agents
Server Details
Pay-per-call safety guards for AI agents: injection, tool-call, signing, secret, x402-trust.
- Status
- Healthy
- Last Tested
- Transport
- Streamable HTTP
- URL
Glama MCP Gateway
Connect through Glama MCP Gateway for full control over tool access and complete visibility into every call.
Full call logging
Every tool call is logged with complete inputs and outputs, so you can debug issues and audit what your agents are doing.
Tool access control
Enable or disable individual tools per connector, so you decide what your agents can and cannot do.
Managed credentials
Glama handles OAuth flows, token storage, and automatic rotation, so credentials never expire on your clients.
Usage analytics
See which tools your agents call, how often, and when, so you can understand usage patterns and catch anomalies.
Tool Definition Quality
Average 4.2/5 across 7 of 7 tools scored. Lowest: 3.6/5.
Each tool targets a distinct security or development concern: prompt injection detection, secret scanning, transaction safety, tool call safety, counterparty vetting, code security review, and PR summary generation. There is no overlap in their purposes, making it easy for an agent to select the appropriate tool.
All tool names use lowercase with hyphens and follow a pattern of descriptor plus category (e.g., 'guard', 'scan', 'review', 'summary'). However, the structure of the descriptor varies (e.g., 'pr-summary' uses an abbreviation, 'secure-code-review' uses an adjective-noun combination, 'x402-trust-audit' includes a code), causing slight inconsistency.
With 7 tools, the server covers a well-scoped set of agent safety and development operations. The count is neither too few to be useful nor too many to be overwhelming, fitting the narrow domain of agent guardrails and some dev tools.
The tool surface addresses major security areas: input injection, secret leakage, transaction signing, tool execution, counterparty vetting, and code security. The inclusion of PR summary is a slight outlier but still useful. A minor gap is output safety beyond secrets (e.g., harmful content generation), but overall the set is well-rounded.
Available Tools
7 toolsinject-guardAInspect
Untrusted-content guardrail for agents: submit a blob of text you are about to feed to your own LLM (scraped web content, a tool result, another agent's message) and get a machine-enforceable verdict - is this a prompt-injection / jailbreak / data-exfiltration / tool-hijack attempt? Returns a risk level, the detected classes with spans, the unicode obfuscation it found (zero-width, bidi-override, tag-chars, homoglyphs), and a SANITIZED copy safe to feed onward. Hybrid: a deterministic, uninjectable pattern engine (authoritative) plus an LLM classifier that can only raise the risk, never clear a flag. Detection of known injection classes - not a proof of safety. [security; up to 15c/call]
| Name | Required | Description | Default |
|---|---|---|---|
| content | Yes | The untrusted text to scan before you feed it to your LLM. | |
| context | No | Optional: where the content came from (url, tool name, sender) - context only. |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
No annotations provided, so description carries full burden. It explains the hybrid approach (deterministic engine + LLM classifier with one-way risk escalation), details all returned fields (risk level, spans, obfuscation, sanitized copy), and explicitly states limitations ('not a proof of safety').
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is well-structured and front-loaded with the main purpose. It includes multiple details but each sentence is informative. Could be slightly more concise, but not verbose.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the tool's complexity (multi-class detection, sanitization, security context) and no output schema, the description comprehensively covers return values, behavior, and limitations. It also includes cost and a security disclaimer.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema description coverage is 100% for both parameters. The description does not add information beyond what is already in the schema's parameter descriptions. Baseline 3 is appropriate.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the tool scans untrusted content for prompt injections, jailbreaks, etc., and returns a verdict. It distinguishes from sibling tools like secret-scan and sign-guard by specifying its guardrail role for LLM input.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
It explicitly says to use 'before you feed [content] to your own LLM' and lists sources like scraped web content or tool results. It doesn't detail when not to use, but the context and sibling differentiation imply appropriate scenarios.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
pr-summaryAInspect
Turn a git diff into a clear PR description or release notes. [dev-tools; up to 30c/call]
| Name | Required | Description | Default |
|---|---|---|---|
| diff | Yes | Unified git diff to summarise | |
| style | No | e.g. conventional, changelog, executive |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
No annotations are provided, so the description carries full burden. It mentions generating a summary from a diff but doesn't disclose output format, side effects, or limitations (e.g., diff size).
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is a single efficient sentence with a brief pricing hint, no redundancy, and all words earn their place.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the tool's simplicity (2 params, no output schema), the description is mostly complete but could mention the output format or constraints like max diff size.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema coverage is 100%, and the description adds value by providing examples for the style parameter (e.g., conventional, changelog, executive), which goes beyond the schema description.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description uses a specific verb 'turn' and clearly identifies the input (git diff) and output (PR description or release notes). It inherently distinguishes from sibling tools which are security-focused.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description implies usage for creating PR descriptions or release notes but does not explicitly state when to use versus alternatives or any prerequisites.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
secret-scanAInspect
Leaked-credential guardrail for agents: submit a blob you are about to commit, log, post, or hand to another tool (a diff, a config, an .env, an LLM output) and get a machine-enforceable verdict - does it contain a live secret? Detects cloud keys (AWS), VCS tokens (GitHub/GitLab), provider API keys (Stripe, OpenAI, Anthropic, Google, Slack), private-key blocks, JWTs, and credentials embedded in URLs, plus high-entropy key=value assignments. Returns a risk level, the detected classes with a MASKED locator (never the secret itself, so the verdict cannot re-leak), and a REDACTED copy safe to emit onward. Deterministic, sub-second, never fetches. Detection of known secret formats - not a proof of cleanliness. [security; up to 200c/call]
| Name | Required | Description | Default |
|---|---|---|---|
| content | Yes | The text to scan for leaked secrets (diff, config, .env, log line, LLM output). |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
No annotations provided, so description carries full burden. It discloses that it never fetches external data, is deterministic, sub-second, returns masked locators and redacted copies, and detects known secret formats (not proof of cleanliness). Also mentions rate limits (200c/call).
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
Description is comprehensive but somewhat long; however, every sentence adds value. It front-loads the main purpose and key details. Could be slightly more concise, but overall well-structured.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the tool has only one parameter, no output schema, and no annotations, the description fully explains the input, behavior, and return structure (risk level, detected classes with masked locators, redacted copy). No gaps.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Only one parameter 'content' with schema description 'The text to scan...'. The tool description adds context by listing example types (diff, config, .env, log line, LLM output), which helps an agent understand the expected input format beyond the schema.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
Clearly states it's a leaked-credential guardrail for agents, describes target inputs (diffs, configs, .env, etc.) and what it detects (cloud keys, tokens, API keys, etc.). Distinguishes itself from sibling tools like inject-guard, secure-code-review, etc., which focus on other security aspects.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
Explicitly says to use before committing, logging, posting, or handing data to another tool. Mentions it's deterministic and sub-second. Does not explicitly state when not to use or list alternatives, but the context is clear.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
secure-code-reviewAInspect
Security review of a code snippet or diff. Returns structured findings (severity, CWE, location, remediation). [security; up to 75c/call]
| Name | Required | Description | Default |
|---|---|---|---|
| code | Yes | Source code or unified diff to review | |
| context | No | Optional context about the code | |
| language | No | Language hint, e.g. typescript, python |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
No annotations provided, so the description carries full burden. It discloses that it returns structured findings and mentions cost, but does not state whether it is read-only, requires authentication, or other behavioral traits. Some transparency is present, but gaps remain.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
Two sentences, no redundant words. Front-loaded with purpose and output, followed by cost. Every sentence earns its place.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given no output schema and moderate complexity, the description adequately explains return structure (severity, CWE, location, remediation). However, it lacks details on format or pagination, but is largely complete for a review tool.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema description coverage is 100%, so baseline is 3. The description does not add meaning beyond schema: 'code' is source code/diff, 'context' optional, 'language' hint, all already defined in schema.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the tool's purpose: security review of code snippets or diffs, and specifies the output includes severity, CWE, location, and remediation. This distinguishes it from siblings like secret-scan (secrets) and inject-guard (injection), though not explicitly.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
No guidance on when to use this tool vs alternatives. The description does not specify prerequisites, when not to use, or mention sibling tools for comparison.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
sign-guardAInspect
Pre-sign safety oracle for agent wallets: submit the transaction or EIP-712 message you are about to sign and get a machine-enforceable verdict. Decodes the calldata/typed-data, flags the drainer toolkit (unlimited approvals, setApprovalForAll, permit/permit2 + EIP-3009 to an unexpected party, transferFrom draining an unnamed account, ownership transfer, raw ETH to a stranger), and binds the decoded action to your stated intent - only a fully pinned, clean action is auto-sign-safe. Fails closed: an undecodable on-chain call is cautioned and an unrecognized off-chain signature grant is blocked. Deterministic, sub-second, no endpoint fetch. It vouches that the action matches what you said; it does NOT vouch that a counterparty is trustworthy. [security; up to 200c/call]
| Name | Required | Description | Default |
|---|---|---|---|
| tx | No | An EVM transaction you are about to sign. | |
| context | No | Optional free-form context. | |
| expected | No | Your stated intent. Supplying it lets the verdict BIND the action; only a fully bound, clean action is auto-sign-safe. For an allowance, you MUST supply maxAmount; for a transferFrom, supply `from`. | |
| typedData | No | An EIP-712 message you are about to sign (the off-chain drainer surface: permit, Permit2, EIP-3009). { domain, types, primaryType, message }. | |
| spendPolicy | No | Optional buyer spend policy (context only). |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations, the description carries full disclosure. It explains decoding of calldata/typed-data, detection of drainer patterns, binding to stated intent, deterministic and sub-second execution, and failure modes (cautioned/blocked). It also mentions cost (up to 200c/call), which is beyond what annotations typically cover.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is a single dense paragraph that front-loads the core purpose. Every sentence adds value, covering behavior, constraints, and limitations. It could be slightly more structured (e.g., bullet points for failure modes) but remains concise and informative without redundancy.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
The description explains what the tool does and its outcomes (auto-sign-safe, cautioned, blocked) but does not specify the structure of the verdict return value. Given no output schema, the agent is left to infer the response format. Additional details on the verdict object would improve completeness.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema coverage is 100%, and the description adds significant context beyond parameter names and basic types. For example, it explains the purpose of `expected.maxAmount` (required for auto-sign allowance) and `expected.from` (for transferFrom), and describes `typedData` as the off-chain drainer surface, enhancing agent understanding.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the tool's purpose: a pre-sign safety oracle that submits transactions or EIP-712 messages and returns a machine-enforceable verdict. It specifies the resource (transactions/messages) and verb (submit + get verdict), and distinguishes itself from siblings by focusing on pre-sign safety for wallets.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description indicates when to use the tool (before signing EVM transactions or EIP-712 messages) and provides context like failing closed and not vouching for counterparty trustworthiness. However, it does not explicitly compare to sibling tools or provide alternatives, though the sibling list suggests different security roles.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
tool-call-guardAInspect
Pre-execution safety oracle for agent actions: submit the tool call you are about to run (shell, http, sql, file, code, env) plus your stated intent, and get a machine-enforceable verdict before you execute it. Decodes what the call does, flags the danger toolkit (rm -rf, reverse shell, curl|sh, SSRF to cloud metadata, credential reads, DROP/DELETE-without-WHERE, path traversal, dynamic eval), and binds it to your intent (allowedHosts/allowedPaths/readOnly/noNetwork) - only a fully pinned, clean, intent-matched call is auto-exec-safe. Hybrid: a deterministic, uninjectable detector engine (authoritative) plus an LLM classifier that can only raise the risk. Fails closed. Detection of known-dangerous patterns, not a proof of safety; it never executes the call. [security; up to 8c/call]
| Name | Required | Description | Default |
|---|---|---|---|
| call | Yes | The tool call you are about to execute. | |
| intent | No | What this call is for (natural language). Used by the classifier for intent-mismatch. | |
| context | No | Optional: where the task/input came from (untrusted source label). | |
| expected | No | Machine-checkable constraints. Supplying them lets the verdict BIND the call; only a positively-scoped, satisfied call is auto-exec-safe. |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
The description thoroughly discloses behavior: hybrid deterministic+LLM classifier, fails closed, never executes the call, detects known-dangerous patterns, and pricing. No annotations are provided, so the description carries the full burden and meets it excellently.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is front-loaded with the main purpose and then details. It is dense but every sentence adds context. Could be slightly more concise, but overall well-structured.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the tool's complexity with nested objects and no output schema, the description adequately explains the workflow and constraints. It misses explicit return format, but the use case is clear. Slightly better than baseline.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema coverage is 100% with each parameter described. The description adds value by explaining how 'intent' and 'expected' bind the call for auto-exec safety, and how the verdict works. This goes beyond the schema's isolated field descriptions.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the tool is a pre-execution safety oracle that evaluates tool calls and returns a verdict. It specifies the types of calls (shell, http, sql, file, code, env) and the output (machine-enforceable verdict). This distinct purpose is not confused with siblings.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description explains when to use the tool: before executing a tool call to check safety. It implies usage in security-critical contexts but does not explicitly state when not to use it or mention alternatives among siblings. Context is clear though.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
x402-trust-auditAInspect
Vet an x402 counterparty before settling USDC: scores the advertised payment requirements AND (when supplied) the EIP-3009 authorization you are about to sign. Returns a machine-enforceable trust verdict (per-entry scores, coverage-honest trustScore, spend-constraint + tamper-evident fingerprint) for buyer agents and wallet/spend-policy layers. No endpoint fetch. [security; up to 200c/call]
| Name | Required | Description | Default |
|---|---|---|---|
| context | No | Optional free-form context. | |
| expected | No | Optional caller expectations. | |
| endpointUrl | No | Resource URL being paid (context only; never fetched). | |
| spendPolicy | No | Optional buyer spend policy to evaluate against and to pin facilitators. | |
| paymentPayload | No | The UNSIGNED EIP-3009 authorization the buyer is about to sign: { authorization|message: {from,to,value,validAfter,validBefore,nonce}, domain: {name,version,chainId,verifyingContract} }. Lets the audit bind the menu to the actual charge (server-enforced to/value/verifyingContract/chainId). Omit to vet requirements only - but then the verdict is never auto-settle-safe. | |
| serverMetadata | No | Optional server metadata the caller already holds (context only; not fetched). | |
| paymentRequirements | Yes | The x402 payment requirements from the counterparty: the 402 `accepts` array, or a single object. | |
| selectedOptionIndex | No | Index in the accepts array the buyer intends to settle (default 0). The verdict is scoped to it. |
Tool Definition Quality
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
Without annotations, the description carries the full burden of explaining behavior. It discloses important traits: 'No endpoint fetch' (no external calls), cost ('up to 200c/call'), and the consequences of omitting the payment payload. It also describes the return value components, providing transparency about what the verdict contains.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is a single, well-organized paragraph that front-loads the core purpose and then details return values and parameter context. It is concise (no redundant sentences) and all information is relevant, though it could benefit from bullet points for readability.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the complexity (8 parameters, nested objects, no output schema), the description covers the main functionality and key parameter aspects. However, it lacks detailed return value structure (only lists components without types), and does not address error handling or edge cases (e.g., invalid requirements). This leaves some gaps for an AI agent.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema coverage is 100% (all 8 parameters documented). The description adds meaning beyond the schema by explaining that 'endpointUrl' is 'context only; never fetched', that 'paymentPayload' enables binding the menu to the actual charge, and that 'selectedOptionIndex' defaults to 0. This additional context justifies a score above the baseline of 3.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description explicitly states the tool's purpose: 'Vet an x402 counterparty before settling USDC'. It clearly identifies the resource ('x402 counterparty') and action ('vet'), and distinguishes from siblings like 'sign-guard' or 'tool-call-guard' which serve different security functions.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description provides clear context for when to use the tool ('before settling USDC') and notes that omitting the payment payload results in a verdict that is 'never auto-settle-safe'. However, it does not explicitly mention when not to use it or list alternative tools for different trust scenarios.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
Claim this connector by publishing a /.well-known/glama.json file on your server's domain with the following structure:
{
"$schema": "https://glama.ai/mcp/schemas/connector.json",
"maintainers": [{ "email": "your-email@example.com" }]
}The email address must match the email associated with your Glama account. Once published, Glama will automatically detect and verify the file within a few minutes.
Control your server's listing on Glama, including description and metadata
Access analytics and receive server usage reports
Get monitoring and health status updates for your server
Feature your server to boost visibility and reach more users
For users:
Full audit trail – every tool call is logged with inputs and outputs for compliance and debugging
Granular tool control – enable or disable individual tools per connector to limit what your AI agents can do
Centralized credential management – store and rotate API keys and OAuth tokens in one place
Change alerts – get notified when a connector changes its schema, adds or removes tools, or updates tool definitions, so nothing breaks silently
For server owners:
Proven adoption – public usage metrics on your listing show real-world traction and build trust with prospective users
Tool-level analytics – see which tools are being used most, helping you prioritize development and documentation
Direct user feedback – users can report issues and suggest improvements through the listing, giving you a channel you would not have otherwise
The connector status is unhealthy when Glama is unable to successfully connect to the server. This can happen for several reasons:
The server is experiencing an outage
The URL of the server is wrong
Credentials required to access the server are missing or invalid
If you are the owner of this MCP connector and would like to make modifications to the listing, including providing test credentials for accessing the server, please contact support@glama.ai.
Discussions
No comments yet. Be the first to start the discussion!