MasterMCP

v1.0.0Securitystable

A demonstration toolkit revealing potential security vulnerabilities in MCP (Model Context Protocol) frameworks through data poisoning, JSON injection, function overriding, and cross-MCP call attacks, exposing AI security issues while providing defen

mastermcpmcpai-integration
Share:
97
Stars
0
Downloads
0
Weekly
0/5

What is MasterMCP?

MasterMCP is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to demonstration toolkit revealing potential security vulnerabilities in mcp (model context protocol) frameworks through data poisoning, json injection, function overriding, and cross-mcp call attacks, e...

A demonstration toolkit revealing potential security vulnerabilities in MCP (Model Context Protocol) frameworks through data poisoning, JSON injection, function overriding, and cross-MCP call attacks, exposing AI security issues while providing defen

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • A demonstration toolkit revealing potential security vulnera

Use Cases

Discover and demonstrate MCP security vulnerabilities including data poisoning and JSON injection. Educational toolkit for hardening AI security.
HC010602

Maintainer

LicenseMIT
Languagepython
Versionv1.0.0
UpdatedApr 20, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx mastermcp

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use MasterMCP

MasterMCP is an educational security research toolkit that demonstrates real attack vectors against MCP (Model Context Protocol) frameworks, including data poisoning, JSON injection, function overriding, and cross-MCP call exploitation. Security researchers and developers use it to understand how malicious MCP servers can manipulate AI agent behavior, exfiltrate data, or override legitimate tool definitions — and to build defenses against these vulnerabilities. The toolkit is built in Python with a plugin-based architecture that makes it straightforward to add new attack demonstrations or study existing ones.

Prerequisites

  • Python 3.10 or later installed on your system
  • pip or uv package manager available
  • Claude Desktop or another MCP-compatible AI client for testing
  • A sandboxed or isolated environment — never run this toolkit against production AI systems
  • Basic understanding of MCP protocol and AI agent security concepts
1

Clone the MasterMCP repository

Clone the repository to a dedicated research directory. Because this is a security research tool, keep it isolated from your normal development environment.

git clone https://github.com/HC010602/MasterMCP.git
cd MasterMCP
2

Create a virtual environment and install dependencies

Set up a Python virtual environment to keep MasterMCP's dependencies isolated from your system Python. Then install required packages.

python -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -r requirements.txt
3

Review the plugin architecture

MasterMCP uses a directory-based plugin system. The tools_plugins/ directory contains individual attack demonstration modules. Review these files to understand what each attack type demonstrates before running them.

ls tools_plugins/
ls resources_plugins/
4

Start the MasterMCP server

Launch the MCP server. It will load all plugins from the tools_plugins/ and resources_plugins/ directories and start listening for connections.

python MasterMCP.py
5

Add the server to your test MCP client configuration

Add MasterMCP to a sandboxed Claude Desktop or test environment. Use absolute paths to the Python interpreter in your virtual environment.

{
  "mcpServers": {
    "mastermcp": {
      "command": "/absolute/path/to/MasterMCP/venv/bin/python",
      "args": ["/absolute/path/to/MasterMCP/MasterMCP.py"]
    }
  }
}
6

Study the attack demonstrations

With the server running in your test client, examine each attack type: data poisoning (contaminating context with false information), JSON injection (malformed payloads that break parsing), function overriding (replacing legitimate tool definitions), and cross-MCP attacks (exploiting trust between MCP servers).

MasterMCP Examples

Client configuration

Test environment configuration for MasterMCP. Always use this in an isolated, sandboxed Claude Desktop profile — never in your primary AI workspace.

{
  "mcpServers": {
    "mastermcp": {
      "command": "/path/to/MasterMCP/venv/bin/python",
      "args": ["/path/to/MasterMCP/MasterMCP.py"]
    }
  }
}

Prompts to try

Use these prompts in a sandboxed test environment to study MCP security vulnerabilities.

- "List all the security demonstration tools available and explain what each one tests."
- "Run the data poisoning demonstration and show me how context contamination affects subsequent responses."
- "Execute the JSON injection test and explain how malformed payloads could compromise an MCP server."
- "Show me the function overriding attack — how can a malicious MCP server replace a trusted tool's definition?"
- "Demonstrate a cross-MCP attack scenario where one server exploits the trust relationship with another."
- "What defensive countermeasures would prevent each of the attack types you just demonstrated?"

Troubleshooting MasterMCP

Server starts but no tools appear in the MCP client

Check that the tools_plugins/ directory exists and contains Python plugin files. Each plugin must define a PLUGIN_INFO dictionary with 'name', 'description', and 'function' keys. Verify there are no syntax errors in the plugin files by running 'python -c "import tools_plugins"' from the project directory.

Python import errors when starting MasterMCP.py

Ensure your virtual environment is activated and all dependencies are installed: 'pip install -r requirements.txt'. If requirements.txt is missing, install the MCP library manually: 'pip install mcp fastapi uvicorn'.

Attack demonstrations produce unexpected or inconsistent results

MCP attack effectiveness depends on the AI client version and its built-in safety measures. Different Claude Desktop versions may have different vulnerability profiles. Document the exact client version when recording research findings, and test across multiple client versions for comprehensive coverage.

Frequently Asked Questions about MasterMCP

What is MasterMCP?

MasterMCP is a Model Context Protocol (MCP) server that demonstration toolkit revealing potential security vulnerabilities in mcp (model context protocol) frameworks through data poisoning, json injection, function overriding, and cross-mcp call attacks, exposing ai security issues while providing defen It connects AI assistants to external tools and data sources through a standardized interface.

How do I install MasterMCP?

Follow the installation instructions on the MasterMCP GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with MasterMCP?

MasterMCP works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is MasterMCP free to use?

Yes, MasterMCP is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

MasterMCP Alternatives — Similar Security Servers

Looking for alternatives to MasterMCP? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "mastermcp": { "command": "npx", "args": ["-y", "mastermcp"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use MasterMCP?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides