MCP Hammer

v1.0.0 | Security | stable

MCP security testing framework for evaluating Model Context Protocol server vulnerabilities

Tags: ai-security, fastmcp, mcp, model-context-protocol, python
Stars: 29 | Downloads: 0 | Weekly: 0 | 0/5

What is MCP Hammer?

MCP Hammer is a Model Context Protocol (MCP) server that provides an MCP security testing framework for evaluating Model Context Protocol server vulnerabilities, for use with AI assistants like Claude, Cursor, and VS Code.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • MCP security testing framework for evaluating Model Context Protocol server vulnerabilities

Use Cases

  • Security testing
  • Vulnerability evaluation
  • Red team testing

Maintainer: praetorian-inc

License: Apache-2.0
Language: python
Version: v1.0.0
Updated: Apr 24, 2026
Status: healthy
Maintenance: active

Works with

Claude, OpenAI, Windows, macOS, Linux

Installation

Manual Installation

npx mcphammer

Configuration

Configuration Details

Config file: claude_desktop_config.json

Performance

Response Metrics

Response Time: < 200ms
Throughput: Medium

Resource Usage

Memory Usage: Low
CPU Usage: Low

How to Set Up and Use MCP Hammer

MCPHammer is a security research framework from Praetorian built to demonstrate and test vulnerabilities in Model Context Protocol server implementations. It exposes tools that illustrate real attack vectors — including remote file download and execution, arbitrary command execution, configuration sync to a remote management server, and telemetry exfiltration — enabling red teams and security engineers to evaluate whether their MCP client/server stacks are hardened against these risks. It is intentionally malicious by design and should only be deployed in isolated lab environments for research and awareness purposes.

Prerequisites

  • Python 3.10 or higher
  • An Anthropic API key (ANTHROPIC_API_KEY) for the ask_claude tool
  • An isolated lab or VM environment — never deploy on production systems
  • Git to clone the repository
  • An MCP-compatible client for testing (Claude Desktop in a sandboxed environment)

1. Clone the repository in an isolated environment

Clone MCPHammer only inside a dedicated VM or lab environment. Never run this on a development or production machine.

git clone https://github.com/praetorian-inc/MCPHammer.git
cd MCPHammer

2. Create a virtual environment and install dependencies

Set up a Python virtual environment to isolate the package dependencies.

python -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -r requirements.txt

3. Set required environment variables

Configure ANTHROPIC_API_KEY at minimum. CONFIG_SYNC_URL points to the optional remote management server for multi-instance testing.

export ANTHROPIC_API_KEY=your_anthropic_api_key
# Optional: remote management server
export CONFIG_SYNC_URL=http://192.168.1.100:8888/sync
export CONFIG_SYNC_INTERVAL=60

4. Start the MCPHammer server

Launch on the default port or specify a custom port. The server exposes an HTTP endpoint and a stdio interface.

# Default port
python MCPHammer.py

# Custom port
python MCPHammer.py --port 8080

# With remote management server
python MCPHammer.py --config-server 192.168.1.100:8888

5. Connect a sandboxed MCP client for testing

Configure a test instance of Claude Desktop (in the isolated VM) to connect to MCPHammer and observe tool call behaviour.

{
  "mcpServers": {
    "mcphammer": {
      "command": "python",
      "args": ["/path/to/MCPHammer/MCPHammer.py"],
      "env": {
        "ANTHROPIC_API_KEY": "your_key_here"
      }
    }
  }
}
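
An added example, not part of MCPHammer or of the original page: before a server entry like the one above goes into a client, the config file itself can be reviewed. This sketch audits a claude_desktop_config.json-style document for entries that fetch code at launch or hand secrets to the server process, using the two client configurations shown on this page as constructed input; the server names, hint lists and finding labels are assumptions.

```python
import json

# Constructed sample: the two client configs shown on this page, merged under
# hypothetical server names so both are audited in one pass.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "mcphammer-local": {
      "command": "python",
      "args": ["/path/to/MCPHammer/MCPHammer.py"],
      "env": {"ANTHROPIC_API_KEY": "your_key_here"}
    },
    "mcphammer-npx": {"command": "npx", "args": ["-y", "mcphammer"]}
  }
}
"""

SECRET_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD")  # heuristic (assumption)
PACKAGE_RUNNERS = {"npx", "uvx", "bunx"}  # launchers that fetch code at start-up


def audit_mcp_config(text):
    """Return {server_name: [findings]} for every entry under mcpServers."""
    report = {}
    for name, spec in json.loads(text).get("mcpServers", {}).items():
        findings = []
        args = spec.get("args", [])
        # Reduce "C:\\tools\\npx.cmd" or "/usr/bin/npx" to the bare name "npx".
        command = spec.get("command", "").replace("\\", "/")
        base = command.rsplit("/", 1)[-1].split(".")[0].lower()
        if base in PACKAGE_RUNNERS:
            findings.append("fetches-and-runs-package")
            if "-y" in args or "--yes" in args:
                findings.append("install-prompt-suppressed")
        # Every env entry is readable by the server process once it starts.
        for var in spec.get("env", {}):
            if any(hint in var.upper() for hint in SECRET_HINTS):
                findings.append(f"secret-in-env:{var}")
        if any(str(a).startswith(("http://", "https://")) for a in args):
            findings.append("remote-url-argument")
        report[name] = findings
    return report


if __name__ == "__main__":
    for server, findings in audit_mcp_config(SAMPLE_CONFIG).items():
        print(server, "->", findings or ["no findings"])
```

A finding is a prompt for review, not a verdict: an API key in env is expected for the ask_claude tool, and it is also exactly what a hostile server would read.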

MCP Hammer Examples

Client configuration

Test MCP client configuration for evaluating MCPHammer in an isolated security research environment.

{
  "mcpServers": {
    "mcphammer": {
      "command": "python",
      "args": ["/home/researcher/MCPHammer/MCPHammer.py"],
      "env": {
        "ANTHROPIC_API_KEY": "your_anthropic_api_key"
      }
    }
  }
}

Prompts to try

Research prompts to observe MCPHammer's malicious tool behaviour in a controlled setting.

- "What tools does this MCP server expose?"
- "Call the get_server_info tool and show me the server configuration."
- "Use the hello_world tool and observe what text gets injected into the response."
- "Ask Claude to call init and log the network traffic to see what URLs are contacted."

Troubleshooting MCP Hammer

ask_claude tool returns authentication errors

Ensure ANTHROPIC_API_KEY is set in the environment before starting MCPHammer. The key must have access to the Claude API; verify it works with a direct curl call to the Anthropic API endpoint.

CONFIG_SYNC_URL connection times out

This variable is optional. If not running a remote management server, leave it unset. If testing multi-instance sync, ensure the management server at the given IP:port is running and reachable from the test VM.

Session log files grow without bound during testing

MCPHammer logs all tool calls automatically. Periodically clean the session files in the working directory, or mount the directory on a volume with sufficient space for your testing duration.

Frequently Asked Questions about MCP Hammer

What is MCP Hammer?

MCP Hammer is a Model Context Protocol (MCP) server that provides an MCP security testing framework for evaluating Model Context Protocol server vulnerabilities. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install MCP Hammer?

Follow the installation instructions on the MCP Hammer GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with MCP Hammer?

MCP Hammer works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is MCP Hammer free to use?

Yes, MCP Hammer is open source and available under the Apache-2.0 license. You can use it freely in both personal and commercial projects.

MCP Hammer Alternatives — Similar Security Servers

Looking for alternatives to MCP Hammer? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u


Quick Config Preview

{
  "mcpServers": {
    "mcphammer": {
      "command": "npx",
      "args": ["-y", "mcphammer"]
    }
  }
}

Add this to your claude_desktop_config.json or .cursor/mcp.json
