Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-context-protectorShow me if any of my MCP servers have unapproved configuration changes."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mcp-context-protector
Overview
mcp-context-protector is a security wrapper for MCP servers that addresses risks associated with running untrusted MCP servers, including line jumping, unexpected server configuration changes, and other prompt injection attacks. Implementing these security controls through a wrapper (rather than through a scanner that runs before a tool is installed or by adding security features to an MCP host app) streamlines enforcement and ensures universal compatibility with all MCP apps.
Features
Trust-on-first-use pinning of server configurations
Automatic blocking of unapproved configuration changes
Guardrail scanning and quarantining of tool responses
ANSI control character sanitization
Assisted editing of
mcp.jsonfiles
Quickstart
Installation:
To make it easier to launch mcp-context-protector, we recommend updating mcp-context-protector.sh to contain the full path to uv. Some MCP clients, including Claude Desktop, replace the PATH environment variable with a minimal set of paths when launching MCP servers, which can make your claude_desktop_config.json file unwieldy and hard to maintain. Including a full path to uv in the launcher helps mitigate this problem.
Now configure your client to run your MCP servers through mcp-context-protector, and tool configuration pinning will automatically be enabled. Here's a sample Claude Desktop config:
Alternatively, use --command-args to have mcp-context-protector concatenate all arguments that follow into one command string:
TL;DR: use --command-args if your MCP client mangles your stdio server command, but be careful with escaping of shell metacharacters.
Longer explanation: Some clients (including, as of this writing, Cursor) will construct their MCP server commands by concatenating the arguments together into a space-delimited string. That is, mcp-context-protector.sh --command "cmd arg1 arg2 --arg3" will become mcp-context-protector.sh --command cmd arg1 arg2 --arg3, and mcp-context-protector will think arg1 through --arg3 are meant as arguments to the wrapper, not to the child command. The --command-args option addresses this issue.
Security risks and controls
Risk | Relevant control |
Line jumping | Server configuration blocking, approval and pinning; guardrail evaluation of server instructions and tool descriptions |
Server configuration changes/rug pulls | Server configuration pinning |
User deception through ANSI control characters | ANSI control character sanitization |
Other prompt injection attacks | Tool response guardrails and quarantining |
Server configuration pinning
mcp-context-protector uses a trust-on-first use pinning system for MCP server configurations. Any deviation from the approved/known-good server configuration will block downstream tool calls until the user explicitly approves the changed server configuration. Server approval is handled through mcp-context-protector's command-line interface.
Server configuration comparisons compare server instructions, tool descriptions, and tool input schemas to determine whether a server configuration is equivalent to any approved one. Comparisons are semantic and ignore irrelevant factors like tool order and parameter order.
The database of server configurations is stored in a JSON-encoded file whose default location is ~/.mcp-context-protector/servers.json. If a server configuration is in that file, it's approved and will run without tool blocking and without requiring user approval. The wrapper server checks downstream server configurations as soon as the connection is initiated and again whenever the wrapper receives a notification that the downstream server's tools have changed (notifications/tools/list_changed).
Servers are uniquely identified in this file by their type and an identifier, which is either a URL or the command string that launches the server. mcp-context-protector does not care about changes to a server's name in the host app's configuration (such as the claude_desktop_config.json file). If the command string (or URL) is unchanged, it's treated as the same server, and if the command string has changed, even in inconsequential ways, it's treated as a different server, and the configuration will need to be approved exactly as if mcp-context-protector were seeing the server for the first time.
To approve a server's configuration and allow the host app to connect to it, run the CLI app with the argument --review-server. The wrapper server will connect to the downstream server, retrieve its configuration, and display it in the shell. If you approve the configuration, it will be added to the database, and you can restart your host app to use it normally.
Tool response guardrails and quarantine
If mcp-context-protector is launched with a guardrail provider, it will use the chosen provider to scan every tool response for prompt injection attacks. If an attack is detected, the response will be saved in a quarantine database at ~/.mcp-context-protector/quarantine.json. The host app will receive a response that includes the guardrail provider's output.
To review the response and release it from the quarantine, run the app with the argument --review-quarantine, optionally with the --quarantine-id <ID> argument to specify which quarantined response you want to review. The app will then display the tool call and response in the shell and let you review it. If you approve the response, the LLM app can then use the quarantine_release tool to retrieve the response and continue as normal.
Configuring mcp-context-protector
mcp-context-protector is packaged with uv and can be run with uv run mcp-context-protector. To start a server through the wrapper, run the mcp-context-protector.sh launcher script with the arguments --command <COMMAND>, --command-args <CMD> <ARG1> <ARG2> or --url <URL>:
If your downstream server requires the older SSE transport, use --sse-url <URL>.
To include support for tool response scanning, include the --guardrail-provider argument:
Review functions:
Management of mcp.json files
mcp-context-protector can also help add the wrapper server to any existing configuration files that follow the mcp.json standard. To edit a specific file, use the --manage-all-mcp-json flag. All configuration files found at known locations on the filesystem will automatically be detected. Use the CLI interface to add and remove the wrapper from MCP servers. Configuration files located in project directories or code repositories will not be detected automatically. To edit a project's MCP configuration file, or any other specified file, use --manage-mcp-json-file FILENAME.
The following MCP clients' configuration files will automatically be detected:
Claude Code
Claude Desktop
Continue.dev
Cursor
Visual Studio Code
Windsurf