bad-mcp is a collection of intentionally malicious MCP servers designed to demonstrate protocol-level attack patterns against AI clients. The project provides a Docker Compose setup that spins up ten attack servers, each listening on its designated port (8001 through 8010) and exposing an SSE endpoint for MCP clients to connect. Once started, you can connect an SSE-compatible MCP client to the servers via their respective URLs (for example, http://localhost:8001/sse for schema-poison-notes, http://localhost:8002/sse for response-inject-tickets, and so on). The tools highlight vulnerabilities such as full-schema poisoning, tool description manipulation, cross-server tool shadowing, and other MCP protocol tricks. Researchers can observe how clients handle deceptive tool descriptions, mutated schemas, and chained tool outputs across servers.

To experiment, bring up the stack with Docker Compose, then pick a target server to observe. The quick-start tip suggests beginning with tool-poisoning-calc (port 8005) to see straightforward tool description poisoning, and then advancing to true-rug-pull (port 8006) to study how session tools and notifications mutate under attack. Use an MCP client to subscribe to the SSE streams and inspect the tool descriptions, schema changes, and responses to gauge client resilience and mitigation effectiveness.

Prerequisites

• Docker and Docker Compose installed on your machine.
• Basic familiarity with running containers and MCP clients.

Installation steps

1. Clone the repository: git clone https://github.com/your-org/bad-mcp.git cd bad-mcp

2. Ensure Docker is running and Docker Compose is available.

3. Start the MCP stack: docker compose up -d

   or if your setup uses an older syntax: docker-compose up -d

4. Verify containers are running: docker ps

5. Connect an MCP client to any server SSE endpoint, for example:

   • http://localhost:8001/sse
   • http://localhost:8002/sse ... up to http://localhost:8010/sse

6. To stop the stack: docker compose down

   or docker-compose down

Notes and tips:

• This project is for authorized security research and education only. Do not expose to the internet or use in production.
• Each server exposes a dedicated SSE endpoint on ports 8001-8010; use a client that supports the MCP SSE transport to observe tool descriptions, schemas, and resource interactions.
• If you modify the environment, ensure no host network exposure or privileged container settings are enabled.
• Logs and test harnesses live inside Docker; use docker logs <container> to inspect a particular server’s activity.
• This setup emphasizes attack patterns; rely on your MCP client’s resilience checks and mitigation strategies to test defenses.