Skip to main content
Glama
Nafeeul

SecureMCP-Agentic

by Nafeeul

SecureMCP-Agentic

SecureMCP-Agentic is a research prototype for secure tool selection in LLM-based agents. It adds a security-aware verification layer between top-k tool retrieval and tool execution to reduce prompt injection and tool-poisoning attacks in MCP-enabled agent systems.

Current Status

The current implementation is a working heuristic baseline. It includes:

  • Local MCP server with benign, high-risk, and simulated malicious tools

  • ChromaDB-based top-k tool retrieval

  • Prompt-injection phrase detection

  • Intent-mismatch approximation

  • Permission-risk scoring

  • Execution-impact scoring

  • MCP server/tool trust scoring

  • Threshold-based risk classification

  • Human approval for high-risk actions

  • Docker-isolated tool execution

  • JSONL experiment logging

The planned next stage is a multi-LLM verification framework with specialized security, intent, permission, execution, trust, and judge verifiers.

Related MCP server: Carapace MCP Server

Proposed Workflow

User Prompt
    ↓
Intent Context
    ↓
MCP Tool Discovery
    ↓
Top-k Tool Retrieval
    ↓
Risk Verification
    ↓
Risk-Aware Tool Selection
    ↓
Execute / Final Verify / Human Approval / Reject
    ↓
Docker Sandbox
    ↓
Audit Log

Current Risk Algorithm

For each candidate tool, the prototype calculates:

R = 0.40S + 0.20A + 0.20P + 0.10E + 0.10T

Where:

  • S = prompt-injection or suspicious-description score

  • A = intent-mismatch score

  • P = permission-risk score

  • E = execution-impact score

  • T = MCP server or tool-source trust risk

The security-adjusted selection score is:

Secure Utility = Relevance × (1 - Risk)

Critical-risk tools are excluded before final selection.

Risk Thresholds

Risk Score

Level

Action

0.00–0.2499

Low

Execute in sandbox

0.25–0.4999

Medium

Send to final verifier

0.50–0.7499

High

Require human approval

0.75–1.00

Critical

Reject

These values are preliminary heuristic settings and will later be calibrated using validation data.

Project Structure

securemcp-sandbox/
│
├── .vscode/
│   ├── launch.json
│   └── tasks.json
│
├── data/
│   └── tools.json
│
├── executor/
│   ├── Dockerfile
│   └── executor.py
│
├── logs/
│
├── src/
│   ├── main.py
│   ├── mcp_server.py
│   ├── retriever.py
│   ├── risk_engine.py
│   └── runner.py
│
├── .gitignore
├── requirements.txt
└── README.md

Requirements

  • Python 3.11 or 3.12

  • Docker Desktop

  • Node.js and npm

  • Visual Studio Code

  • Git

Setup

1. Clone the repository

git clone https://github.com/Nafeeul/SecureMCP-Agentic.git
cd SecureMCP-Agentic

2. Create a virtual environment

py -m venv .venv
.\.venv\Scripts\Activate.ps1

3. Install dependencies

python -m pip install --upgrade pip
python -m pip install -r requirements.txt

4. Build the Docker executor

Make sure Docker Desktop is running.

docker build -t securemcp-executor .\executor

5. Run the SecureMCP experiment

python .\src\main.py

Example prompt:

Find a New Year's gift under $80 with at least 4.5 stars.

Run the MCP Server

Start the MCP Inspector from the project root:

npx -y @modelcontextprotocol/inspector .venv/Scripts/python.exe src/mcp_server.py

Then open:

Tools → List Tools

The current MCP server exposes:

  • product_search

  • gift_suggestion

  • simulated_email_sender

  • priority_product_tool

The malicious tool is simulated only. It does not access real data or make network requests.

Docker Safety Controls

Approved tools run inside a restricted Docker container with:

  • No network access

  • Read-only root filesystem

  • Non-root execution

  • Dropped Linux capabilities

  • No privilege escalation

  • CPU and memory limits

  • Process-count limits

  • Execution timeout

  • Explicit tool allow-list

Do not mount personal folders, credentials, Docker sockets, or production services into the sandbox.

Experiment Logs

Each run is saved to:

logs/experiments.jsonl

The log includes:

  • User prompt

  • Retrieved top-k tools

  • Relevance scores

  • Individual risk scores

  • Final risk level

  • Baseline-selected tool

  • SecureMCP-selected tool

  • Decision

  • Sandbox execution result

  • Latency

Benchmark Datasets

The planned evaluation will use:

ToolBench

Repository:

https://github.com/OpenBMB/ToolBench

Planned use:

  • Large-scale API metadata

  • Tool descriptions

  • Retrieval experiments

  • User instructions

  • Top-k candidate testing

API-Bank

Repository:

https://github.com/AlibabaResearch/DAMO-ConvAI/tree/main/api-bank

Planned use:

  • User prompts

  • Tool-use dialogues

  • Expected API calls

  • Expected parameters

The benchmark data will be converted into a unified SecureMCP format before testing. Controlled poisoned variants will be generated from selected benign tool descriptions. Real external APIs will not be executed.

F
license - not found
-
quality - not tested
C
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Nafeeul/SecureMCP-Agentic'

If you have feedback or need assistance with the MCP directory API, please join our Discord server