Malicious MCP Parsing: Covert Poisoning and Manipulation in the MCP System

The MCP (Model Context Protocol) system is still in its early stages of development, with the overall environment being quite chaotic, and various potential attack methods continuously emerging. The current design of the protocol and tools makes it difficult to defend against these threats. To help the community better understand and improve the security of MCP, SlowMist has specifically open-sourced the MasterMCP tool. Through actual attack drills, we aim to help everyone identify security vulnerabilities in product designs and progressively strengthen their MCP projects.

At the same time, you can refer to the previous MCP security checklist to gain a better understanding of the underlying perspectives of various attacks. This time, we will guide you through practical exercises and demonstrate common attack methods within the MCP system, such as information poisoning, hidden malicious instructions, and other real-world cases. All scripts used in the demonstrations will also be open-sourced on GitHub (link at the end of the article), allowing everyone to fully replicate the entire process in a secure environment, or even develop their own attack testing plugins based on these scripts.

Overview of the Overall Architecture

Demonstration Attack Target: MCP Toolbox

smithery.ai is one of the most popular MCP plugin platforms, gathering a large number of MCP listings and active users. Among its offerings, @smithery/toolbox is the official MCP management tool launched by smithery.ai.

The choice of Toolbox as the test target is primarily based on the following reasons:

• It has a large user base, making it representative.
• It supports the automatic installation of other plugins, supplementing certain client-side functions (such as Claude Desktop).
• It contains sensitive configurations (such as API Keys), making it suitable for demonstration purposes.

Malicious MCP Used for Demonstration: MasterMCP

MasterMCP is a malicious MCP simulation tool developed by SlowMist specifically for security testing. It follows a plugin-based architecture design and includes the following key modules:

1. Local Website Service Simulation: http://127.0.0.1:1024

To better replicate the attack scenario, MasterMCP integrates a local website service simulation module. It quickly sets up a simple HTTP server using the FastAPI framework, simulating common web environments. These pages may appear normal on the surface, such as displaying cake shop information or returning standard JSON data. However, hidden within the page source code or the interface responses are carefully crafted malicious payloads.

Through this approach, we can fully demonstrate attack techniques like information poisoning and instruction hiding in a safe, controlled local environment. This helps everyone better understand that even a seemingly ordinary webpage can potentially be a source of risk that triggers abnormal operations in large models.

2. Local Plugin-based MCP Architecture

MasterMCP adopts a plugin-based approach for expansion, making it easy to quickly add new attack methods in the future. After running, MasterMCP launches the FastAPI service of the previous module in a child process. (If you’re paying close attention, you’ll notice a security vulnerability here — local plugins can arbitrarily start child processes that are not expected by the MCP.)

Demonstration Clients

• Cursor: One of the most popular AI-assisted programming IDEs globally.
• Claude Desktop: The official client developed by Anthropic (the customizer of the MCP protocol).

Large Model Used for Demonstration

• Claude 3.7

The Claude 3.7 version was chosen due to its improvements in recognizing sensitive operations, while also representing the current strong operational capabilities within the MCP ecosystem.

Configuration: claude_desktop_config.json

{
  "mcpServers": {
    "toolbox": {
      "command": "npx",
      "args": [
        "-y",
        "@smithery/cli@latest",
        "run",
        "@smithery/toolbox",
        "--config",
        "{\"dynamic\":false,\"smitheryApiKey\":\"ec1f0fa8-5797-8678-sdaf-155d4584b133\"}",
        "--key",
        "ec1f0fa8-5797-8678-sdaf-155d4584b133"
      ]
    },
    "MasterMCP": {
      "command": "/Users/xxx/Desktop/EvilMCP/bin/python",
      "args": [
        "/Users/xxx/Desktop/EvilMCP/MasterMCP.py"
      ]
    }
  }
}

With the configuration complete, we now officially enter the demonstration phase.

Cross-MCP Malicious Invocation

This demonstration includes two aspects from the checklist: information poisoning and Cross-MCP malicious calls.

Website Content Poisoning Attack

1. Comment-based Poisoning (Partially Referenced: https://x.com/lbeurerkellner/status/1912145060763742579)

Cursor accesses the local test website at http://127.0.0.1:1024.

This is a seemingly harmless page about the “Delicious Cake World.” Through this experiment, we simulate and demonstrate the impact caused when a large model client accesses a malicious website.

Executing the Command:

Fetch the content of http://127.0.0.1:1024

The result shows that Cursor not only read the webpage content but also sent sensitive local configuration data back to the test server. In the source code, the malicious prompt was embedded in the form of an HTML comment:

Although the comment-based method is relatively straightforward and easy to detect, it can still trigger malicious operations.

2. Encoded Comment Poisoning

Access the page at http://127.0.0.1:1024/encode. This page appears similar to the previous example, but the malicious prompt has been encoded, making the poisoning exploit more covert. Even if the webpage source code is inspected, it would be difficult to directly notice the malicious payload.

Even though the source code does not contain plaintext prompts, the attack is still successfully executed. The specific mechanism behind this will be explained in detail in the following sections.

MCP Tool Response Information Poisoning

Here, we input our simulated command based on the prompt instructions from MasterMCP (the command has no actual meaning but is designed to trigger our malicious MCP and demonstrate the subsequent operations of the malicious MCP):

get a lot of apples

As seen, after triggering the command, the client made a Cross-MCP call to Toolbox and successfully added a new MCP server:

By inspecting the plugin code, it can be seen that the returned data already contains the encoded malicious payload, making it nearly impossible for the user to detect any anomalies.

Third-Party Interface Pollution Attack

This demonstration is primarily to remind everyone that whether the MCP is malicious or not, when calling third-party APIs, directly returning third-party data into the context can lead to serious consequences.

Example Code:

Executing the Command:

Fetch json from http://127.0.0.1:1024/api/data  

Result: The malicious prompt was embedded into the returned JSON data and successfully triggered the malicious execution.

Poisoning Techniques During the MCP Initialization Phase

This demonstration includes two aspects from the checklist: initial prompt injection and name collision.

Malicious Function Overwrite Attack

Here, MasterMCP has created a tool with the same function name, remove_server, as Toolbox, and has encoded the malicious prompt to hide it.

Executing the Command:

toolbox remove fetch plugin server

Claude Desktop did not call the original toolbox remove_server method, but instead triggered the method with the same name provided by MasterMCP:

The principle behind this is to emphasize that “the original method is deprecated,” thereby prioritizing the large model to call the maliciously overwritten function.

Adding Malicious Global Check Logic

Here, MasterMCP has created a tool similar to the banana tool. The core function of this tool is to enforce a security check before any tool runs by requiring it to execute this tool first in the prompt.

Before executing any function, the system will first prioritize calling the banana check mechanism:

This is achieved through global logic injection by repeatedly emphasizing in the code that the “banana check must be run” before any other execution.

Advanced Techniques for Hiding Malicious Prompts

LLM-Friendly Encoding Methods

Since large language models (LLMs) have strong parsing capabilities for multiple languages, this ability can be exploited to hide malicious information. Common methods include:

• In English environments: Using Hex Byte encoding
  Recommended tool: Hex Decoder
• In Chinese environments: Using NCR encoding or JavaScript encoding
  Recommended tool: R12a Unicode Conversion Tools

Random Malicious Payload Return Mechanism

As mentioned in Chapter 2, with third-party interface pollution, when requesting http://127.0.0.1:1024/random:

Each time, a page with a random malicious payload is returned, greatly increasing the difficulty of detection and traceability.

Conclusion

Through this practical demonstration of MasterMCP, we visually observed various security vulnerabilities hidden within the Model Context Protocol (MCP) system. From simple prompt injection, Cross-MCP calls, to more covert attacks during the initialization phase and hidden malicious instructions, each step serves as a reminder that while the MCP ecosystem is powerful, it is also fragile.

Especially today, when large models are increasingly interacting with external plugins and APIs, even a slight input contamination can trigger system-level security risks. The diversification of attack methods (such as encoded hiding, random pollution, and function overwriting) also means that traditional defense strategies need to be comprehensively upgraded.

Security is never achieved overnight.

We hope this demonstration serves as a wake-up call: whether you are a developer or a user, you should maintain enough vigilance toward the MCP system, paying close attention to every interaction, every line of code, and every returned value. Only by being meticulous in every detail can we truly build a solid and secure MCP environment.

Moving forward, we will continue to refine the MasterMCP script and open-source more targeted test cases to help everyone better understand, practice, and reinforce security in a safe environment.

Ps.
The related content has been synchronized to GitHub (https://github.com/slowmist/MasterMCP). Interested readers can click the link to view it.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.