damn-vulnerable-MCP-Server
An intentionally vulnerable Model Context Protocol (MCP) server and companion web tools (inspector, dashboard, exfil listener) for security training: it simulates a fictional company with multiple departmental toolsets and challenge scenarios that demonstrate common attack classes (prompt/tool injection, SQL/command/path injection, privilege escalation, data exfiltration, TOCTOU, etc.).
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Project is explicitly ‘intentionally vulnerable’ and not meant for production. No auth described; multiple tools intentionally allow insecure behaviors for training (e.g., SQL/command/path injection patterns, privilege escalation, exfiltration concepts). TLS details for any HTTP components are not provided. Uses a shared SQLite DB across departments (not isolated). Fake data reduces risk of real sensitive leakage, but the service design is still unsafe if exposed to untrusted parties.
⚡ Reliability
Best When
Used locally or in isolated containers for education and experimentation, with fake/seeded data.
Avoid When
Avoid deploying publicly or sharing the service/DB across untrusted users, since the project explicitly includes vulnerabilities and cross-department data access.
Use Cases
- Hands-on security training for agents using MCP
- Defensive evaluation of agent/tool use under realistic failure modes
- Red-team style exercises in a controlled sandbox
- Building/validating detection and mitigation strategies for agent vulnerabilities
Not For
- Production use or any environment where misuse could cause harm
- Real-world sensitive data access or exfiltration testing against external systems
- Environments requiring strong security boundaries or strict isolation between tool domains
Interface
Authentication
No authentication described for the MCP server or companion services; intended for local/isolated training. If exposed, it would be trivially accessible.
Pricing
Open-source-style educational project; no hosted pricing information provided.
Agent Metadata
Known Gotchas
- ⚠ The MCP server communicates over stdio (JSON-RPC), not HTTP; agents must spawn/connect via an MCP host configuration.
- ⚠ The inspector proxy exists but is an HTTP wrapper around the stdio MCP process; avoid assuming direct HTTP calls to the MCP server.
- ⚠ Difficulty modes intentionally weaken protections (e.g., ‘zero sanitization’ at Beginner), so agent behavior and expected failures vary by mode.
- ⚠ Shared SQLite across departments means cross-domain effects are expected (and intentionally enabled), which can surprise agents relying on isolation.
Alternatives
Scores are editorial opinions as of 2026-03-30.