SAFE-MCP Contributor Opportunities
Always-up-to-date list of techniques ready for contribution
Last updated: January 20, 2026
85
Total Techniques
70
Contributed
13
In Progress
12
Available
Hackathon Assignments (13)
These techniques are assigned to hackathon participants and are not available for claiming.
SAFE-MCP Nov 23 Hackathon
| Technique ID | Assignee | Tactic |
|---|---|---|
| SAFE-T1207 | Petrus Mgbebu | Persistence |
| SAFE-T1308 | Obiora Ebuka | Privilege Escalation |
| SAFE-T1407 | Afeez Olawale | Defense Evasion |
| SAFE-T1506 | Ayomide Onatola | Credential Access |
| SAFE-T1507 | Pritika Bista | Credential Access |
| SAFE-T1911 | Silva Chijioke | Exfiltration |
SAFE-MCP Nov 22 Hackathon
| Technique ID | Assignee | Tactic |
|---|---|---|
| SAFE-T1004 | Ryan Jennings | Initial Access |
| SAFE-T1205 | Arjun Subedi | Persistence |
| SAFE-T1406 | Aditi Bharti | Defense Evasion |
| SAFE-T1605 | Umesh Rawat | Discovery |
| SAFE-T1606 | Vikranth Kumar Shivaa | Discovery |
| SAFE-T1912 | Rajiv Shrestha | Exfiltration |
| SAFE-T2103 | Pratikshya Regmi | Impact |
Available Techniques by Tactic
Pick a technique below to contribute. Check the TEMPLATE.md for documentation structure.
ATK-TA0011 (1 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1901 | Outbound Webhook C2 | LLM calls "http.post" to attacker URL with commands/results |
ATK-TA0001 (1 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1005 | Exposed Endpoint Exploit | Misconfigured public MCP endpoints (no auth, debug on) let attackers connect, enumerate tools or trigger RCE |
ATK-TA0003 (1 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1206 | Credential Implant in Config | Adds attacker's API/SSH keys to server .env, giving re-entry |
ATK-TA0005 (1 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1405 | Tool Obfuscation/Renaming | Malicious tool named "Utils-Helper" to blend in among 30 legit tools |
ATK-TA0007 (1 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1604 | Server Version Enumeration | GET /version or header analysis for vulnerable builds |
ATK-TA0009 (2 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1802 | File Collection | Batch-read sensitive files for later exfil |
| SAFE-T1805 | Context Snapshot Capture | Query vector store embeddings wholesale |
ATK-TA0010 (2 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1913 | HTTP POST Exfil | Use outbound web tool to POST to attacker server |
| SAFE-T1914 | Tool-to-Tool Exfil | Chain two tools so second one emails data out |
ATK-TA0011 (2 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1902 | Covert Channel in Responses | Encode data in whitespace or markdown links returned to chat |
| SAFE-T1903 | Malicious Server Control Channel | Attacker operates rogue server; every tool call doubles as heartbeat |
ATK-TA0040 (1 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T2104 | Fraudulent Transactions | Payment-tool instructed to move funds |