mcp-guardian
Scans MCP tool descriptions for prompt injection attacks, including cross-tool instructions, privilege escalation, and data exfiltration patterns. It can be used as a CLI scanner or integrated as an MCP server itself.
README
mcp-guardian
MCP security scanner that detects prompt injection attacks in tool descriptions.
What It Detects
- Cross-tool instructions - Attempts to chain tool calls ("before using this tool", "first call", "you must execute")
- Privilege escalation - Attempts to override safety ("ignore previous instructions", "you are now", "bypass security")
- Data exfiltration - Attempts to send data externally (URLs, "send to", "upload to")
- Stealth directives - Hidden instructions in descriptions
- Sensitive path access - References to ~/.ssh, ~/.aws, credentials, etc.
- Encoded content - Base64, unicode escapes, hex encoding (potential obfuscation)
Installation
npm install mcp-guardian
Usage
CLI - Scan MCP Config
# Auto-detect Claude Desktop config
npx mcp-guardian
# Explicit config path
npx mcp-guardian /path/to/claude_desktop_config.json
# JSON output
npx mcp-guardian --json
CLI - Run as MCP Server
npx mcp-guardian --mcp
Claude Desktop Integration
Add to your claude_desktop_config.json:
{
"mcpServers": {
"mcp-guardian": {
"command": "npx",
"args": ["-y", "mcp-guardian", "--mcp"]
}
}
}
Library Usage
import {
scanToolDescription,
scanToolDefinitions,
isDescriptionSafe,
verifyToolDefinitions,
} from "mcp-guardian";
// Scan a single tool description
const result = scanToolDescription("my_tool", "Tool description here");
if (result.status === "critical") {
console.error("Potential injection:", result.issues);
}
// Quick safety check
if (!isDescriptionSafe("Before using this tool, first call...")) {
console.warn("Suspicious description detected");
}
// Scan multiple tools
const tools = [
{ name: "tool1", description: "...", schema: {} },
{ name: "tool2", description: "...", schema: {} },
];
const serverResult = scanToolDefinitions(tools, "my-server");
// Tool pinning - detect changes
const pinResult = verifyToolDefinitions(tools);
if (pinResult.status === "changed") {
console.warn("Tool definitions changed:", pinResult.changedTools);
}
Demo
Try mcp-guardian instantly with built-in poisoned tool examples:
npx mcp-guardian demo
This scans hardcoded examples demonstrating real attack patterns ā no config file needed.
Expected output:
ā
filesystem (14 tools)
ā
memory (9 tools)
š“ suspicious-tool (4 tools)
āā add: sensitive_path (~/.ssh)
āā format_text: privilege_escalation ("You are now")
āā search_docs: exfiltration (evil URL), sensitive_path (~/.aws/credentials)
Summary:
š Total tools: 27
ā
Clean: 2
ā ļø Warning: 0
šØ Critical: 1
The poisoned server demonstrates real attack patterns from published security research. See examples/poisoned-server/README.md for details.
Detection Patterns
Critical Severity (38 patterns)
| Category | Examples |
|---|---|
| Cross-tool instruction | "before using this tool", "first call", "then execute", "always call" |
| Privilege escalation | "ignore previous instructions", "override system", "you are now" |
| Exfiltration | URLs, "send to", "post to", "forward to", "upload to" |
Warning Severity (13 patterns)
| Category | Examples |
|---|---|
| Sensitive paths | ~/.ssh, ~/.aws, /etc/passwd, .env, api_key |
| Encoded content | Base64 strings, unicode escapes, hex encoding |
Pre-commit Integration
Using pre-commit framework
Add to your .pre-commit-config.yaml:
repos:
- repo: https://github.com/alexandriashai/mcp-guardian
rev: v1.2.2
hooks:
- id: mcp-guardian
Using Husky
Add to .husky/pre-commit:
#!/bin/sh
. "$(dirname "$0")/_/husky.sh"
npx mcp-guardian --sync --quiet
Using Lefthook
Add to lefthook.yml:
pre-commit:
commands:
mcp-guardian:
glob: "claude_desktop_config.json"
run: npx mcp-guardian --sync {staged_files}
Tool Pinning
MCP Guardian includes tool definition pinning - SHA-256 hashing of tool definitions to detect tampering:
import { verifyToolDefinitions, approveAllTools } from "mcp-guardian";
// Verify tools against stored baseline
const result = verifyToolDefinitions(tools);
// Status: "created" | "verified" | "changed" | "error"
if (result.status === "changed") {
console.log("Modified tools:", result.changedTools);
console.log("New tools:", result.newTools);
console.log("Removed tools:", result.removedTools);
}
// Re-approve all tools (after review)
approveAllTools(tools);
Manifests are stored in ~/.mcp-guardian/tool-manifest.json.
Research References
This tool is informed by MCP security research from:
- Invariant Labs - MCP Security Research
- Microsoft - Prompt Injection Attacks
- Palo Alto Unit 42 - AI Security
- Simon Willison - Prompt Injection
License
MIT
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.