{"id":"kyze-labs-damn-vulnerable-mcp-server","name":"damn-vulnerable-MCP-Server","homepage":null,"repo_url":"https://github.com/Kyze-Labs/damn-vulnerable-MCP-Server","category":"ai-ml","subcategories":[],"tags":["mcp","security-training","vulnerable-by-design","agent-security","python","json-rpc","training","ctf"],"what_it_does":"An intentionally vulnerable Model Context Protocol (MCP) server and companion web tools (inspector, dashboard, exfil listener) for security training: it simulates a fictional company with multiple departmental toolsets and challenge scenarios that demonstrate common attack classes (prompt/tool injection, SQL/command/path injection, privilege escalation, data exfiltration, TOCTOU, etc.).","use_cases":["Hands-on security training for agents using MCP","Defensive evaluation of agent/tool use under realistic failure modes","Red-team style exercises in a controlled sandbox","Building/validating detection and mitigation strategies for agent vulnerabilities"],"not_for":["Production use or any environment where misuse could cause harm","Real-world sensitive data access or exfiltration testing against external systems","Environments requiring strong security boundaries or strict isolation between tool domains"],"best_when":"Used locally or in isolated containers for education and experimentation, with fake/seeded data.","avoid_when":"Avoid deploying publicly or sharing the service/DB across untrusted users, since the project explicitly includes vulnerabilities and cross-department data access.","alternatives":["General-purpose MCP servers you control and harden yourself","Security-focused sandbox frameworks (CTFs) that do not include intentionally exploitable agent behaviors","Custom minimal MCP tool servers with strict input validation and no intentional vulnerability modes"],"af_score":60.5,"security_score":24.0,"reliability_score":31.2,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:55:28.362088+00:00","interface":{"has_rest_api":true,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":[],"oauth":false,"scopes":false,"notes":"No authentication described for the MCP server or companion services; intended for local/isolated training. If exposed, it would be trivially accessible."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Open-source-style educational project; no hosted pricing information provided."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":60.5,"security_score":24.0,"reliability_score":31.2,"mcp_server_quality":55.0,"documentation_accuracy":70.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":95.0,"rate_limit_clarity":60.0,"tls_enforcement":10.0,"auth_strength":5.0,"scope_granularity":10.0,"dependency_hygiene":45.0,"secret_handling":60.0,"security_notes":"Project is explicitly ‘intentionally vulnerable’ and not meant for production. No auth described; multiple tools intentionally allow insecure behaviors for training (e.g., SQL/command/path injection patterns, privilege escalation, exfiltration concepts). TLS details for any HTTP components are not provided. Uses a shared SQLite DB across departments (not isolated). Fake data reduces risk of real sensitive leakage, but the service design is still unsafe if exposed to untrusted parties.","uptime_documented":0.0,"version_stability":40.0,"breaking_changes_history":50.0,"error_recovery":35.0,"idempotency_support":"false","idempotency_notes":"No explicit idempotency guarantees described. Many training tools likely perform state changes (e.g., DB writes) depending on difficulty/challenge.","pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["The MCP server communicates over stdio (JSON-RPC), not HTTP—agents must spawn/connect via an MCP host configuration.","The inspector proxy exists but is an HTTP wrapper around the stdio MCP process; avoid assuming direct HTTP calls to the MCP server.","Difficulty modes intentionally weaken protections (e.g., ‘zero sanitization’ at Beginner), so agent behavior and expected failures vary by mode.","Shared SQLite across departments means cross-domain effects are expected (and intentionally enabled), which can surprise agents relying on isolation."]}}