SecureMCP-Agentic
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@SecureMCP-AgenticFind a New Year's gift under $80 with at least 4.5 stars."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
SecureMCP-Agentic
SecureMCP-Agentic is a research prototype for secure tool selection in LLM-based agents. It adds a security-aware verification layer between top-k tool retrieval and tool execution to reduce prompt injection and tool-poisoning attacks in MCP-enabled agent systems.
Current Status
The current implementation is a working heuristic baseline. It includes:
Local MCP server with benign, high-risk, and simulated malicious tools
ChromaDB-based top-k tool retrieval
Prompt-injection phrase detection
Intent-mismatch approximation
Permission-risk scoring
Execution-impact scoring
MCP server/tool trust scoring
Threshold-based risk classification
Human approval for high-risk actions
Docker-isolated tool execution
JSONL experiment logging
The planned next stage is a multi-LLM verification framework with specialized security, intent, permission, execution, trust, and judge verifiers.
Related MCP server: Carapace MCP Server
Proposed Workflow
User Prompt
↓
Intent Context
↓
MCP Tool Discovery
↓
Top-k Tool Retrieval
↓
Risk Verification
↓
Risk-Aware Tool Selection
↓
Execute / Final Verify / Human Approval / Reject
↓
Docker Sandbox
↓
Audit LogCurrent Risk Algorithm
For each candidate tool, the prototype calculates:
R = 0.40S + 0.20A + 0.20P + 0.10E + 0.10TWhere:
S= prompt-injection or suspicious-description scoreA= intent-mismatch scoreP= permission-risk scoreE= execution-impact scoreT= MCP server or tool-source trust risk
The security-adjusted selection score is:
Secure Utility = Relevance × (1 - Risk)Critical-risk tools are excluded before final selection.
Risk Thresholds
Risk Score | Level | Action |
| Low | Execute in sandbox |
| Medium | Send to final verifier |
| High | Require human approval |
| Critical | Reject |
These values are preliminary heuristic settings and will later be calibrated using validation data.
Project Structure
securemcp-sandbox/
│
├── .vscode/
│ ├── launch.json
│ └── tasks.json
│
├── data/
│ └── tools.json
│
├── executor/
│ ├── Dockerfile
│ └── executor.py
│
├── logs/
│
├── src/
│ ├── main.py
│ ├── mcp_server.py
│ ├── retriever.py
│ ├── risk_engine.py
│ └── runner.py
│
├── .gitignore
├── requirements.txt
└── README.mdRequirements
Python 3.11 or 3.12
Docker Desktop
Node.js and npm
Visual Studio Code
Git
Setup
1. Clone the repository
git clone https://github.com/Nafeeul/SecureMCP-Agentic.git
cd SecureMCP-Agentic2. Create a virtual environment
py -m venv .venv
.\.venv\Scripts\Activate.ps13. Install dependencies
python -m pip install --upgrade pip
python -m pip install -r requirements.txt4. Build the Docker executor
Make sure Docker Desktop is running.
docker build -t securemcp-executor .\executor5. Run the SecureMCP experiment
python .\src\main.pyExample prompt:
Find a New Year's gift under $80 with at least 4.5 stars.Run the MCP Server
Start the MCP Inspector from the project root:
npx -y @modelcontextprotocol/inspector .venv/Scripts/python.exe src/mcp_server.pyThen open:
Tools → List ToolsThe current MCP server exposes:
product_searchgift_suggestionsimulated_email_senderpriority_product_tool
The malicious tool is simulated only. It does not access real data or make network requests.
Docker Safety Controls
Approved tools run inside a restricted Docker container with:
No network access
Read-only root filesystem
Non-root execution
Dropped Linux capabilities
No privilege escalation
CPU and memory limits
Process-count limits
Execution timeout
Explicit tool allow-list
Do not mount personal folders, credentials, Docker sockets, or production services into the sandbox.
Experiment Logs
Each run is saved to:
logs/experiments.jsonlThe log includes:
User prompt
Retrieved top-k tools
Relevance scores
Individual risk scores
Final risk level
Baseline-selected tool
SecureMCP-selected tool
Decision
Sandbox execution result
Latency
Benchmark Datasets
The planned evaluation will use:
ToolBench
Repository:
https://github.com/OpenBMB/ToolBenchPlanned use:
Large-scale API metadata
Tool descriptions
Retrieval experiments
User instructions
Top-k candidate testing
API-Bank
Repository:
https://github.com/AlibabaResearch/DAMO-ConvAI/tree/main/api-bankPlanned use:
User prompts
Tool-use dialogues
Expected API calls
Expected parameters
The benchmark data will be converted into a unified SecureMCP format before testing. Controlled poisoned variants will be generated from selected benign tool descriptions. Real external APIs will not be executed.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Nafeeul/SecureMCP-Agentic'
If you have feedback or need assistance with the MCP directory API, please join our Discord server