Mcpwn
Verified Safe
by Teycir
Overview
Automated security testing and vulnerability scanning for Model Context Protocol (MCP) servers to detect common vulnerabilities like RCE, path traversal, and injection.
Installation
python3 mcpwn.py python3 test_data/dvmcp_server.py
Environment Variables
- ANTHROPIC_API_KEY
Security Notes
Mcpwn is a security scanner designed to generate and inject malicious payloads into target Model Context Protocol (MCP) servers. Its core function involves executing external processes via `subprocess.Popen` and `subprocess.run` to interact with target servers. While this is inherent to its purpose, users should be aware that running it against untrusted or production systems without permission can have severe consequences, as it actively attempts to exploit vulnerabilities. The code itself does not show direct use of `eval` or intentionally self-destructive behavior. API keys for LLM integration are described as being handled via environment variables or CLI flags, indicating good practice. Local network listeners (HTTP, DNS) are started for out-of-band (OOB) and SSRF detection, which is part of its legitimate testing functionality and not a vulnerability within Mcpwn itself.
Similar Servers
mcp-scanner
A Python tool for scanning MCP (Model Context Protocol) servers and tools for potential security findings by combining Cisco AI Defense inspect API, YARA rules, and LLM-as-a-judge to detect malicious MCP tools.
mcp-watch
A comprehensive security scanner for Model Context Protocol (MCP) servers that detects various vulnerabilities in MCP implementations.
mcp-zap-server
Exposes OWASP ZAP security scanning functionalities as Model Context Protocol (MCP) tools, enabling AI agents to orchestrate security assessments and report generation.
mcp-server-fuzzer
A comprehensive CLI-based fuzzing tool for Model Context Protocol (MCP) servers, designed to find vulnerabilities and validate server conformance through both tool argument fuzzing and protocol type fuzzing across multiple transport protocols (HTTP, SSE, Stdio, StreamableHTTP).