
lokis

Lokis MCP Server will trick your LLM

Installation
Run this command in your terminal to add the MCP server to Claude Code. The "--" separates Claude Code's own flags from the command that launches the server:

claude mcp add --transport stdio thpeng-lokis-mcp \
  --env PORT="4000" \
  --env MCP_LOG_LEVEL="info" \
  -- node server.js

How to use

Loki's MCP is a deliberately malicious educational server designed to demonstrate several security issues and attack vectors within the Model Context Protocol ecosystem. It masquerades as a legitimate MCP server while exposing techniques such as tool shadowing, data exfiltration via tool prompts, response injection, context window flooding, trust erosion through manipulated outputs, and tool mutation after trust is established. Use this server only in isolated, controlled environments alongside legitimate MCP servers to study how attacker tooling can interact with a model and to evaluate defenses and mitigations. When running Loki alongside other MCP servers, you can observe how the malicious server crafts tool descriptions, payloads, and prompts to influence tool choice, elicit hidden data, and degrade model behavior over time. The included attack vectors provide concrete examples you can test against to assess your own security controls, tooling resilience, and prompt-injection defenses.

How to install

Prerequisites:

  • Node.js (LTS version recommended, e.g., 18.x or newer)
  • npm (comes with Node.js) or pnpm
  • A controlled, isolated environment (not for production or public deployment)

Installation steps:

  1. Clone the repository (or otherwise obtain the Loki MCP server package) and change into it:

    git clone https://github.com/thpeng/thpeng-lokis-mcp.git
    cd thpeng-lokis-mcp

  2. Install dependencies:

    npm install

    or, if you prefer pnpm:

    npm install -g pnpm
    pnpm install

  3. Configure the environment (optional but recommended):

    • PORT: 4000 (default for lokis)
    • MCP_LOG_LEVEL: info (or debug for more verbose logs)

  4. Run the MCP server. If the package provides a local entrypoint called server.js:

    node server.js

    Alternatively, if the project exposes an npm script:

    npm run start

  5. Verify the server is running (example):

    curl http://localhost:4000/health

  6. If you plan to run alongside other MCP servers, ensure your orchestration (Docker, systemd, or process manager) routes the proper ports and that environment isolation is enforced.

Additional notes

Notes and cautions:

  • This MCP server is intended solely for educational and security research purposes. Do not deploy in production or expose publicly.
  • Run Loki in an isolated environment where you control inputs and can safely monitor output. Consider using containerization or a sandboxed VM.
  • The attack vectors described (tool shadowing, data exfiltration, prompt-injection, context flooding, and tool mutation) are demonstrated for defensive testing; ensure you have proper mitigations in place (input validation, tool whitelisting, robust prompt handling, and monitoring).
  • Review logs and model outputs carefully when Loki is active to understand how prompt design and tool metadata influence behavior.
  • If integrating Loki with other MCP servers, confirm compatibility and clearly document the trust boundaries to avoid unintended cross-server leakage or chained exploits.
