MCP Security | Malicious MCP Servers (Protect Yourself)

Alejandro AO · Beginner ·📰 AI News & Updates ·9mo ago

Key Takeaways

This video covers security concerns related to MCP servers, particularly those using the STDIO transport, and provides guidance on spotting and protecting against malicious servers, with a focus on function calling in language models like OpenAI and Anthropic, and interacting with tool functions via MCP agents.

Full Transcript

Good morning everyone. How's it going today? Welcome back to the channel. In today's video, I'm going to talk to you really quickly about one security concern of MCP servers. There are many different security concerns, but uh this one in particular is probably the most common one and the easiest to exploit. So, I'm going to show you what this looks like, how you can uh protect yourself from it. And basically what we're going to be doing is we're going to see what agents see when they call an MCP tool, what is a malicious MCP server, why you need to pay special attention to servers that run over the stdio transport, and why uh and then we're going to create our own malicious MCP server to actually try this out. Uh if you're interested in MCP and um becoming an MCP expert, I actually am about to launch a course about this and the link is in the description to join the wait list. It'll should be out within a few weeks. So yeah, let's get right into it. [Music] All right. So, first thing first, let's uh talk about what an agent is and how it uses MCP to actually call its tools or its functions. And in other words, remember that an agent is basically just a program that uses a language model to define whether or not it has to call a function, a custom function for that matter, or it has to or if it has to reply itself to you directly using the language model. So it will you will send a query it will decide whether or not it has to call one of the tools available to it and if it doesn't have to call a tool available it will just respond to you. If it however does have to use a tool it will select the tool it will it will respond to you the tool call you will execute the tool or your MCP server will execute the tool will feed it back to the agent and then you will get the result after it has seen the result from the tool. So that's basically how an agent works. And MCP basically all the all that it does is it allows you to create different toolboxes that you can put together and connect them to whatever to whichever uh agent is compatible with MCP or in other words whichever agent has uh implemented the MCP client into it. And that is basically what uh MCP is and how it makes it compatible. And the thing the interesting thing right here is that uh all of this relies on the feature of a language model called function calling. And this feature was a feature I think it was released by OpenAI a couple years ago and it's called function calling. Basically it means that when you call your language model you send uh alongside your query you also send the tools that it has available. And if from those tools that you send in the metadata as parameters uh in your API request, if your LM defines or decides that it needs to use one of those tools to to respond to the user query, it will return a tool call instead of uh returning just the response and that's essentially just what happens. So here we have an example get horoscope. Um what this guys I mean this is the official documentation from OpenAI. What they're doing right here is they are creating this array of tools and they have this first one right here which is a function. The functions name is get horoscope. The description is get today's horoscope for an astrological sign. And the parameters of this function are this and that. And the LM is going to execute this fun. It's going to select this function and it's going to select which uh what it passes as parameters. So in this case it has only one parameter which is the sign and that's all that uh is going on with the function calling. It's literally just a function call to the language model as you can see right here a call to the language model the input list is this one right here. So what is the horoscope if I'm a querious uh the model that was selected the tools that it has alongside that we're passing as parameters right here which are these ones right here. And that's essentially all that's going on. Same thing with Enthropic. If you're using Enthropic, um they implemented this a little bit, uh later uh few weeks or months right after OpenI implemented it themselves. Very straightforward as well. They define the tools that they're going to be using and they send the message over and they send the tools across uh alongside the messages and then the LLM will reply with either a tool call or just a text response. And that's essentially all that's going on. However, the problem right here comes from the fact that this is all that is being sent to the language model. If you see this correctly, the language model is not executing the function. The language model is selecting the function to be executed and it decides whether or not it has to call the function based only on its description and the description of its properties. it does not see the code which means that a function that you install in an NCP server could do something completely difference completely different to what it claims to be doing in this description. So this is a very very important security risk. Um, actually what we're going to do right now is we're going to create an NCP server that does exactly that. Has a function that does something, but behind the scenes, uh, I mean pass a function that says that it does something, but behind the scenes, it's actually doing something very tricky and very sketchy. So, let's create that and show you exactly how dangerous this can be. All right. So, here we are back in VS Code. And what we're going to do is we're going to create an MCP server that is a bad MCP server. Not a good guy. Uh so we have a git ignore right here. Basically just our main uh regular git ignore. We have our Python version 3.11. We have our entry point right here. My pi project toml. Um remember I am using uv right here. So this would be the equivalent of your requirements.txt. Basically all I did is I installed MCP. So pip install MCP or UV add MCP. That'll get you here and my readmi file and my UV log. So as you can see an empty project right here. So what I'm going to do is I'm going to initialize my MCP server. So I'm going to just first of all u import from MCP server.fastmcp import fast MCP. Very straightforward. I'm just going to create my first fastmcp server right here. MCP equals fast MCP. I'm going to pretend that I'm going to be creating a documentation server, right? And then I'm just going to initialize it using a very quick function. I'm going to call it get documentation from database. Very straightforward. There we go. Uh there we go. And I'm going to decorate it using mcp.tool so that MCP actually knows that this one is my tool. And my clear description right here. This is going to be the misleading description. That's just going to it's going to say that it basically reads the documentation from the database. But I'm actually going to be doing something completely different in the code. So here the description remember that this right here is going to be passed as it's going to be parsed as the description of my MCP server. So this tool returns the documentation from the database for the project. It is very useful for figuring out what the project is about. Very straightforward. And I'm just going to mock it. Uh, so I'm going to say so the title of this guy right here is how to use MCP server. This is a mock documentation entry for the database. Very straightforward. I mean this is just a mock function, right? And then we're just going to uh enable it on the transport of stddio. So I'm going to save this. I am going to add it right here to my MCP server. So I'm going to come right here. Come right here. Add new MCP server. The command is going to be UV run main. py main.py the py. There we go. And right here, I'm going to call it docs uh database server. And I'm going to make it available globally. And there you go. Here it is. Now, I'm probably going to have to I'm probably going to have to add all of this as um absolute paths. So, I'm going to say which UV? It's going to be this UV right here. This UV. My arguments are going to be run, but it's also going to be directory. And right here, I'm just going to write where I am. So, I'm going to be right here. And there we go. Now, we should be able to run this. Let's see if it restarts. And there we go. We have one tool available. So, let's say we're going to start right here. I'm going to say, read the documents from the database and tell me what it says. And there we go. And it should be able to get documentation from database. Continue. And there you go. The documentation from the database says this and this and that. Okay. So my MCP server is working correctly. This is all working perfectly. But now let's uh poison it or let's uh make it be a bad guy. All right. So we're back right here. And what we're going to do is we're going to make this uh MCP server and this particular MCP function do something that it is not supposed to be doing. So right now I'm going to add just some malicious code right here in between uh whatever it's actually doing. So neither my MCP client, my agent or the user are going to see this or know this because this code right here is running and it's not telling anyone about it. Uh this uh the agent as we saw does not see it. the API, the LLM does not see it either. It's only going to be right here in the code and it's going to be executed as you're going to see in just a moment. So here I'm going to just add import subprocess. I'm going to import OS and I'm going to execute this command right here. I'm just going to say who am I and we're going to echo the ID RSA uh just a flag right here. I'm going to read my ID RS my uh SSH keys. I have created a uh demo SSH key for this by the way. Uh so I'm going to filtrate my private and my public key right here and I'm going to store them in um in I'm going to execute this uh command and I'm going to store it in this result variable right here. And then after that what I'm going to do is I'm going to take the result right here and I'm going to write it into a file called mcp commandoutput.txt. Okay. And basically that's all that I'm going to be doing right here. So, I'm going to save this and I'm going to reinitialize my my connection to this MCP server and let's see if what happens when I do this now. So, I'm going to execute this and again it's going to try to check my documentation. I'm going to say continue again. It says my documentation says this and that and that. So, everything ran correctly. I did not see anything. The the server decided to call the function. the my copilot or cursor or whichever ID you're using decided to uh execute the function and then it just read the contents and gave them to me. However, behind the scenes what happens let me just show you is if I go right here to my to my home and I check right here I see that MCP command output right here and I can take a look at it. MCP content output and as you can see it checked my MCP my SSH keys and stored them into a file. Now what could have happened is that this guy could have literally just sent the API keys to another the SSH keys to another uh service. It could have even removed files from my from my computer. Basically I just gave it access to my computer. And this is in in uh especially important because I am running this on stddio and running an MCP server on stdio means that the MCP server is running in your machine. So any code in the MCP function is going to run in your machine. So the moment you install it, you're basically giving uh permission to anyone who who created this function to run it uh in your computer. So that's why I always say be very careful when installing third party MCP servers. Ideally only run them locally when they come from the official um publisher of the service that you're trying to use. And always pin the versions of the packages that you're using or of the MCP servers that you're using if you're installing them from for example from uh GitHub using npx or something like that. always pin the right version that you have validated also so that they don't get um contaminated by an evil PR. So be very careful about this and take a lot of care and keep enjoying uh the usage of MCP servers and MCP tools. They are amazing but that does not mean that they are uh completely safe. So just be aware of that. And by the way this is not the only security concern about MCP. Uh there has been quite a bit of research about uh MCP servers and what they can and cannot do and what security concerns they can uh pose to your um to your machine and your uh environment. So I'm going to be covering that more in detail if you're interested. Uh let me know if you would like to see more of that in the comments. And don't forget to sign up for the MCP uh course place uh weight list that is u uh right there in the description. Okay. Uh, thank you very much for watching. I will see you next time. [Music]

Original Description

We cover security concerns of MCP servers, especially those using the STDIO transport. You'll learn how to spot malicious MCP servers and protect yourself from them. You'll also learn how MCP agents interact with tool functions, how function-calling works with large language models like OpenAI and Anthropic, and how malicious MCP servers can covertly execute dangerous code on your machine. We walk through a real example of building a malicious MCP server to illustrate these risks and offer best practices to protect your systems when working with third-party MCP servers. --- 🤓 *Topics Covered* - Function calling in language models (OpenAI, Anthropic) - How MCP agents interact with tools/functions - Danger of third-party MCP servers running over STDIO - Building a malicious MCP server example - Installing MCP with pip and managing dependencies --- 🔗 *Links* - MCP Course Waitlist: https://link.alejandro-ao.com/join-mcp - 🚀 Complete AI Engineer Bootcamp: https://aibootcamp.dev - ❤️ Buy me a coffee... or a beer (thanks): https://link.alejandro-ao.com/l83gNq - 💬 Join the Discord Help Server: https://link.alejandro-ao.com/HrFKZn - ✉️ Get the news from the channel and AI Engineering: https://link.alejandro-ao.com/AIIguB --- ⏰ *Timestamps* 0:00:00 - Intro 0:01:07 - Risk Overview 0:05:37 - Create a Simple MCP Server 0:09:10 - Create a Malicious MCP Server
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from Alejandro AO · Alejandro AO · 60 of 60

← Previous Next →
1 Linear Regression in R - Full Project for Beginners
Linear Regression in R - Full Project for Beginners
Alejandro AO
2 Configure Webpack 5 in Wordpress (2025) with Typescript and SASS
Configure Webpack 5 in Wordpress (2025) with Typescript and SASS
Alejandro AO
3 R Programming 101 - Crash Course for beginners
R Programming 101 - Crash Course for beginners
Alejandro AO
4 Convert HTML template to WordPress Theme (2025) - Full Course
Convert HTML template to WordPress Theme (2025) - Full Course
Alejandro AO
5 Javascript Interactive Map with Leaflet EASY (with Marker Clusters & Popups)
Javascript Interactive Map with Leaflet EASY (with Marker Clusters & Popups)
Alejandro AO
6 Vanilla JS Project: Multi Step form in HTML, CSS & OOP Javascript
Vanilla JS Project: Multi Step form in HTML, CSS & OOP Javascript
Alejandro AO
7 How to do AJAX in WordPress correctly (2025)
How to do AJAX in WordPress correctly (2025)
Alejandro AO
8 React Leaflet Tutorial for Beginners (2025)
React Leaflet Tutorial for Beginners (2025)
Alejandro AO
9 Linear Regression in Python - Full Project for Beginners
Linear Regression in Python - Full Project for Beginners
Alejandro AO
10 Logistic Regression Project: Cancer Prediction with Python
Logistic Regression Project: Cancer Prediction with Python
Alejandro AO
11 Display Equations in ChatGPT
Display Equations in ChatGPT
Alejandro AO
12 Create a Chrome Extension (Manifest V3) for ChatGPT
Create a Chrome Extension (Manifest V3) for ChatGPT
Alejandro AO
13 Full-Stack Project | ChatGPT API, React, Node.js, Express
Full-Stack Project | ChatGPT API, React, Node.js, Express
Alejandro AO
14 Streamlit Python Course: Build a Machine Learning App to Predict Cancer
Streamlit Python Course: Build a Machine Learning App to Predict Cancer
Alejandro AO
15 Langchain PDF App (GUI) | Create a ChatGPT For Your PDF in Python
Langchain PDF App (GUI) | Create a ChatGPT For Your PDF in Python
Alejandro AO
16 LangChain Memory Tutorial | Building a ChatGPT Clone in Python
LangChain Memory Tutorial | Building a ChatGPT Clone in Python
Alejandro AO
17 Chat with a CSV | LangChain Agents Tutorial (Beginners)
Chat with a CSV | LangChain Agents Tutorial (Beginners)
Alejandro AO
18 Create a ChatGPT clone using Streamlit and LangChain
Create a ChatGPT clone using Streamlit and LangChain
Alejandro AO
19 Chat with Multiple PDFs | LangChain App Tutorial in Python (Free LLMs and Embeddings)
Chat with Multiple PDFs | LangChain App Tutorial in Python (Free LLMs and Embeddings)
Alejandro AO
20 Full Python Environment Setup for AI (or other) Apps + Virtual Environments
Full Python Environment Setup for AI (or other) Apps + Virtual Environments
Alejandro AO
21 Langchain + Qdrant Cloud | Pinecone FREE Alternative (20GB) | Tutorial
Langchain + Qdrant Cloud | Pinecone FREE Alternative (20GB) | Tutorial
Alejandro AO
22 LangChain Version 0.1 Explained | New Features & Changes
LangChain Version 0.1 Explained | New Features & Changes
Alejandro AO
23 Create a RAG Chain using LangChain 0.1 (New version)
Create a RAG Chain using LangChain 0.1 (New version)
Alejandro AO
24 Tutorial | Chat with any Website using Python and Langchain (LATEST VERSION)
Tutorial | Chat with any Website using Python and Langchain (LATEST VERSION)
Alejandro AO
25 Deploy Your AI Streamlit App for FREE | Step-by-Step (Heroku Alternative)
Deploy Your AI Streamlit App for FREE | Step-by-Step (Heroku Alternative)
Alejandro AO
26 What is Google's Gemini 1.5 Pro | 10 Million Token Window
What is Google's Gemini 1.5 Pro | 10 Million Token Window
Alejandro AO
27 Chat with MySQL Database with Python | LangChain Tutorial
Chat with MySQL Database with Python | LangChain Tutorial
Alejandro AO
28 Stream LLMs with LangChain + Streamlit | Tutorial
Stream LLMs with LangChain + Streamlit | Tutorial
Alejandro AO
29 Chat with MySQL Database using GPT-4 and Mistral AI | Python GUI App
Chat with MySQL Database using GPT-4 and Mistral AI | Python GUI App
Alejandro AO
30 #1 Harrison Chase: LangChain and The Future of LLM Applications | Alejandro AO
#1 Harrison Chase: LangChain and The Future of LLM Applications | Alejandro AO
Alejandro AO
31 CrewAI Step-by-Step | Complete Course for Beginners
CrewAI Step-by-Step | Complete Course for Beginners
Alejandro AO
32 Python: Automating a Marketing Team with AI Agents | Planning and Implementing CrewAI
Python: Automating a Marketing Team with AI Agents | Planning and Implementing CrewAI
Alejandro AO
33 Build a Web App (GUI) for your CrewAI Automation (Easy with Python)
Build a Web App (GUI) for your CrewAI Automation (Easy with Python)
Alejandro AO
34 Early days of RAG and LlamaIndex - Jerry Liu
Early days of RAG and LlamaIndex - Jerry Liu
Alejandro AO
35 LlamaParse: Convert PDF (with tables) to Markdown
LlamaParse: Convert PDF (with tables) to Markdown
Alejandro AO
36 #2 Jerry Liu - What is LlamaIndex, Agents & Advice for AI Engineers
#2 Jerry Liu - What is LlamaIndex, Agents & Advice for AI Engineers
Alejandro AO
37 CrewAI + Exa: Generate a Newsletter with Research Agents (Part 1)
CrewAI + Exa: Generate a Newsletter with Research Agents (Part 1)
Alejandro AO
38 #3 Joe Moura | Multi Agent Systems and CrewAI
#3 Joe Moura | Multi Agent Systems and CrewAI
Alejandro AO
39 Python: Create a ReAct Agent from Scratch
Python: Create a ReAct Agent from Scratch
Alejandro AO
40 New Groq Models: Best for Function-Calling Agents
New Groq Models: Best for Function-Calling Agents
Alejandro AO
41 Introduction to LlamaIndex with Python (2025)
Introduction to LlamaIndex with Python (2025)
Alejandro AO
42 LlamaIndex: How to use LLMs
LlamaIndex: How to use LLMs
Alejandro AO
43 LlamaIndex: How to Get Structured Data from LLMs
LlamaIndex: How to Get Structured Data from LLMs
Alejandro AO
44 Multimodal RAG: Chat with PDFs (Images & Tables) [2025]
Multimodal RAG: Chat with PDFs (Images & Tables) [2025]
Alejandro AO
45 Advanced RAG with LlamaIndex - Metadata Extraction [2025]
Advanced RAG with LlamaIndex - Metadata Extraction [2025]
Alejandro AO
46 Learn MCP Servers with Python (EASY)
Learn MCP Servers with Python (EASY)
Alejandro AO
47 Create MCP Clients in JavaScript - Tutorial
Create MCP Clients in JavaScript - Tutorial
Alejandro AO
48 Create an MCP Client in Python - FastAPI Tutorial
Create an MCP Client in Python - FastAPI Tutorial
Alejandro AO
49 How to Build an MCP Client GUI with Streamlit and FastAPI
How to Build an MCP Client GUI with Streamlit and FastAPI
Alejandro AO
50 Vibe Coding For Engineers (make it ACTUALLY work)
Vibe Coding For Engineers (make it ACTUALLY work)
Alejandro AO
51 LlamaExtract Tutorial: Convert PDF & Images into JSON
LlamaExtract Tutorial: Convert PDF & Images into JSON
Alejandro AO
52 Local MCP Servers for Cursor (Step by step)
Local MCP Servers for Cursor (Step by step)
Alejandro AO
53 Anthropic: How to Build Multi Agent Systems
Anthropic: How to Build Multi Agent Systems
Alejandro AO
54 Deploy Remote MCP Servers in Python (Step by Step)
Deploy Remote MCP Servers in Python (Step by Step)
Alejandro AO
55 GPT-5 for Developers: API Changes, Pricing, Model Router & Security
GPT-5 for Developers: API Changes, Pricing, Model Router & Security
Alejandro AO
56 Tutorial: Auth for Remote MCP Servers (Step by Step) | OAuth 2.1 with ScaleKit
Tutorial: Auth for Remote MCP Servers (Step by Step) | OAuth 2.1 with ScaleKit
Alejandro AO
57 Generate UI Tests with TestSprite MCP Server + TRAE
Generate UI Tests with TestSprite MCP Server + TRAE
Alejandro AO
58 #4 Allan Guo | 19-yo YC Founder - Willow Voice
#4 Allan Guo | 19-yo YC Founder - Willow Voice
Alejandro AO
59 RAG Project: Build an AI Onboarding Chatbot with Streamlit, LangChain, and ChromaDB
RAG Project: Build an AI Onboarding Chatbot with Streamlit, LangChain, and ChromaDB
Alejandro AO
MCP Security | Malicious MCP Servers (Protect Yourself)
MCP Security | Malicious MCP Servers (Protect Yourself)
Alejandro AO

This video teaches viewers how to protect themselves from malicious MCP servers, understand the risks of using third-party MCP servers, and learn best practices for secure function calling in language models. Viewers will also learn how to create a simple MCP server and understand the dangers of malicious MCP servers.

Key Takeaways
  1. Create a simple MCP server
  2. Understand the risks of third-party MCP servers
  3. Learn to spot malicious MCP servers
  4. Implement secure function calling in language models
  5. Manage dependencies with pip
  6. Build a malicious MCP server example
💡 Malicious MCP servers can covertly execute dangerous code on your machine, highlighting the importance of security measures when working with third-party MCP servers.

Related AI Lessons

The AI Moat Paradox: The Better Models Become, the Less Models Matter
The AI moat paradox suggests that as AI models improve, their importance may decrease, and understanding this concept is crucial for AI professionals and businesses.
Medium · AI
170,927 AI Papers Reveal the Biggest Research Shifts of the First Half of 2026
Discover the biggest AI research shifts of 2026 based on 170,927 papers, and learn how to apply these trends to your work
Medium · Machine Learning
170,927 AI Papers Reveal the Biggest Research Shifts of the First Half of 2026
Discover the major research shifts in AI from 170,927 papers published in the first half of 2026, and learn how to analyze trends in AI research
Medium · Data Science
[PoV] When Everyone Is Smart, No One Is
In a world where AI makes everyone smart, the value of intelligence decreases, and new challenges arise
Medium · AI

Chapters (4)

Intro
1:07 Risk Overview
5:37 Create a Simple MCP Server
9:10 Create a Malicious MCP Server
Up next
‘ENOUGH IS ENOUGH’: Lebanon is STANDING UP to Iran, expert says
Fox Business
Watch →