SCP
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@SCPinspect this content for injection threats"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
SCP — Secure Contain Protect
Inspect, sanitize, contain, and quarantine unknown or potentially hazardous content before persisting or feeding to LLM. MCP server for agent-native content safety.
Guard in the Guard–Guide–Build taxonomy. Per OWASP LLM01/LLM06.
Problem → Solution → Impact
Problem: Untrusted tool output and user content can carry prompt injection, credential leaks, and override phrases into LLM context.
Solution: Tiered pipeline (inspect → sanitize → contain → quarantine) exposed as MCP tools; optional promptfoo eval harness (16/16 tier probes).
Impact: OWASP LLM01/LLM06-aligned guardrail for agent stacks; composes with OpenHarness contract v1.
Related MCP server: chuangsiai-mcp
Tech stack
Python 3.10+, MCP, optional Ollama semantic judge (off by default in CI), promptfoo for offline evals.
Architecture
flowchart LR
IN[Untrusted content] --> INSPECT[scp_inspect]
INSPECT -->|injection| Q[scp_quarantine]
INSPECT -->|reversal| SAN[scp_sanitize]
SAN --> CON[scp_contain]
INSPECT -->|clean| OUT[Safe sink]
CON --> OUT
Q --> BLOCK[Block LLM sink]Pipeline
Inspect — Classify content:
injection|reversal|cleanSanitize — Strip hidden Unicode, redact override phrases (when tier is reversal)
Contain — Wrap content so it is treated as data: Markdown uses a fence at least as long as the longest run of backticks in the payload (info string
scp); XML uses a single<data>element with body in CDATA (with]]>safely split). Unknownwrappervalues raiseValueError.Quarantine — Move suspect content to isolated storage (when tier is injection)
Tier-Based Actions
Tier | Action |
injection | Block; do not persist or feed to LLM; optionally quarantine |
reversal | Sanitize, then contain |
clean | Pass through |
MCP Tools
scp_inspect(content, context?)— Classify without changing contentscp_sanitize(content, mode?)— Strip/neutralize known bad patternsscp_contain(content, wrapper?)— Wrap content as datascp_quarantine(content, reason, source)— Isolate suspect contentscp_list_quarantine()— List quarantine entriesscp_purge_quarantine(quarantine_id?, older_than_days?)— Purge quarantinescp_validate_output(content, tool_name?)— Check tool output before usescp_mask_secrets(content)— Redact credentials/PIIscp_run_pipeline(content, sink, options?)— One-shot for high-risk sinks
Install
pip install -e .
# or: pip install mcpRun MCP Server
python -m scp.scp_mcpAdd to mcp.json:
{
"mcpServers": {
"scp": {
"command": "python",
"args": ["-m", "scp.scp_mcp"]
}
}
}Set PYTHONPATH or install the package so scp is importable.
Environment
Variable | Description |
| Quarantine storage path (default: |
| Max UTF-8 bytes per quarantined payload (default |
| Max total on-disk bytes for all quarantine pairs under |
| If set (positive int), delete quarantine entries whose |
| When |
| For semantic judge: origin only (default |
| Optional extra hostnames/IPs (comma-separated, case-insensitive) allowed for |
| Set to |
| For semantic judge (default: |
| Optional bearer token for Ollama (sent as |
| Set to |
| Maximum string length for |
Trust: Point Ollama only at hosts you control. On shared runners or CI, keep the semantic judge off unless required; use firewall rules so the process cannot reach sensitive internal subnets unless intended.
Threat Registry
Patterns in scp_threat_registry.json: power_words, multilingual_override, jailbreak_nicknames, mythic_framing, bitcoin_inscription_override. Version bump on change.
Test harness matrix
Where | Suite | What it validates |
This repo (CI job |
| MCP tool names vs OpenHarness v1 set |
This repo (CI job |
| Vendored |
This repo (CI job |
|
|
portfolio-harness | Workflow |
|
CI and quarantine
GitHub Actions:
contract(Python matrix + pytest) andpromptfoo-eval(Node 22,examples/promptfoo).Quarantine: Default directory
scp_quarantine/(orSCP_QUARANTINE_DIR) must not be committed—listed in.gitignore. Writes enforce per-entry and total byte limits (see environment table); optional age-based purge and oldest-first eviction reduce disk exhaustion from repeated or oversized blocked payloads.
Documentation
docs/OPENHARNESS_CONTRACT.md — Normative MCP contract sync and
CONTRACT_HASHdocs/contracts/scp_mcp_v1.md — Vendored OpenHarness contract (verified by hash test)
docs/REFERENCE.md — Threat model, tier definitions, over-sanitization allowlist
docs/RED_TEAM_PROMPTS.md — Self-test prompts and expected behavior
docs/INTEGRATION.md — SCP as guardrail: verification before persist, high-risk sinks
docs/LEARNINGS_PROMPTFOO.md — promptfoo integration, CI, and inspection results
examples/README.md — Daggr + Gradio integration example; examples/promptfoo — offline promptfoo eval (tier probes)
FAQ: PDFs and binary files
SCP tools take text (content: str). PDFs and other binaries are not scanned directly. For documents:
Extract text (e.g.
pypdf,pdftotext,pymupdf).Run
scp_inspect/scp_run_pipelineon the extracted text before LLM or handoff sinks.Use OS antivirus or equivalent on the original files separately (malware is out of scope for SCP).
See also: local-proto docs HUMAN_WELLBEING_CORPUS.md for a full private-PDF pipeline (provenance, chunks, optional RAG).
Guardrail
SCP has no shutdown, suicide, or self-termination commands. SCP inspects, sanitizes, contains, and quarantines content—it does not self-destruct.
Roadmap
GitHub topics:
mcp,llm-security,prompt-injectionShared threat registry — scp-mycelium-registry @ v0.1.0 (R2 spec)
MCP Registry listing when governance doc is ready
Red-team eval (SCP-R2)
pip install -e .
cd examples/promptfoo && npm ci && cd ../..
npx promptfoo eval -c promptfoo-scp.yamlOr from examples/promptfoo: npx promptfoo eval -c promptfooconfig.yaml
See examples/promptfoo/README.md and docs/LEARNINGS_PROMPTFOO.md.
License
MIT — see LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/ManintheCrowds/SCP'
If you have feedback or need assistance with the MCP directory API, please join our Discord server