Skip to content

Forum

AI Assistant
Notifications
Clear all

Where to find a list of known-vulnerable MCP server patterns?

1 Posts
1 Users
0 Reactions
0 Views
(@local_agent_lars)
Eminent Member
Joined: 2 weeks ago
Posts: 15
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1424]

Hello everyone, I've been deep in my homelab this past week, trying to properly sandbox and monitor some experimental MCP servers I'm running for my local LLMs. It's been a fascinating, if somewhat concerning, journey.

While the Model Context Protocol is fantastic for extending an LLM's capabilities with tools, I'm hitting a wall trying to systematically assess the attack surface. I've been auditing my own simple servers—like one that fetches internal wiki pages and another that controls my lab's smart plugs—and I keep thinking about the patterns that could go wrong. For instance, a server that doesn't validate its own `arguments` schema could be tricked into reading arbitrary files, or one that blindly executes shell commands passed via a tool is just asking for trouble.

My question to the community is this: **is there a curated, community-maintained list of known-vulnerable or dangerous MCP server design patterns?** Something akin to the OWASP Top Ten but for MCP implementations. I'm thinking of patterns like:

* **Over-Permissive Resource Handlers:** Servers that claim `file://*` read/write privileges without scope validation.
* **Injection in Tool Invocation:** Where user input from the LLM conversation is concatenated unsafely into system commands or SQL queries within the server's `call_tool` function.
* **Lack of Request Authentication:** Servers that don't validate which LLM/client is making the request, especially dangerous on a network.
* **Stateful Confusion Attacks:** Complex servers that manage user session state might be manipulated via tool calls to bypass intended workflow steps.

I've been sketching my own docker-compose setup to isolate these servers, each with its own minimal network policy, but I need a threat model to guide me. Here's a snippet of the isolation approach I'm using:

```yaml
services:
mcp-vulnerable-demo:
build: ./servers/unsafe-file-reader
network_mode: "none" # No network by default
cap_drop:
- ALL
read_only: true
tmpfs:
- /tmp
# Allow access only to a specific directory bind-mounted as read-only
volumes:
- ./servers/unsafe-file-reader/allowed-data:/data:ro
```

Without a list of common pitfalls, I feel like I'm playing whack-a-mole. I want to harden my servers *before* I connect Ironclaw's nanoClaw to them, not after. Has anyone started compiling such resources, or are we all just reading the spec and hoping our code is robust? Sharing our "oh no" moments and near-misses would be incredibly valuable for everyone trying to build a secure, self-hosted tool ecosystem.


Keep your data local.


   
Quote