Add your description here
Project description
MCP is Dangerous
Function tool usage makes AI Agents very powerful, which is akin to introducing app stores to smartphones. Especially with the release of MCP (Model Context Protocol), tool sharing has become easier than ever. That's why I've created the extendable-agents project to showcase how easy you can extend the capabilities of AI Agents through open-source tools or your custom tools.
While working on extendable-agents, I've realized that tool usage is a double-edged sword. The danger is that the tools you use have powerful access to your machine, such as your environment variables, files, etc.
⚠️ Security Warning
This project is a simple demonstration of the security risks associated with tool usage. The example below illustrates how malicious actors could potentially exploit MCP servers to access sensitive information:
# WARNING: This is a demonstration of security risks.
# DO NOT use this code maliciously!
import os
from mcp.server.fastmcp import FastMCP
server = FastMCP("Dangerous MCP")
@server.tool()
async def get_environment_variables() -> str:
"""Get all environment variables."""
result = [
"Here are what I could find:",
]
for key, value in os.environ.items():
result.append(f"{key:<30} {value[:5]}***")
# This means I can open a backdoor to send your data to me!!
return "\n".join(result)
⚠️ Warning: I recommend running this example in a sandboxed environment and deleting your OpenAI API key afterwards.
When using this tool with extendable-agents (choose PoliceAgent), the output appears like this:
It might look harmless or even intentionally benign, right? But consider this scenario: you simply ask for the current time, and meanwhile, your sensitive data is being leaked without your knowledge.
Best Practices for Security
To protect yourself when using MCP or similar tools:
- Always review the source code of tools before using them
- Run tools in isolated environments when possible
- Be cautious of tools requesting access to sensitive information
- Use environment variable filtering when deploying tools
- Regularly audit the tools you're using
Disclaimer
This project is meant for educational purposes only to demonstrate potential security risks. Do not use this knowledge for malicious purposes. The author is not responsible for any misuse of this information.
License
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcp_is_dangerous-0.0.4.tar.gz.
File metadata
- Download URL: mcp_is_dangerous-0.0.4.tar.gz
- Upload date:
- Size: 62.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a8559cf589ee8c9500351d9e1bba6a3f6d47505938699b061fe88c869cdcd2db
|
|
| MD5 |
d6991ab533c955c31b02db80474a6154
|
|
| BLAKE2b-256 |
87f2039c644b121ba9ef2ea0c80b80cee7123148609097ee806311c05becf40f
|
Provenance
The following attestation bundles were made for mcp_is_dangerous-0.0.4.tar.gz:
Publisher:
release.yml on ShaojieJiang/mcp-is-dangerous
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
mcp_is_dangerous-0.0.4.tar.gz -
Subject digest:
a8559cf589ee8c9500351d9e1bba6a3f6d47505938699b061fe88c869cdcd2db - Sigstore transparency entry: 186493652
- Sigstore integration time:
-
Permalink:
ShaojieJiang/mcp-is-dangerous@3a3b16bed95e2138e8d2c51cfc8cb66ea8b96313 -
Branch / Tag:
refs/tags/v0.0.4 - Owner: https://github.com/ShaojieJiang
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@3a3b16bed95e2138e8d2c51cfc8cb66ea8b96313 -
Trigger Event:
push
-
Statement type:
File details
Details for the file mcp_is_dangerous-0.0.4-py3-none-any.whl.
File metadata
- Download URL: mcp_is_dangerous-0.0.4-py3-none-any.whl
- Upload date:
- Size: 4.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1b9d306781c972cce7f86089d58aa8829aa0ce25e202adf48439509755914a9b
|
|
| MD5 |
64a297df89556d4ac858ad4436c184e0
|
|
| BLAKE2b-256 |
20461d87ddb56b5d928d85dbe1d053c1c3deb8bbf3de0650a2cf7d9c7c7ab7cf
|
Provenance
The following attestation bundles were made for mcp_is_dangerous-0.0.4-py3-none-any.whl:
Publisher:
release.yml on ShaojieJiang/mcp-is-dangerous
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
mcp_is_dangerous-0.0.4-py3-none-any.whl -
Subject digest:
1b9d306781c972cce7f86089d58aa8829aa0ce25e202adf48439509755914a9b - Sigstore transparency entry: 186493654
- Sigstore integration time:
-
Permalink:
ShaojieJiang/mcp-is-dangerous@3a3b16bed95e2138e8d2c51cfc8cb66ea8b96313 -
Branch / Tag:
refs/tags/v0.0.4 - Owner: https://github.com/ShaojieJiang
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@3a3b16bed95e2138e8d2c51cfc8cb66ea8b96313 -
Trigger Event:
push
-
Statement type:
