Documentation
¶
Overview ¶
Filesystem Escape tests MCP filesystem/git sandbox escape vectors.
WARNING: These tests should only be run in isolated sandboxed environments (Docker/chroot), never against the host filesystem.
Source: Adversa AI
MCP Supply Chain attacks target malicious MCP server/package distribution.
Source: Practical DevSecOps, CVE-2025-6514 pattern
Sampling Injection exploits the MCP sampling API to inject prompts.
Source: Unit 42 MCP sampling research
Package mcp implements attacks targeting the Model Context Protocol.
MCP enables LLM agents to interact with external tools and data sources. These attacks exploit the trust relationship between agents and MCP servers through tool description manipulation, sampling API injection, supply chain attacks, and sandbox escapes.
Index ¶
- type FilesystemEscapeModule
- func (m *FilesystemEscapeModule) Category() common.AttackCategory
- func (m *FilesystemEscapeModule) Description() string
- func (m *FilesystemEscapeModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *FilesystemEscapeModule) Name() string
- func (m *FilesystemEscapeModule) Techniques() []common.TechniqueInfo
- type MCPSupplyChainModule
- func (m *MCPSupplyChainModule) Category() common.AttackCategory
- func (m *MCPSupplyChainModule) Description() string
- func (m *MCPSupplyChainModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *MCPSupplyChainModule) Name() string
- func (m *MCPSupplyChainModule) Techniques() []common.TechniqueInfo
- type SamplingInjectionModule
- func (m *SamplingInjectionModule) Category() common.AttackCategory
- func (m *SamplingInjectionModule) Description() string
- func (m *SamplingInjectionModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *SamplingInjectionModule) Name() string
- func (m *SamplingInjectionModule) Techniques() []common.TechniqueInfo
- type ToolPoisoningModule
- func (m *ToolPoisoningModule) Category() common.AttackCategory
- func (m *ToolPoisoningModule) Description() string
- func (m *ToolPoisoningModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *ToolPoisoningModule) Name() string
- func (m *ToolPoisoningModule) Techniques() []common.TechniqueInfo
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type FilesystemEscapeModule ¶
type FilesystemEscapeModule struct{}
FilesystemEscapeModule implements MCP filesystem/git sandbox escapes.
func (*FilesystemEscapeModule) Category ¶
func (m *FilesystemEscapeModule) Category() common.AttackCategory
func (*FilesystemEscapeModule) Description ¶
func (m *FilesystemEscapeModule) Description() string
func (*FilesystemEscapeModule) Execute ¶
func (m *FilesystemEscapeModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*FilesystemEscapeModule) Name ¶
func (m *FilesystemEscapeModule) Name() string
func (*FilesystemEscapeModule) Techniques ¶
func (m *FilesystemEscapeModule) Techniques() []common.TechniqueInfo
type MCPSupplyChainModule ¶
type MCPSupplyChainModule struct{}
MCPSupplyChainModule implements malicious MCP server/package attacks.
func (*MCPSupplyChainModule) Category ¶
func (m *MCPSupplyChainModule) Category() common.AttackCategory
func (*MCPSupplyChainModule) Description ¶
func (m *MCPSupplyChainModule) Description() string
func (*MCPSupplyChainModule) Execute ¶
func (m *MCPSupplyChainModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*MCPSupplyChainModule) Name ¶
func (m *MCPSupplyChainModule) Name() string
func (*MCPSupplyChainModule) Techniques ¶
func (m *MCPSupplyChainModule) Techniques() []common.TechniqueInfo
type SamplingInjectionModule ¶
type SamplingInjectionModule struct{}
SamplingInjectionModule implements prompt injection via the MCP sampling API.
func (*SamplingInjectionModule) Category ¶
func (m *SamplingInjectionModule) Category() common.AttackCategory
func (*SamplingInjectionModule) Description ¶
func (m *SamplingInjectionModule) Description() string
func (*SamplingInjectionModule) Execute ¶
func (m *SamplingInjectionModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*SamplingInjectionModule) Name ¶
func (m *SamplingInjectionModule) Name() string
func (*SamplingInjectionModule) Techniques ¶
func (m *SamplingInjectionModule) Techniques() []common.TechniqueInfo
type ToolPoisoningModule ¶
type ToolPoisoningModule struct{}
ToolPoisoningModule manipulates MCP tool metadata/descriptions to cause LLM agents to invoke compromised tools.
Source: Palo Alto Unit 42
func (*ToolPoisoningModule) Category ¶
func (m *ToolPoisoningModule) Category() common.AttackCategory
func (*ToolPoisoningModule) Description ¶
func (m *ToolPoisoningModule) Description() string
func (*ToolPoisoningModule) Execute ¶
func (m *ToolPoisoningModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*ToolPoisoningModule) Name ¶
func (m *ToolPoisoningModule) Name() string
func (*ToolPoisoningModule) Techniques ¶
func (m *ToolPoisoningModule) Techniques() []common.TechniqueInfo