ThirdKeyAI

AgentNull

MCP Server

AI Threat Catalog and PoC Repository for Red Teaming

Status: Stale (55) | 3 stars | 1 view | Updated 21 days ago

About

AgentNull is a comprehensive catalog of attack vectors targeting AI systems, including MCP agents, RAG pipelines, and vector databases. It provides structured threat listings and proof‑of‑concepts for educational security research.

Capabilities

  • Resources: access data sources
  • Tools: execute functions
  • Prompts: pre-built templates
  • Sampling: AI model interactions

Overview of AgentNull MCP Server

AgentNull is a specialized Model Context Protocol (MCP) server designed to expose a catalog of security threat vectors and corresponding proof‑of‑concepts (PoCs) for AI systems. Its primary purpose is to provide developers, security researchers, and red‑team practitioners with a structured repository of attack scenarios that target autonomous agents, retrieval‑augmented generation (RAG) pipelines, vector databases, and embedding‑based retrieval mechanisms. By making these threats available through a standard MCP interface, AgentNull allows automated assistants to query, analyze, and even test defenses against realistic adversarial behaviors without the need for custom tooling.

The server presents its catalog in two complementary formats: a human‑readable Markdown document and a machine‑processable JSON file. The JSON payload is tailored for Security Operations Center (SOC) and Security Information and Event Management (SIEM) ingestion, enabling continuous monitoring of threat activity across an organization’s AI stack. Each entry in the catalog is accompanied by a dedicated PoC directory that contains detailed instructions, sample inputs, and expected outputs. These PoCs demonstrate how an MCP‑enabled agent can be coaxed into performing malicious actions (such as tool poisoning, context packing, or embedding manipulation) through crafted prompts and schema exploits.

Key capabilities of AgentNull include:

  • Comprehensive threat coverage: From full‑schema poisoning and advanced tool attacks to memory leakage, token gaslighting, and RAG‑specific exploits like cross‑embedding poisoning.
  • Modular PoC execution: Each attack vector can be run against local LLMs (e.g., Ollama) or simulated environments, facilitating rapid experimentation without incurring API costs.
  • SOC‑ready telemetry: The JSON catalog can be streamed to SIEM platforms, allowing real‑time correlation of attack patterns with system logs and agent behavior.
  • Extensibility: New attack vectors can be added by creating a new directory with its own README, code, and sample data, automatically integrating into the MCP schema.

In real‑world scenarios, AgentNull empowers developers to stress‑test their AI pipelines in a controlled environment. For instance, a data scientist can use the server to inject a tool‑confusion attack against an autonomous agent that manages RAG queries, verifying that the agent correctly validates tool names before execution. Security teams can run the recursive leakage PoC against a memory‑augmented chatbot to ensure that sensitive information does not surface through summarization. By exposing these vectors via MCP, AgentNull enables seamless integration into existing CI/CD workflows, automated testing suites, and continuous security monitoring pipelines.

What sets AgentNull apart is its dual focus on education and operational readiness. It is explicitly marketed as a research resource, with clear disclaimers to prevent misuse in production environments. Simultaneously, its SOC‑compatible JSON output and modular PoC structure make it a practical asset for security teams that need to stay ahead of evolving AI threats. Developers who already understand MCP concepts will find AgentNull a valuable addition to their toolchain, offering both depth of threat coverage and ease of integration into modern AI development workflows.