MCP-Penetration-testing

The ultimate OWASP MCP Top 10 security checklist and pentesting framework for Model Context Protocol (MCP), AI agents, and LLM-powered systems.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio mr-infect-mcp-penetration-testing node path/to/server.js \
  --env API_KEY="your-api-key" \
  --env LOG_LEVEL="info" \
  --env MOCK_MODE="true"

How to use

This MCP server implementation provides a structured penetration-testing framework aligned to the MCP Top 10. It exposes a suite of checks and tooling designed to simulate real-world MCP security scenarios, including token mismanagement, privilege escalation via scope creep, tool poisoning, supply chain integrity checks, command and prompt injection vectors, and auditing/telemetry verification. Use the server to run automated checks, generate a measurable security score, and produce actionable remediation guidance. The available tools map directly to the MCP domains: token handling tests, access control and authentication validation, input/output sanitization checks, dependency integrity assessments, and detection/telemetry validation. When you start the server, it will orchestrate these tests, produce results, and summarize risk levels for each MCP Top 10 item.

How to install

Prerequisites:

  • Node.js (v14+ recommended) and npm
  • Access to the MCP server repository (clone or download)

Step-by-step:

  1. Install dependencies
    • git clone <repository-url>
    • cd MCP-Penetration-testing
    • npm install

  2. Configure environment (optional but recommended)
    • Create a .env file or export environment variables: API_KEY=your-api-key MOCK_MODE=true LOG_LEVEL=info

  3. Run the MCP server
    • node path/to/server.js

  4. Verify the server is running
    • Access the provided HTTP interface or API endpoints as documented in the repository (e.g., http://localhost:3000 or the configured port).

Additional notes

Tips and considerations:

  • If you encounter port conflicts, change the server port in your configuration or via an ENV variable (e.g., PORT).
  • Ensure API_KEY and any credentials used by tests are securely stored and rotated regularly.
  • The framework is designed to be extensible; you can add new MCP test modules by following the repository's module pattern and updating the master checklist mappings.
  • For reproducible results, run in a controlled lab environment and document test dates and scores as part of your audit trail.
  • If you see false positives, review the detection rules and adjust thresholds or disable specific tests with environment flags.
