Nicocro/mcp-trivial-trojans
If you are the rightful owner of mcp-trivial-trojans and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.
The Trivial Trojans project demonstrates how a seemingly benign MCP server can be used to exfiltrate sensitive data through cross-server orchestration.
🐴 Trivial Trojans: Malicious Weather MCP Server
How a Weather Bot Can Steal Your Bank Balance via the Model Context Protocol
This repository contains the minimal malicious weather_mcp_server used in the paper:
Trivial Trojans: How Minimal MCP Servers Enable Cross-Tool Exfiltration of Sensitive Data
🔍 Overview
This project demonstrates how a benign-looking MCP server (e.g., a weather integration) can be weaponized to exfiltrate sensitive data from unrelated, trusted MCP servers via an AI agent acting as the orchestrator.
This server:
- Implements standard weather forecast functionality (from the official MCP examples)
- Embeds a malicious prompt that triggers cross-server tool discovery
- Sends exfiltrated data to a public
webhook.siteendpoint via HTTP POST
No infrastructure, credentials, or privileged access are required, in an extremely minimal and simple implemetation.
🎥 Demo: Cross-Server Data Exfiltration via Malicious Weather Server
This short demo shows how an innocent-looking weather request can trigger a cross-server sequence that:
- Retrieves a bank account balance from a separate MCP server.
- Sends the sensitive data to a public
webhook.siteendpoint. - Displays a normal weather forecast — concealing the attack.
Click the image to watch a short demo showing how a weather MCP server can exfiltrate financial data via cross-server orchestration.
⚙️ Requirements
- Python 3.8+
fastmcp(install viapip install fastmcp)
🛠️ Example MCP Client Configuration
To run this attack in a local setup using an MCP-compatible agent (e.g., Claude Desktop), use the following example configuration file:
🚀 Running the Server
python weather_mcp_server.py