{
  "id": "praetorian-inc-mcphammer",
  "name": "MCPHammer",
  "homepage": null,
  "repo_url": "https://github.com/praetorian-inc/MCPHammer",
  "category": "security",
  "subcategories": [],
  "tags": ["ai-ml", "mcp", "fastmcp", "python", "ai-security", "red-team", "security-testing", "automation", "api", "web-ui"],
  "what_it_does": "MCPHammer is a Python-based Model Context Protocol (MCP) server (FastMCP over HTTP) that exposes multiple MCP tools, including an Anthropic/Claude query tool, local file execution, URL-based download-and-execute, server info/health endpoints, and configurable “injection” text plus remote management via a separate configuration server. It also supports session logging and a web UI for managing instances and updating configuration (e.g., injection text and init URL).",
  "use_cases": [
    "Running an MCP server with HTTP transport for tool-based agent workflows",
    "Testing and validating MCP server behavior and prompt-injection style “injection text” mechanisms",
    "Integrating Anthropic/Claude model calls as an MCP tool",
    "Centralized remote management of multiple MCPHammer instances (health, configuration updates, telemetry)",
    "Server-side endpoint management (set/get extra note and init URL)",
    "Security research/assessment of MCP servers (as implied by the project framing)"
  ],
  "not_for": [
    "Production deployment handling untrusted prompts or confidential data without strong isolation and authorization",
    "Environments where remote endpoints must be protected against unauthorized configuration changes",
    "Systems that cannot tolerate risky capabilities like URL download and optional local execution",
    "Use by automated agents without strict allow-listing, sanitization, and hardened network/file permissions"
  ],
  "best_when": "You control the deployment environment (network, filesystem permissions, and who can call management endpoints) and you need an MCP tool server plus remote configuration management for testing or controlled workflows.",
  "avoid_when": "You need a secure, least-privilege MCP tool server for untrusted users/agents, or you plan to run it with open management endpoints/public access without authentication and robust controls—especially given download-and-execute and injection/config update features.",
  "alternatives": [
    "Safer, least-privilege MCP servers that avoid arbitrary download/execute (or gate them behind strict allow-lists)",
    "MCP servers that rely on managed tool execution environments/sandboxes (containers)",
    "General-purpose agent tool frameworks with explicit policy controls (e.g., function calling with authorization middleware)",
    "Use of the Anthropic API directly from your application rather than via an MCP tool when you don’t need MCP transport"
  ],
  "af_score": 34.0,
  "security_score": 23.5,
  "reliability_score": 5.0,
  "package_type": "mcp_server",
  "discovery_source": ["github"],
  "priority": "high",
  "status": "evaluated",
  "version_evaluated": null,
  "last_evaluated": "2026-03-30T15:30:23.867883+00:00",
  "interface": {
    "has_rest_api": true,
    "has_graphql": false,
    "has_grpc": false,
    "has_mcp_server": true,
    "mcp_server_url": "http://localhost:3000/ (FastMCP HTTP transport per README)",
    "has_sdk": false,
    "sdk_languages": [],
    "openapi_spec_url": null,
    "webhooks": false
  },
  "auth": {
    "methods": ["Environment variable for Anthropic API key (ANTHROPIC_API_KEY) to use ask_claude tool"],
    "oauth": false,
    "scopes": false,
    "notes": "README describes no authentication/authorization for MCP HTTP endpoints or the remote management/config server endpoints. Tool execution features (execute_file, download_and_execute, remote injection/init-url updates) appear callable without documented auth controls."
  },
  "pricing": {
    "model": null,
    "free_tier_exists": false,
    "free_tier_limits": null,
    "paid_tiers": [],
    "requires_credit_card": false,
    "estimated_workload_costs": null,
    "notes": "Costs depend on Anthropic API usage when ask_claude is invoked; no pricing model for the server itself is described."
  },
  "requirements": {
    "requires_signup": false,
    "requires_credit_card": false,
    "domain_verification": false,
    "data_residency": [],
    "compliance": [],
    "min_contract": null
  },
  "agent_readiness": {
    "af_score": 34.0,
    "security_score": 23.5,
    "reliability_score": 5.0,
    "mcp_server_quality": 55.0,
    "documentation_accuracy": 65.0,
    "error_message_quality": 0.0,
    "error_message_notes": null,
    "auth_complexity": 15.0,
    "rate_limit_clarity": 5.0,
    "tls_enforcement": 20.0,
    "auth_strength": 10.0,
    "scope_granularity": 5.0,
    "dependency_hygiene": 40.0,
    "secret_handling": 50.0,
    "security_notes": "Key risks from the README: (1) Arbitrary file execution (execute_file) and URL download with optional execution (download_and_execute) are dangerous if exposed to untrusted callers; (2) Remote management supports changing injection text and init URL, which could be abused without authentication (no auth is documented); (3) The project mentions session logging and telemetry collection, which can inadvertently store/exfiltrate sensitive data; (4) TLS/secure transport, request authentication, authorization, rate limits, and input validation are not described in the README, reducing overall security posture. Dependency hygiene and exact security controls cannot be verified from the provided content.",
    "uptime_documented": 0.0,
    "version_stability": 0.0,
    "breaking_changes_history": 0.0,
    "error_recovery": 20.0,
    "idempotency_support": "false",
    "idempotency_notes": "No idempotency guidance is provided for HTTP endpoints or tools (e.g., execute_file/download_and_execute and config update operations).",
    "pagination_style": "none",
    "retry_guidance_documented": false,
    "known_agent_gotchas": [
      "Injection text mechanism can alter tool outputs; ensure agents understand and handle it safely.",
      "download_and_execute/execute_file capabilities are high-risk—agents should not call them unless heavily constrained.",
      "Remote management endpoints allow configuration changes; without auth, an agent or attacker could potentially change injection/init URL.",
      "Session logging may persist sensitive content; agents should consider data minimization."
    ]
  }
}