This example is a tiny deterministic MCP server that intentionally exposes risky tools.
It exists for:
- local manual checks with mcp-scorecard scan
- future README screenshots and examples
- stable scanner tests that should always produce the same findings
The tool surface is intentionally problematic:
- exec_command: arbitrary shell execution
- write_file: filesystem write access
- do_it: vague, low-quality description
- debug_payload: excessively weak input schema with open-ended arbitrary payload
From the repository root:

    python examples/insecure-server/server.py

Scan it with MCP Scorecard:

    mcp-scorecard scan --cmd python examples/insecure-server/server.py

With the local virtual environment:

    python -m venv .venv
    source .venv/bin/activate
    pip install -e .[dev]
    mcp-scorecard scan --cmd python examples/insecure-server/server.py

Windows (PowerShell):

    .\.venv\Scripts\mcp-scorecard scan --cmd .\.venv\Scripts\python examples\insecure-server\server.py

Sample launch artifacts generated from this server:

- sample-reports/insecure-server.report.json
- sample-reports/insecure-server.report.sarif
- sample-reports/insecure-server.terminal.md
This example should reliably trigger findings such as:
- dangerous shell execution capability
- filesystem write capability
- vague or low-signal metadata
- underconstrained input schema
- missing scope hint for filesystem mutation
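
The following is an added sketch, not MCP Scorecard's own rules and not code from this repository, of heuristics that would raise the five finding types listed above from a tools/list response. The tool descriptions, schemas, regexes and finding labels are all assumptions constructed for illustration.

```python
import re

# Constructed tools/list entries mirroring the four tools named above; the
# descriptions and schemas are assumptions, not copied from server.py.
TOOLS = [
    {"name": "exec_command", "description": "Execute an arbitrary shell command on the host.",
     "inputSchema": {"type": "object", "properties": {"command": {"type": "string"}},
                     "required": ["command"], "additionalProperties": False}},
    {"name": "write_file", "description": "Write text content to a file on disk.",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string"}, "content": {"type": "string"}},
                     "required": ["path", "content"], "additionalProperties": False}},
    {"name": "do_it", "description": "Does it.",
     "inputSchema": {"type": "object", "properties": {"target": {"type": "string"}},
                     "additionalProperties": False}},
    {"name": "debug_payload", "description": "Accept a debug payload and echo a summary of it.",
     "inputSchema": {"type": "object", "additionalProperties": True}},
]

# Hypothetical keyword heuristics; a real scanner would use richer rules.
SHELL = re.compile(r"\b(shell|exec|execute|command)\b", re.I)
FS_WRITE = re.compile(r"\b(write|delete|overwrite)\b.*\b(file|disk|path)\b", re.I)
SCOPE = re.compile(r"\b(within|inside|under|restricted to|workspace|sandbox)\b", re.I)

def audit_tool(tool):
    """Return the sorted finding labels for one tool definition."""
    findings = set()
    desc = tool.get("description", "")
    text = f"{tool['name'].replace('_', ' ')} {desc}"
    schema = tool.get("inputSchema") or {}
    if SHELL.search(text):
        findings.add("shell-execution")
    if FS_WRITE.search(text):
        findings.add("filesystem-write")
        # A mutating tool should say where it is allowed to write.
        if not SCOPE.search(desc):
            findings.add("missing-scope-hint")
    if len(desc.split()) < 4:
        findings.add("vague-metadata")
    # JSON Schema treats an absent additionalProperties as true (open-ended).
    if not schema.get("properties") or schema.get("additionalProperties", True) is not False:
        findings.add("underconstrained-schema")
    return sorted(findings)

def audit(tools):
    """Map each tool name to its findings."""
    return {t["name"]: audit_tool(t) for t in tools}

if __name__ == "__main__":
    for name, found in audit(TOOLS).items():
        print(f"{name}: {', '.join(found) or 'no findings'}")
```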

- This server is intentionally insecure and should not be used outside demos/tests.
- It implements only the minimal MCP handshake needed for local discovery.