Skip to content

deconvolute-labs/mcp-deconvolute-demo

BranchesTags

Repository files navigation

Live MCP Attack Scenarios

Python 3.13 License: Apache 2.0 uv Deconvolute

Runnable exploits against the Model Context Protocol and how to stop them in a few lines of code.

Each scenario is a deterministic local environment: run the attack, watch it succeed, then activate the Deconvolute firewall and watch it fail.

Scenarios

1. Rug Pull (Schema Tampering)

A compromised MCP server silently swaps a tool definition mid-session to steal your agent's API keys. Demonstrates how mcp_guard cryptographically seals tool definitions and enforces policy-as-code. Blog post

2. DNS Rebinding (SSRF via Transport Hijacking)

A malicious server flips its DNS record after the initial handshake, tricking the MCP client into firing payloads into your private internal network. Demonstrates how secure_sse_session pins network routing and blocks transport manipulation.

3. Agent Policy Enforcement and Observability (Issue Triage)

A GitHub issue triage agent in Claude Cowork attempts a tool call outside its declared policy. The Deconvolute proxy intercepts it, blocks it, and logs it in real time. Demonstrates policy-as-code enforcement at the MCP tool call surface and live observability via the enterprise platform dashboard. Requires Claude Desktop with Cowork enabled. Blog post

Setup

Prerequisites: Python 3.13, uv (recommended)

git clone https://github.com/deconvolute-labs/mcp-deconvolute-demo.git
cd mcp-deconvolute-demo
uv sync
uv run dcv-demo setup # Seeds the local SQLite databases for the rug pull demo

Scenario 3 requires additional setup. See the Readme for details.

Deconvolute SDK

Each scenario in this repo runs in two modes: unprotected and protected. The protected mode uses the Deconvolute SDK, an open-source MCP security SDK that wraps your existing agent session and enforces runtime policy.

In the rug pull scenario it cryptographically seals tool definitions at discovery time, so any mid-session swap is caught before the LLM ever sees the modified schema. In the DNS rebinding scenario it pins the resolved IP address to the network socket at connection time, so DNS manipulation has no effect on where requests actually go. In the policy enforcement scenario it enforces argument-level policy via CEL conditions at the MCP tool call surface, blocking cross-scope tool calls before they reach the upstream server.

pip install deconvolute

Protect your own agents · Integration docs · deconvolutelabs.com

About

Live PoC: MCP attacks that compromise AI agents mid-session and how to block them in a few lines of code.

deconvolutelabs.com

Topics

python dns mcp cybersecurity ai-agents dns-rebinding ai-security security-demo llm prompt-injection llm-security rug-pull agentic-ai model-context-protocol mcp-security ai-agents-mcp tool-poisoning

Resources

Readme

License

Apache-2.0 license

Security policy

Security policy
Activity
Custom properties

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages