Cybersecurity Analysts Discuss Risks of Malicious Model Context Protocol Servers at Cactus Con

The video features a discussion between cybersecurity analysts at Cactus Con about the security risks of Malicious Model Context Protocol (MCP) servers, which act as wrappers around backend APIs to help large language models (LLMs) interpret and execute functions. Key vulnerabilities highlighted include broken access control, prompt injection, and social engineering risks, with examples like a ServiceNow red teamer tricking an LLM into creating an admin account or GitHub accidentally exposing private code. The conversation emphasizes that MCP servers inherit traditional API security flaws—such as improper authorization and input validation—while introducing new attack vectors, like LLMs executing unintended actions due to ambiguous tool descriptions or multi-prompt injection. Tools like Fast MCP (Python framework), Anthropic’s API, and OpenClaw (an open-source LLM ecosystem) were mentioned, with OpenClaw criticized for its lack of security hardening and malicious "skills" on its package hub. The analysts argue that while prompt injection may never be fully eradicated, mitigation requires logical code controls (e.g., attribute-based access checks, MFA prompts for anomalies) and dynamic red-teaming using LLMs to test edge cases. The discussion also touches on the tension between rapid AI adoption and security, noting that companies often prioritize speed over hardening, leading to preventable breaches. Specific threats like malicious MCP servers exfiltrating data or attackers manipulating tool definitions were demonstrated, underscoring the need for layered defenses beyond traditional rule-based security.