SAFE-MCP Contributor Opportunities
Always-up-to-date list of techniques ready for contribution
Last updated: November 29, 2025
| Total Techniques | Contributed | In Progress | Available |
|---|---|---|---|
| 84 | 47 | 13 | 27 |
Hackathon Assignments (13)
These techniques are assigned to hackathon participants and are not available for claiming.
SAFE-MCP Nov 23 Hackathon
| Technique ID | Assignee | Tactic |
|---|---|---|
| SAFE-T1207 | Petrus Mgbebu | Persistence |
| SAFE-T1308 | Obiora Ebuka | Privilege Escalation |
| SAFE-T1407 | Afeez Olawale | Defense Evasion |
| SAFE-T1506 | Ayomide Onatola | Credential Access |
| SAFE-T1507 | Pritika Bista | Credential Access |
| SAFE-T1911 | Silva Chijioke | Exfiltration |
SAFE-MCP Nov 22 Hackathon
| Technique ID | Assignee | Tactic |
|---|---|---|
| SAFE-T1004 | Ryan Jennings | Initial Access |
| SAFE-T1205 | Arjun Subedi | Persistence |
| SAFE-T1406 | Aditi Bharti | Defense Evasion |
| SAFE-T1605 | Umesh Rawat | Discovery |
| SAFE-T1606 | Vikranth Kumar Shivaa | Discovery |
| SAFE-T1912 | Rajiv Shrestha | Exfiltration |
| SAFE-T2103 | Pratikshya Regmi | Impact |
Available Techniques by Tactic
Pick a technique below to contribute. See TEMPLATE.md for the required documentation structure.
ATK-TA0008 (1 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1701 | Cross-Tool Contamination | Using compromised MCP tools to access other connected services and systems |
ATK-TA0010 (1 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1910 | Covert Channel Exfiltration | Data smuggling through tool parameters, error messages, or legitimate-appearing operations |
ATK-TA0011 (1 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1901 | Outbound Webhook C2 | LLM calls "http.post" to attacker URL with commands/results |
ATK-TA0001 (2 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1005 | Exposed Endpoint Exploit | Misconfigured public MCP endpoints (no auth, debug on) let attackers connect, enumerate tools or trigger RCE |
| SAFE-T1009 | Authorization Server Mix-up | Client follows redirect to look-alike AS domain (e.g., accounts-google.com vs accounts.google.com), causing authorization codes or tokens to be leaked to attacker-controlled server |
ATK-TA0003 (2 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1203 | Backdoored Server Binary | Inserts cron job or reverse shell on install; persists even if MCP service is uninstalled |
| SAFE-T1206 | Credential Implant in Config | Adds attacker's API/SSH keys to server .env, giving re-entry |
ATK-TA0004 (2 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1302 | High-Privilege Tool Abuse | Invoke a VM-level or root tool from normal user context |
| SAFE-T1305 | Host OS Priv-Esc (RCE) | Achieve root via misconfigured service running as root, then alter host |
ATK-TA0005 (2 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1404 | Response Tampering | Model instructed not to mention risky action, keeping UI output "harmless" |
| SAFE-T1405 | Tool Obfuscation/Renaming | Malicious tool named "Utils-Helper" to blend in among 30 legit tools |
ATK-TA0006 (1 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1505 | In-Memory Secret Extraction | Query vector store for "api_key" embedding strings |
ATK-TA0007 (2 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1603 | System-Prompt Disclosure | Coax model into printing its system prompt/tool JSON |
| SAFE-T1604 | Server Version Enumeration | GET /version or header analysis for vulnerable builds |
ATK-TA0008 (4 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1702 | Shared-Memory Poisoning | Write false tasks to shared vector DB so peer agents execute them |
| SAFE-T1704 | Compromised-Server Pivot | Use hijacked server as beachhead to infect other hosts in same IDE/workspace |
| SAFE-T1706 | OAuth Token Pivot Replay | Attacker reuses OAuth tokens across different services by exploiting either shared Authorization Server trust (e.g., GitHub token used at Slack) or Resource Servers that fail to validate audience claims, enabling unauthorized cross-service access |
| SAFE-T1707 | CSRF Token Relay | Leaked OAuth token is passed via Cross-Site Request Forgery to access different resources on the same Resource Server (e.g., pivoting between GCP projects under same Google AS) |
ATK-TA0009 (4 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1802 | File Collection | Batch-read sensitive files for later exfil |
| SAFE-T1803 | Database Dump | Use SQL tool to SELECT \* from prod DB |
| SAFE-T1804 | API Data Harvest | Loop over customer REST endpoints via HTTP tool |
| SAFE-T1805 | Context Snapshot Capture | Query vector store embeddings wholesale |
ATK-TA0010 (2 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1913 | HTTP POST Exfil | Use outbound web tool to POST to attacker server |
| SAFE-T1914 | Tool-to-Tool Exfil | Chain two tools so second one emails data out |
ATK-TA0011 (2 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T1902 | Covert Channel in Responses | Encode data in whitespace or markdown links returned to chat |
| SAFE-T1903 | Malicious Server Control Channel | Attacker operates rogue server; every tool call doubles as heartbeat |
ATK-TA0040 (1 available)
| ID | Name | Description |
|---|---|---|
| SAFE-T2104 | Fraudulent Transactions | Payment-tool instructed to move funds |
