mcp_Shield
The security runtime for MCP servers. Every tool call inspected. Every attack blocked. Every decision logged.
README
mcp-shield ๐ก๏ธ
The security runtime for MCP servers. Every tool call inspected. Every attack blocked. Every decision logged.
What is MCP?
Model Context Protocol (MCP) is an open standard that lets AI assistants (Claude, Cursor, Copilot) connect to external tools and services โ file systems, APIs, databases, browsers โ through MCP servers.
Think of MCP servers as plugins that give AI agents real-world capabilities.
The Problem
MCP servers run as trusted processes on your machine with broad access:
| Access | Risk |
|---|---|
| ๐๏ธ Filesystem | Read /etc/passwd, steal SSH keys |
| ๐ Network | SSRF to 169.254.169.254 (AWS metadata endpoint) |
| ๐ Environment variables | Steal API keys, tokens, secrets |
| โ๏ธ Shell | Execute arbitrary commands |
A malicious or compromised MCP server can silently exfiltrate your secrets, pivot to internal infrastructure, or execute code โ and you'd never know.
This is not theoretical. A real SSRF vulnerability was found in an MCP OAuth HTTP transport implementation that allowed exactly this class of attack.
How mcp-shield Fixes This
mcp-shield sits between your AI agent and the MCP server as a policy enforcement layer. Before any tool executes, mcp-shield evaluates it. If it's not explicitly allowed โ it's blocked.
AI Agent
โ
โผ
mcp-shield /inspect
โ
โโโ Tool allowlist check โ "read_secrets" not in allowlist โ ๐ซ BLOCK
โโโ Blocked pattern check โ "ssrf_fetch" is dangerous โ ๐ซ BLOCK
โโโ Argument scanning โ "169.254.169.254" in args โ ๐ซ BLOCK
โ (recursive, nested dicts)
โโโ Passed all checks โ โ
ALLOW โ MCP Server executes
โ
โผ
Audit Log (SQLite)
timestamp | server | tool | decision | reason
Install
pip install mcpshield-runtime
Or clone and run locally:
git clone https://github.com/srisowmya2000/mcp-shield
cd mcp-shield
python3 -m venv .venv && source .venv/bin/activate
pip install fastapi uvicorn pydantic pydantic-settings mcp httpx pyyaml rich
uvicorn runtime.api.main:app --reload
Open:
- API docs โ http://localhost:8000/docs
- Live dashboard โ http://localhost:8000/dashboard
Live Demo
# Start mcp-shield
uvicorn runtime.api.main:app --reload
# ๐ซ Attempt secret theft โ BLOCKED
curl -X POST http://localhost:8000/inspect \
-H "Content-Type: application/json" \
-d '{"server_name":"evil","policy":"default","tool_call":{"tool_name":"read_secrets","arguments":{}}}'
# โ {"decision":"BLOCK","reason":"Tool 'read_secrets' is not in the allowed_tools list","blocked":true}
# ๐ซ Attempt SSRF to AWS metadata endpoint โ BLOCKED
curl -X POST http://localhost:8000/inspect \
-H "Content-Type: application/json" \
-d '{"server_name":"evil","policy":"default","tool_call":{"tool_name":"ssrf_fetch","arguments":{"url":"http://169.254.169.254/latest/meta-data/"}}}'
# โ {"decision":"BLOCK","reason":"Argument contains blocked pattern: '169.254.169.254'","blocked":true}
# โ
Safe tool โ ALLOWED
curl -X POST http://localhost:8000/inspect \
-H "Content-Type: application/json" \
-d '{"server_name":"safe","policy":"default","tool_call":{"tool_name":"safe_tool","arguments":{"name":"Sri"}}}'
# โ {"decision":"ALLOW","reason":"Passed all policy checks","blocked":false}
CLI
# Inspect a tool call
python3 -m runtime.cli inspect read_secrets
# โ ๐ซ BLOCKED โ Tool 'read_secrets' is not in the allowed_tools list
python3 -m runtime.cli inspect safe_tool
# โ โ
ALLOWED โ Passed all policy checks
# Score a server's risk level
python3 -m runtime.cli risk "read_secrets,ssrf_fetch,safe_tool"
# โ ๐ด HIGH RISK (score: 80)
# โ High-risk tools: ['read_secrets', 'ssrf_fetch']
# โ Do not run without strict policy. Use isolated network.
# View live audit log
python3 -m runtime.cli audit
# View stats
python3 -m runtime.cli stats
# โ Total: 6 | โ
Allowed: 2 | ๐ซ Blocked: 4 (67% block rate)
Policies
Drop a YAML file in policies/ and reference it by name in any /inspect call.
# policies/default.yaml
allowed_tools:
- safe_tool
- list_files
- get_time
block_network: true
block_env_access: true
blocked_arg_patterns:
- "169.254.169.254" # AWS metadata SSRF
- "169.254.170.2" # ECS metadata SSRF
- "localhost"
- "127.0.0.1"
- "/etc/passwd"
- "/etc/shadow"
- "file://"
- "gopher://"
max_memory_mb: 256
execution_timeout_seconds: 30
Switch policy per server:
POST /inspect โ { "policy": "strict", ... }
Two policies included: default and strict (zero-trust).
Features
| Feature | Description |
|---|---|
| ๐ Policy Engine | YAML allowlists + blocked patterns, per-server policies |
| ๐ Argument Scanning | Recursively scans nested args for SSRF, path traversal, dangerous patterns |
| ๐ Audit Logger | Every decision logged to SQLite โ timestamp, server, tool, reason |
| ๐ณ Docker Sandbox | Hardened containers: --cap-drop=ALL, --network=none, --read-only |
| ๐ฅ Firecracker Backend | microVM isolation โ each server gets its own Linux kernel (Linux/KVM only) |
| ๐ Risk Scorer | Scores MCP servers LOW / MEDIUM / HIGH based on tool capabilities |
| ๐ฅ๏ธ Live Dashboard | Real-time web UI at /dashboard โ live block/allow feed, flash animations |
| โก CLI | mcpshield inspect, audit, stats, risk with rich colored output |
API Reference
| Endpoint | Method | Description |
|---|---|---|
/health |
GET | Service health check |
/inspect |
POST | Evaluate tool call โ ALLOW / BLOCK |
/audit |
GET | Recent audit log entries |
/audit/stats |
GET | Total / allowed / blocked counts |
/risk/score |
POST | Score server risk by tool list |
/sandbox/launch |
POST | Launch MCP server in hardened Docker container |
/sandbox/stop/{name} |
POST | Stop a running sandbox |
/sandbox/list |
GET | List running sandboxes |
/dashboard |
GET | Live real-time decision dashboard |
/docs |
GET | Interactive Swagger API docs |
Docker Sandbox
Every MCP server launched via mcp-shield runs with:
--cap-drop=ALL no Linux capabilities
--no-new-privileges no privilege escalation
--read-only immutable filesystem
--network=none no network access
--memory=256m memory limit
--cpus=0.5 CPU limit
--pids-limit=64 process limit
--tmpfs=/tmp ephemeral tmp only
Firecracker microVM Backend
For stronger isolation, mcp-shield supports Firecracker microVMs โ each MCP server gets its own Linux kernel. A kernel exploit inside the VM cannot reach the host.
Docker: shared kernel โ kernel exploit = host at risk
Firecracker: own kernel โ kernel exploit = contained in VM
Requires Linux with KVM. See docs/firecracker-setup.md.
Architecture
mcp-shield/
โโโ runtime/
โ โโโ api/
โ โ โโโ main.py # FastAPI โ all endpoints
โ โโโ policy_engine.py # YAML policy loader + evaluator
โ โโโ audit_logger.py # SQLite decision log
โ โโโ risk_scorer.py # LOW/MEDIUM/HIGH risk scoring
โ โโโ cli.py # Typer CLI
โ โโโ models.py # Pydantic schemas
โ โโโ sandbox/
โ โโโ base.py # Abstract backend interface
โ โโโ docker_backend.py # Hardened Docker sandbox
โ โโโ firecracker_backend.py # microVM backend (Linux/KVM)
โโโ policies/
โ โโโ default.yaml
โ โโโ strict.yaml
โโโ examples/
โ โโโ malicious_mcp_server/ # Demo attacker (SSRF + secret theft + exec)
โ โโโ safe_mcp_server/ # Demo benign server
โโโ docs/
โ โโโ threat-model.md # Attack scenarios + limitations
โ โโโ firecracker-setup.md # Firecracker setup guide
โโโ tests/ # 12 tests โ all passing
Tests
pip install pytest
pytest tests/ -v
# 12 passed in 0.11s
Covers: tool allowlist blocking, SSRF argument detection, nested arg scanning, strict policy enforcement, edge cases, unknown policy handling.
Threat Model
See docs/threat-model.md for:
- Attack scenarios (SSRF, secret theft, command execution, path traversal)
- What mcp-shield blocks vs what it doesn't
- Defense in depth recommendations
Roadmap
- [x] Policy engine (allowlist + pattern scanning)
- [x] Audit logger (SQLite)
- [x] FastAPI REST surface
- [x] Docker sandbox backend (hardened)
- [x] Demo malicious MCP server
- [x] Risk scorer (LOW / MEDIUM / HIGH)
- [x] CLI (
mcpshield inspect,audit,stats,risk) - [x] Real-time dashboard
- [x] Firecracker microVM backend
- [x] PyPI package (
pip install mcpshield-runtime) - [x] Threat model documentation
- [ ] Prompt injection detection
- [ ] Per-tool argument schema validation
- [ ] Webhook alerts on BLOCK events
License
MIT โ see LICENSE
Author
Sri Sowmya Nemani โ Security researcher & engineer. Bug bounty | MCP security | AI agent security
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.