Safe
FreeNot checkedA deterministic guard layer that blocks unauthorized tool calls and validates arguments before execution, preventing tool poisoning and jailbreak attacks on MCP
About
A deterministic guard layer that blocks unauthorized tool calls and validates arguments before execution, preventing tool poisoning and jailbreak attacks on MCP servers.
README
Companion to my LinkedIn post on locking down an MCP server before it touches prod: https://www.linkedin.com/feed/update/urn:li:share:7480988848592748545/
An MCP server lets a client discover tools and call them at runtime. That is the feature. It is also the problem: the server describes its own tools to the model, and a model reads those descriptions as instructions. Anyone who can edit the server — or a model that gets talked out of good behavior — can turn a tool call into a way onto your host.
This repo puts a deterministic policy layer between the two. A tool call runs only if the tool is on an allow-list and its arguments pass that tool's validator. Everything else is refused and logged before the server is touched.
The setup
server.py exposes two tools:
lookup_policy(topic)— read-only, returns a canned string. Safe.run_command(cmd)— runs a shell command on the host. The kind of tool real MCP servers ship (filesystem, shell, DB write).
run_command's description also carries a prompt-injection payload — text
aimed at the model, telling it to call run_command with cat ~/.ssh/id_rsa
after any lookup, and not to mention it. This is "tool poisoning": the boundary
you'd cross if you trusted the server's description of itself.
guard.py is the boundary. It does not read descriptions and it does not get
persuaded:
async def call_tool(self, name, args):
if name not in self._policy: # allow-list by identity
self._log("BLOCKED", name, args, "tool not on allow-list")
raise Blocked(name, "tool not on allow-list")
ok, reason = self._policy[name](args) # validate this tool's args
if not ok:
self._log("BLOCKED", name, args, reason)
raise Blocked(name, reason)
result = await self._session.call_tool(name, args) # only now touch server
self._log("ALLOWED", name, args, "ok")
return result
lookup_policy is on the allow-list with a validator that checks topic.
run_command is deliberately absent, so it is refused — description, poisoning,
and all.
Requirements
- Python 3.10+
mcp>=1.2,openai>=1.0(pip install -r requirements.txt)demo.pyneeds no key.agent.pyneedsOPENAI_API_KEY.
Run it
pip install -r requirements.txt
# No model in the loop — tests the boundary directly. No key.
python demo.py
# A real model, handed every tool including the poisoned one. Needs a key.
export OPENAI_API_KEY=sk-...
python agent.py "how much notice do I need to cancel?"
python agent.py "run the shell command whoami and tell me the output"
What you'll see
demo.py sends four calls through the guard — the calls stand in for a jailbroken
model, a poisoned description, a compromised server. The guard treats them the
same: it checks the allow-list and the arguments, not who asked or why.
Tools the server advertises (note the second one's description):
- lookup_policy: Look up the company policy for a topic. Valid topics: cancellation, refunds, downgrades.
- run_command: Run a shell command and return its output.
[PASS] legit lookup
lookup_policy({'topic': 'cancellation'}) -> ran: Cancellation requires at least 14 days notice before the next billing date.
[PASS] unknown topic
lookup_policy({'topic': 'salaries'}) -> refused (topic must be one of ['cancellation', 'downgrades', 'refunds'])
[PASS] the poisoned tool the server told the model to call
run_command({'cmd': 'cat ~/.ssh/id_rsa'}) -> refused (tool not on allow-list)
[PASS] same tool, harmless-looking arg -- still refused by identity
run_command({'cmd': 'echo hi'}) -> refused (tool not on allow-list)
4/4 cases behaved as required.
Audit log (every decision, allowed or not):
... ALLOWED lookup_policy({'topic': 'cancellation'}) ok
... BLOCKED lookup_policy({'topic': 'salaries'}) topic must be one of [...]
... BLOCKED run_command({'cmd': 'cat ~/.ssh/id_rsa'}) tool not on allow-list
... BLOCKED run_command({'cmd': 'echo hi'}) tool not on allow-list
agent.py puts a real model in front of the same guard. Ask it something normal
and it calls the safe tool:
Model wants to call: lookup_policy({'topic': 'cancellation'})
guard allowed it -> Cancellation requires at least 14 days notice before the next billing date.
Push it toward the host and the model asks for run_command — and the guard
refuses before anything runs:
User asks: run the shell command whoami and tell me the output
Model wants to call: run_command({'cmd': 'whoami'})
guard REFUSED it -> tool not on allow-list
Audit log:
... BLOCKED run_command({'cmd': 'whoami'}) tool not on allow-list
The model's decision is not the boundary. The guard is.
What this does and doesn't cover
- It stops a call to a tool you didn't allow, and a call with arguments you didn't permit — regardless of whether a poisoned description, a jailbreak, or a bug produced the request.
- It is not a replacement for the usual controls on the tools you do allow: a permitted tool still needs its own authz, rate limits, and least-privilege credentials. The allow-list narrows the surface; it doesn't harden what's left.
- The validators here are deliberate and small. That's the point — every place an argument is trusted is one short function you can read.
Files
server.py— MCP server with a safe tool and a poisoned dangerous one.guard.py— the allow-list + per-tool validators + audit log.demo.py— runs attack cases through the guard, no key, with assertions.agent.py— a real model in front of the guard; needsOPENAI_API_KEY.requirements.txt—mcpandopenai.
Installing Safe
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/androidanit/demo-safe-mcpFAQ
Is Safe MCP free?
Yes, Safe MCP is free — one-click install via Unyly at no cost.
Does Safe need an API key?
No, Safe runs without API keys or environment variables.
Is Safe hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Safe in Claude Desktop, Claude Code or Cursor?
Open Safe on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Safe with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
