering a large number of MCP listings and active users. Among them, @smithery/toolbox is the official MCP management tool launched by smithery.ai.

Choosing Toolbox as the test target is mainly based on the following points:

• A large user base, making it representative;
• Supports automatic installation of other plugins, supplementing some client functionalities (e.g., Claude Desktop);
• Contains sensitive configurations (e.g., API Key), making it convenient for demonstration.

Demonstration Malicious MCP: MasterMCP

MasterMCP is a simulated malicious MCP tool specifically written by SlowMist for security testing, designed with a plugin architecture that includes the following key modules:

1. Local Website Service Simulation: http://127.0.0.1:1024

To more realistically restore the attack scenario, MasterMCP has a built-in local website service simulation module. It quickly sets up a simple HTTP server using the FastAPI framework, simulating a common web environment. These pages appear normal on the surface, such as displaying information about a cake shop or returning standard JSON data, but in reality, they hide carefully designed malicious payloads in the page source code or API responses.

In this way, we can fully demonstrate attack techniques such as information poisoning and command hiding in a safe and controlled local environment, helping everyone to understand more intuitively: even a seemingly ordinary webpage can become a source of hidden risks that trigger abnormal operations in large models.

2. Local Plugin-based MCP Architecture

MasterMCP adopts a plugin-based approach for expansion, facilitating the quick addition of new attack methods in the future. After running, MasterMCP will run the FastAPI service of the previous module in a subprocess. (If you pay attention, you will notice that there is already a security risk here — local plugins can arbitrarily start subprocesses that are not expected by MCP.)

Demonstration Client

• Cursor: One of the most popular AI-assisted programming IDEs globally
• Claude Desktop: The official client from Anthropic (the customizer of the MCP protocol)

Demonstration Large Model Used

• Claude 3.7

The Claude 3.7 version was chosen due to its improvements in sensitive operation recognition and its representation of strong operational capabilities in the current MCP ecosystem.

Configuration claudedesktopconfig.json

{ "mcpServers": { "toolbox": { "command": "npx", "args": [ "-y", "@smithery/cli@latest", "run", "@smithery/toolbox", "--config", "{\"dynamic\":false,\"smitheryApiKey\":\"ec1f0fa8-5797-8678-sdaf-155d4584b133\"}", "--key", "ec1f0fa8-5797-8678-sdaf-155d4584b133" ] }, "MasterMCP": { "command": "/Users/xxx/Desktop/EvilMCP/bin/python", "args": [ "/Users/xxx/Desktop/EvilMCP/MasterMCP.py" ] } }}

With the configuration complete, we officially enter the demonstration phase.

Cross-MCP Malicious Invocation

This demonstration includes two contents from the Checklist: poisoning and Cross-MCP malicious invocation.

Web Content Poisoning Attack

1. Comment-based Poisoning (partially referenced: https://x.com/lbeurerkellner/status/1912145060763742579)

Cursor accesses the local test website http://127.0.0.1:1024.

This is a seemingly harmless page about "Delicious Cake World." Through this experiment, we simulate and demonstrate the impact of a large model client accessing a malicious website.

Executing command:

Fetch the content of http://127.0.0.1:1024

The result shows that Cursor not only read the webpage content but also returned local sensitive configuration data to the test server. In the source code, the malicious prompt is embedded in the form of an HTML comment:

Although the comment method is relatively straightforward and easy to identify, it can already trigger malicious operations.

2. Encoded Comment Poisoning

Access http://127.0.0.1:1024/encode, which is a webpage that looks the same as the previous example, but the malicious prompt has been encoded, making the poisoning more covert and difficult to detect even when viewing the webpage source code.

Even if the source code does not contain plaintext prompts, the attack still executes successfully, and the specific principle will be explained in detail in subsequent chapters.

MCP tool returns information poisoning

Here, we input our simulated command based on MasterMCP's prompt (this command has no actual meaning and is intended to trigger our malicious MCP to demonstrate the subsequent operations of the malicious MCP):

get a lot of apples

As seen, after triggering the command, the client cross-invoked Toolbox and successfully added a new MCP server:

Reviewing the plugin code reveals that the returned data has already embedded the encoded malicious payload, making it nearly impossible for the user to detect any anomalies.

Third-party interface pollution attack

This demonstration is primarily to remind everyone that whether malicious or non-malicious MCP, when calling third-party APIs, directly returning third-party data to the context can have serious consequences.

Example code:

Executing request:

Fetch json from http://127.0.0.1:1024/api/data

Result: Malicious prompts were embedded in the returned JSON data and successfully triggered malicious execution.

Poisoning Techniques in the MCP Initialization Phase

This demonstration includes two contents from the Checklist: initial prompt injection and name conflict.

Malicious Function Override Attack

Here, MasterMCP has written a tool with the same function name remove_server as Toolbox, and has encoded and hidden the malicious prompt.

Executing command:

toolbox remove fetch plugin server

Claude Desktop did not call the original toolbox remove_server method, but instead triggered the method of the same name provided by MasterMCP:

The principle is to emphasize that "the original method has been deprecated," thereby inducing the large model to call the malicious overridden function first.

Adding Malicious Global Check Logic

Here, MasterMCP has written a tool with the same name as banana, which forces all tools to execute this tool for a security check before running.

Before executing any function, the system will prioritize calling the banana check mechanism:

This is achieved by repeatedly emphasizing in the code that "the banana check must be run," thereby injecting global logic.

Advanced Techniques for Hiding Malicious Prompts

Large Model Friendly Encoding Methods

Due to the strong parsing ability of large language models (LLM) for multilingual formats, this can be exploited to hide malicious information. Common methods include:

• In English environments: using Hex Byte encoding

Recommended tool: Hex Decoder

• In Chinese environments: using NCR encoding or JavaScript encoding

Recommended tool: R12a Unicode Conversion Tools

Random Malicious Payload Return Mechanism

As mentioned in Chapter 2 regarding third-party interface pollution, when requesting http://127.0.0.1:1024/random:

Each time, a page with a random malicious payload is returned, greatly increasing the difficulty of detection and tracing.

Conclusion

Through this practical demonstration of MasterMCP, we have intuitively seen various hidden security risks within the Model Context Protocol (MCP) system. From simple prompt injection and cross-MCP calls to more covert initialization phase attacks and hidden malicious commands, each link reminds us: while the MCP ecosystem is powerful, it is equally fragile.

Especially today, as large models increasingly interact with external plugins and APIs, even a small input pollution can trigger system-level security risks. The diversification of attackers' methods (encoding hiding, random pollution, function overriding) also means that traditional protective thinking needs a comprehensive upgrade.

Security is never achieved overnight.

We hope this demonstration serves as a wake-up call: whether developers or users, everyone should maintain sufficient vigilance towards the MCP system, always paying attention to every interaction, every line of code, and every return value. Only by treating every detail rigorously can we truly build a solid and secure MCP environment.

Next, we will continue to improve the MasterMCP script and open-source more targeted test cases to help everyone deeply understand, practice, and strengthen protection in a safe environment.

Ps. Related content has been synchronized to GitHub (https://github.com/slowmist/MasterMCP). Interested readers can click the link at the end to jump directly to the original article.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。