mcp-auth-exploitation
OfficialExploit MCP auth and OAuth DCR vulnerabilities.
Authordreadnode
Version1.0.0
Installs0
System Documentation
What problem does it solve?
This Skill addresses critical security gaps in MCP authorization implementations and OIDC Dynamic Client Registration (RFC 7591) flows that expose applications to SSRF, unauthorized client registration, and token abuse attacks in multi-agent systems.
Core Features & Use Cases
- MCP CIMD SSRF Testing: Exploit client_manifest_uri, logo_uri, and jwks_uri fields to trigger server-side outbound requests to internal or cloud metadata endpoints.
- OAuth DCR Abuse: Identify open or semi-open dynamic client registration endpoints to create rogue clients, steal authorization codes, and escalate token privileges.
- Confused Deputy Detection: Test multi-agent token delegation flows for missing scope reduction and audience binding to identify cross-service access bypasses.
- Use Case: Red teams testing MCP-enabled services, OAuth-secured multi-agent applications, and OIDC providers can use this Skill to map authorization attack surfaces and validate exploitability of registration and token delegation flaws.
Quick Start
Use the mcp-auth-exploitation skill to test your target's MCP authorization endpoint for SSRF via client_manifest_uri and verify if the dynamic client registration endpoint permits unauthenticated rogue client creation.
Dependency Matrix
Required Modules
None requiredComponents
Standard package💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: mcp-auth-exploitation Download link: https://github.com/dreadnode/capabilities/archive/main.zip#mcp-auth-exploitation Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.