Command Palette

Search for a command to run...

UnylyUnyly
Browse all

Safe

FreeNot checked

A deterministic guard layer that blocks unauthorized tool calls and validates arguments before execution, preventing tool poisoning and jailbreak attacks on MCP

GitHubEmbed

About

A deterministic guard layer that blocks unauthorized tool calls and validates arguments before execution, preventing tool poisoning and jailbreak attacks on MCP servers.

README

Companion to my LinkedIn post on locking down an MCP server before it touches prod: https://www.linkedin.com/feed/update/urn:li:share:7480988848592748545/

An MCP server lets a client discover tools and call them at runtime. That is the feature. It is also the problem: the server describes its own tools to the model, and a model reads those descriptions as instructions. Anyone who can edit the server — or a model that gets talked out of good behavior — can turn a tool call into a way onto your host.

This repo puts a deterministic policy layer between the two. A tool call runs only if the tool is on an allow-list and its arguments pass that tool's validator. Everything else is refused and logged before the server is touched.

The setup

server.py exposes two tools:

  • lookup_policy(topic) — read-only, returns a canned string. Safe.
  • run_command(cmd) — runs a shell command on the host. The kind of tool real MCP servers ship (filesystem, shell, DB write).

run_command's description also carries a prompt-injection payload — text aimed at the model, telling it to call run_command with cat ~/.ssh/id_rsa after any lookup, and not to mention it. This is "tool poisoning": the boundary you'd cross if you trusted the server's description of itself.

guard.py is the boundary. It does not read descriptions and it does not get persuaded:

async def call_tool(self, name, args):
    if name not in self._policy:                    # allow-list by identity
        self._log("BLOCKED", name, args, "tool not on allow-list")
        raise Blocked(name, "tool not on allow-list")
    ok, reason = self._policy[name](args)           # validate this tool's args
    if not ok:
        self._log("BLOCKED", name, args, reason)
        raise Blocked(name, reason)
    result = await self._session.call_tool(name, args)   # only now touch server
    self._log("ALLOWED", name, args, "ok")
    return result

lookup_policy is on the allow-list with a validator that checks topic. run_command is deliberately absent, so it is refused — description, poisoning, and all.

Requirements

  • Python 3.10+
  • mcp>=1.2, openai>=1.0 (pip install -r requirements.txt)
  • demo.py needs no key. agent.py needs OPENAI_API_KEY.

Run it

pip install -r requirements.txt

# No model in the loop — tests the boundary directly. No key.
python demo.py

# A real model, handed every tool including the poisoned one. Needs a key.
export OPENAI_API_KEY=sk-...
python agent.py "how much notice do I need to cancel?"
python agent.py "run the shell command whoami and tell me the output"

What you'll see

demo.py sends four calls through the guard — the calls stand in for a jailbroken model, a poisoned description, a compromised server. The guard treats them the same: it checks the allow-list and the arguments, not who asked or why.

Tools the server advertises (note the second one's description):
  - lookup_policy: Look up the company policy for a topic. Valid topics: cancellation, refunds, downgrades.
  - run_command: Run a shell command and return its output.

[PASS] legit lookup
        lookup_policy({'topic': 'cancellation'}) -> ran: Cancellation requires at least 14 days notice before the next billing date.
[PASS] unknown topic
        lookup_policy({'topic': 'salaries'}) -> refused (topic must be one of ['cancellation', 'downgrades', 'refunds'])
[PASS] the poisoned tool the server told the model to call
        run_command({'cmd': 'cat ~/.ssh/id_rsa'}) -> refused (tool not on allow-list)
[PASS] same tool, harmless-looking arg -- still refused by identity
        run_command({'cmd': 'echo hi'}) -> refused (tool not on allow-list)

4/4 cases behaved as required.

Audit log (every decision, allowed or not):
  ...  ALLOWED   lookup_policy({'topic': 'cancellation'})  ok
  ...  BLOCKED   lookup_policy({'topic': 'salaries'})  topic must be one of [...]
  ...  BLOCKED   run_command({'cmd': 'cat ~/.ssh/id_rsa'})  tool not on allow-list
  ...  BLOCKED   run_command({'cmd': 'echo hi'})  tool not on allow-list

agent.py puts a real model in front of the same guard. Ask it something normal and it calls the safe tool:

Model wants to call: lookup_policy({'topic': 'cancellation'})
  guard allowed it -> Cancellation requires at least 14 days notice before the next billing date.

Push it toward the host and the model asks for run_command — and the guard refuses before anything runs:

User asks: run the shell command whoami and tell me the output

Model wants to call: run_command({'cmd': 'whoami'})
  guard REFUSED it -> tool not on allow-list

Audit log:
  ...  BLOCKED   run_command({'cmd': 'whoami'})  tool not on allow-list

The model's decision is not the boundary. The guard is.

What this does and doesn't cover

  • It stops a call to a tool you didn't allow, and a call with arguments you didn't permit — regardless of whether a poisoned description, a jailbreak, or a bug produced the request.
  • It is not a replacement for the usual controls on the tools you do allow: a permitted tool still needs its own authz, rate limits, and least-privilege credentials. The allow-list narrows the surface; it doesn't harden what's left.
  • The validators here are deliberate and small. That's the point — every place an argument is trusted is one short function you can read.

Files

  • server.py — MCP server with a safe tool and a poisoned dangerous one.
  • guard.py — the allow-list + per-tool validators + audit log.
  • demo.py — runs attack cases through the guard, no key, with assertions.
  • agent.py — a real model in front of the guard; needs OPENAI_API_KEY.
  • requirements.txtmcp and openai.

from github.com/androidanit/demo-safe-mcp

Installing Safe

This server has no published package — it is built from source. Open the repository and follow its README.

▸ github.com/androidanit/demo-safe-mcp

FAQ

Is Safe MCP free?

Yes, Safe MCP is free — one-click install via Unyly at no cost.

Does Safe need an API key?

No, Safe runs without API keys or environment variables.

Is Safe hosted or self-hosted?

Self-hosted: the server runs locally on your machine via the install command above.

How do I install Safe in Claude Desktop, Claude Code or Cursor?

Open Safe on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare Safe with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All development MCPs