mcp_Shield
mcp-shield ๐ก๏ธ
The security runtime for MCP servers. Every tool call inspected. Every attack blocked. Every decision logged.
What is MCP?
Model Context Protocol (MCP) is an open standard that lets AI assistants (Claude, Cursor, Copilot) connect to external tools and services โ file systems, APIs, databases, browsers โ through MCP servers.
Think of MCP servers as plugins that give AI agents real-world capabilities.
The Problem
MCP servers run as trusted processes on your machine with broad access:
Access | Risk |
๐๏ธ Filesystem | Read |
๐ Network | SSRF to |
๐ Environment variables | Steal API keys, tokens, secrets |
โ๏ธ Shell | Execute arbitrary commands |
A malicious or compromised MCP server can silently exfiltrate your secrets, pivot to internal infrastructure, or execute code โ and you'd never know.
This is not theoretical. A real SSRF vulnerability was found in an MCP OAuth HTTP transport implementation that allowed exactly this class of attack.
How mcp-shield Fixes This
mcp-shield sits between your AI agent and the MCP server as a policy enforcement layer. Before any tool executes, mcp-shield evaluates it. If it's not explicitly allowed โ it's blocked.
AI Agent
โ
โผ
mcp-shield /inspect
โ
โโโ Tool allowlist check โ "read_secrets" not in allowlist โ ๐ซ BLOCK
โโโ Blocked pattern check โ "ssrf_fetch" is dangerous โ ๐ซ BLOCK
โโโ Argument scanning โ "169.254.169.254" in args โ ๐ซ BLOCK
โ (recursive, nested dicts)
โโโ Passed all checks โ โ
ALLOW โ MCP Server executes
โ
โผ
Audit Log (SQLite)
timestamp | server | tool | decision | reasonInstall
pip install mcpshield-runtimeOr clone and run locally:
git clone https://github.com/srisowmya2000/mcp-shield
cd mcp-shield
python3 -m venv .venv && source .venv/bin/activate
pip install fastapi uvicorn pydantic pydantic-settings mcp httpx pyyaml rich
uvicorn runtime.api.main:app --reloadOpen:
API docs โ http://localhost:8000/docs
Live dashboard โ http://localhost:8000/dashboard
Live Demo
# Start mcp-shield
uvicorn runtime.api.main:app --reload
# ๐ซ Attempt secret theft โ BLOCKED
curl -X POST http://localhost:8000/inspect \
-H "Content-Type: application/json" \
-d '{"server_name":"evil","policy":"default","tool_call":{"tool_name":"read_secrets","arguments":{}}}'
# โ {"decision":"BLOCK","reason":"Tool 'read_secrets' is not in the allowed_tools list","blocked":true}
# ๐ซ Attempt SSRF to AWS metadata endpoint โ BLOCKED
curl -X POST http://localhost:8000/inspect \
-H "Content-Type: application/json" \
-d '{"server_name":"evil","policy":"default","tool_call":{"tool_name":"ssrf_fetch","arguments":{"url":"http://169.254.169.254/latest/meta-data/"}}}'
# โ {"decision":"BLOCK","reason":"Argument contains blocked pattern: '169.254.169.254'","blocked":true}
# โ
Safe tool โ ALLOWED
curl -X POST http://localhost:8000/inspect \
-H "Content-Type: application/json" \
-d '{"server_name":"safe","policy":"default","tool_call":{"tool_name":"safe_tool","arguments":{"name":"Sri"}}}'
# โ {"decision":"ALLOW","reason":"Passed all policy checks","blocked":false}CLI
# Inspect a tool call
python3 -m runtime.cli inspect read_secrets
# โ ๐ซ BLOCKED โ Tool 'read_secrets' is not in the allowed_tools list
python3 -m runtime.cli inspect safe_tool
# โ โ
ALLOWED โ Passed all policy checks
# Score a server's risk level
python3 -m runtime.cli risk "read_secrets,ssrf_fetch,safe_tool"
# โ ๐ด HIGH RISK (score: 80)
# โ High-risk tools: ['read_secrets', 'ssrf_fetch']
# โ Do not run without strict policy. Use isolated network.
# View live audit log
python3 -m runtime.cli audit
# View stats
python3 -m runtime.cli stats
# โ Total: 6 | โ
Allowed: 2 | ๐ซ Blocked: 4 (67% block rate)Policies
Drop a YAML file in policies/ and reference it by name in any /inspect call.
# policies/default.yaml
allowed_tools:
- safe_tool
- list_files
- get_time
block_network: true
block_env_access: true
blocked_arg_patterns:
- "169.254.169.254" # AWS metadata SSRF
- "169.254.170.2" # ECS metadata SSRF
- "localhost"
- "127.0.0.1"
- "/etc/passwd"
- "/etc/shadow"
- "file://"
- "gopher://"
max_memory_mb: 256
execution_timeout_seconds: 30Switch policy per server:
POST /inspect โ { "policy": "strict", ... }Two policies included: default and strict (zero-trust).
Features
Feature | Description |
๐ Policy Engine | YAML allowlists + blocked patterns, per-server policies |
๐ Argument Scanning | Recursively scans nested args for SSRF, path traversal, dangerous patterns |
๐ Audit Logger | Every decision logged to SQLite โ timestamp, server, tool, reason |
๐ณ Docker Sandbox | Hardened containers: |
๐ฅ Firecracker Backend | microVM isolation โ each server gets its own Linux kernel (Linux/KVM only) |
๐ Risk Scorer | Scores MCP servers LOW / MEDIUM / HIGH based on tool capabilities |
๐ฅ๏ธ Live Dashboard | Real-time web UI at |
โก CLI |
|
API Reference
Endpoint | Method | Description |
| GET | Service health check |
| POST | Evaluate tool call โ ALLOW / BLOCK |
| GET | Recent audit log entries |
| GET | Total / allowed / blocked counts |
| POST | Score server risk by tool list |
| POST | Launch MCP server in hardened Docker container |
| POST | Stop a running sandbox |
| GET | List running sandboxes |
| GET | Live real-time decision dashboard |
| GET | Interactive Swagger API docs |
Docker Sandbox
Every MCP server launched via mcp-shield runs with:
--cap-drop=ALL no Linux capabilities
--no-new-privileges no privilege escalation
--read-only immutable filesystem
--network=none no network access
--memory=256m memory limit
--cpus=0.5 CPU limit
--pids-limit=64 process limit
--tmpfs=/tmp ephemeral tmp onlyFirecracker microVM Backend
For stronger isolation, mcp-shield supports Firecracker microVMs โ each MCP server gets its own Linux kernel. A kernel exploit inside the VM cannot reach the host.
Docker: shared kernel โ kernel exploit = host at risk
Firecracker: own kernel โ kernel exploit = contained in VMRequires Linux with KVM. See docs/firecracker-setup.md.
Architecture
mcp-shield/
โโโ runtime/
โ โโโ api/
โ โ โโโ main.py # FastAPI โ all endpoints
โ โโโ policy_engine.py # YAML policy loader + evaluator
โ โโโ audit_logger.py # SQLite decision log
โ โโโ risk_scorer.py # LOW/MEDIUM/HIGH risk scoring
โ โโโ cli.py # Typer CLI
โ โโโ models.py # Pydantic schemas
โ โโโ sandbox/
โ โโโ base.py # Abstract backend interface
โ โโโ docker_backend.py # Hardened Docker sandbox
โ โโโ firecracker_backend.py # microVM backend (Linux/KVM)
โโโ policies/
โ โโโ default.yaml
โ โโโ strict.yaml
โโโ examples/
โ โโโ malicious_mcp_server/ # Demo attacker (SSRF + secret theft + exec)
โ โโโ safe_mcp_server/ # Demo benign server
โโโ docs/
โ โโโ threat-model.md # Attack scenarios + limitations
โ โโโ firecracker-setup.md # Firecracker setup guide
โโโ tests/ # 12 tests โ all passingTests
pip install pytest
pytest tests/ -v
# 12 passed in 0.11sCovers: tool allowlist blocking, SSRF argument detection, nested arg scanning, strict policy enforcement, edge cases, unknown policy handling.
Threat Model
See docs/threat-model.md for:
Attack scenarios (SSRF, secret theft, command execution, path traversal)
What mcp-shield blocks vs what it doesn't
Defense in depth recommendations
Roadmap
Policy engine (allowlist + pattern scanning)
Audit logger (SQLite)
FastAPI REST surface
Docker sandbox backend (hardened)
Demo malicious MCP server
Risk scorer (LOW / MEDIUM / HIGH)
CLI (
mcpshield inspect,audit,stats,risk)Real-time dashboard
Firecracker microVM backend
PyPI package (
pip install mcpshield-runtime)Threat model documentation
Prompt injection detection
Per-tool argument schema validation
Webhook alerts on BLOCK events
License
MIT โ see LICENSE
Author
Sri Sowmya Nemani โ Security researcher & engineer. Bug bounty | MCP security | AI agent security
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/srisowmya2000/mcp-shield'
If you have feedback or need assistance with the MCP directory API, please join our Discord server