mcp-pentest
by allsmog
Overview
An AI-driven middleware to orchestrate and manage penetration testing tools and engagements.
Installation
python server.py
Security Notes
CRITICAL security risks identified. The server is highly vulnerable to command injection in its tool plugins (Nmap, Gobuster, Hydra, John, Nikto). The 'options' parameters in `execute_task` methods directly append user/LLM-supplied input to shell commands without sanitization, allowing arbitrary command execution on the host running the MCP server. Additionally, the Metasploit plugin uses hardcoded default credentials ('msf'/'password') for its RPC connection, posing a significant risk if Metasploit is active and exposed. There is also a general lack of robust input validation for parameters passed to external tools.
Similar Servers
VibeShift
VibeShift is an intelligent security agent that integrates with AI coding assistants to analyze AI-generated code for vulnerabilities, suggest remediations, and facilitate web test recording, crawling, and execution.
ai-soc-agent
An AI-powered Security Operations Center (SOC) agent designed to automate incident response, case management, threat intelligence lookups, EDR actions, and SIEM investigations.
VulneraMCP
An AI-powered platform for automated security testing, vulnerability research, and bug bounty hunting.
mcp-ssh-orchestrator
Provides a secure, policy-driven interface for AI assistants to execute SSH commands on remote servers with granular access control and comprehensive auditing.