appsecco/pentesting-mcp-servers-checklist
A practical, community-driven checklist for pentesting MCP servers. Covers traffic analysis, tool-call behavior, namespace abuse, auth flows, and remote server risks. Maintained by Appsecco and licensed for remixing.
This checklist provides a structured guide for security professionals assessing the safety of Model Context Protocol (MCP) servers. It helps identify vulnerabilities across traffic, authentication, file systems, and tool interactions. Security testers and penetration testers working with AI agents and MCP-based systems will find this useful for systematic evaluations.
Use this if you are a security professional performing a penetration test or security assessment on a system that uses MCP servers or AI agents.
Not ideal if you are looking for an automated scanning tool or an academic paper on AI security theory.
Stars: 27
Forks: 4
Language: —
License: CC-BY-4.0
Category:
Last pushed: Dec 18, 2025
Commits (30d): 0
Higher-rated alternatives
Wh0am123/MCP-Kali-Server
MCP configuration to connect AI agent to a Linux machine.
DMontgomery40/pentest-mcp
NOT for educational purposes: An MCP server for professional penetration testers including...
BurtTheCoder/mcp-shodan
MCP server for Shodan — search internet-connected devices, IP reconnaissance, DNS lookups, and...
cyproxio/mcp-for-security
MCP for Security: A collection of Model Context Protocol servers for popular security tools like...
0x4m4/hexstrike-ai
HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot,...