SecureMCP Agentic
FreeNot checkedProvides a set of tools with a security verification layer that assesses risk and requires human approval for high-risk actions, reducing prompt injection and t
About
Provides a set of tools with a security verification layer that assesses risk and requires human approval for high-risk actions, reducing prompt injection and tool-poisoning attacks.
README
SecureMCP-Agentic is a research prototype for secure tool selection in LLM-based agents. It adds a security-aware verification layer between top-k tool retrieval and tool execution to reduce prompt injection and tool-poisoning attacks in MCP-enabled agent systems.
Current Status
The current implementation is a working heuristic baseline. It includes:
- Local MCP server with benign, high-risk, and simulated malicious tools
- ChromaDB-based top-k tool retrieval
- Prompt-injection phrase detection
- Intent-mismatch approximation
- Permission-risk scoring
- Execution-impact scoring
- MCP server/tool trust scoring
- Threshold-based risk classification
- Human approval for high-risk actions
- Docker-isolated tool execution
- JSONL experiment logging
The planned next stage is a multi-LLM verification framework with specialized security, intent, permission, execution, trust, and judge verifiers.
Proposed Workflow
User Prompt
↓
Intent Context
↓
MCP Tool Discovery
↓
Top-k Tool Retrieval
↓
Risk Verification
↓
Risk-Aware Tool Selection
↓
Execute / Final Verify / Human Approval / Reject
↓
Docker Sandbox
↓
Audit Log
Current Risk Algorithm
For each candidate tool, the prototype calculates:
R = 0.40S + 0.20A + 0.20P + 0.10E + 0.10T
Where:
S= prompt-injection or suspicious-description scoreA= intent-mismatch scoreP= permission-risk scoreE= execution-impact scoreT= MCP server or tool-source trust risk
The security-adjusted selection score is:
Secure Utility = Relevance × (1 - Risk)
Critical-risk tools are excluded before final selection.
Risk Thresholds
| Risk Score | Level | Action |
|---|---|---|
0.00–0.2499 |
Low | Execute in sandbox |
0.25–0.4999 |
Medium | Send to final verifier |
0.50–0.7499 |
High | Require human approval |
0.75–1.00 |
Critical | Reject |
These values are preliminary heuristic settings and will later be calibrated using validation data.
Project Structure
securemcp-sandbox/
│
├── .vscode/
│ ├── launch.json
│ └── tasks.json
│
├── data/
│ └── tools.json
│
├── executor/
│ ├── Dockerfile
│ └── executor.py
│
├── logs/
│
├── src/
│ ├── main.py
│ ├── mcp_server.py
│ ├── retriever.py
│ ├── risk_engine.py
│ └── runner.py
│
├── .gitignore
├── requirements.txt
└── README.md
Requirements
- Python 3.11 or 3.12
- Docker Desktop
- Node.js and npm
- Visual Studio Code
- Git
Setup
1. Clone the repository
git clone https://github.com/Nafeeul/SecureMCP-Agentic.git
cd SecureMCP-Agentic
2. Create a virtual environment
py -m venv .venv
.\.venv\Scripts\Activate.ps1
3. Install dependencies
python -m pip install --upgrade pip
python -m pip install -r requirements.txt
4. Build the Docker executor
Make sure Docker Desktop is running.
docker build -t securemcp-executor .\executor
5. Run the SecureMCP experiment
python .\src\main.py
Example prompt:
Find a New Year's gift under $80 with at least 4.5 stars.
Run the MCP Server
Start the MCP Inspector from the project root:
npx -y @modelcontextprotocol/inspector .venv/Scripts/python.exe src/mcp_server.py
Then open:
Tools → List Tools
The current MCP server exposes:
product_searchgift_suggestionsimulated_email_senderpriority_product_tool
The malicious tool is simulated only. It does not access real data or make network requests.
Docker Safety Controls
Approved tools run inside a restricted Docker container with:
- No network access
- Read-only root filesystem
- Non-root execution
- Dropped Linux capabilities
- No privilege escalation
- CPU and memory limits
- Process-count limits
- Execution timeout
- Explicit tool allow-list
Do not mount personal folders, credentials, Docker sockets, or production services into the sandbox.
Experiment Logs
Each run is saved to:
logs/experiments.jsonl
The log includes:
- User prompt
- Retrieved top-k tools
- Relevance scores
- Individual risk scores
- Final risk level
- Baseline-selected tool
- SecureMCP-selected tool
- Decision
- Sandbox execution result
- Latency
Benchmark Datasets
The planned evaluation will use:
ToolBench
Repository:
https://github.com/OpenBMB/ToolBench
Planned use:
- Large-scale API metadata
- Tool descriptions
- Retrieval experiments
- User instructions
- Top-k candidate testing
API-Bank
Repository:
https://github.com/AlibabaResearch/DAMO-ConvAI/tree/main/api-bank
Planned use:
- User prompts
- Tool-use dialogues
- Expected API calls
- Expected parameters
The benchmark data will be converted into a unified SecureMCP format before testing. Controlled poisoned variants will be generated from selected benign tool descriptions. Real external APIs will not be executed.
Installing SecureMCP Agentic
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/Nafeeul/SecureMCP-AgenticFAQ
Is SecureMCP Agentic MCP free?
Yes, SecureMCP Agentic MCP is free — one-click install via Unyly at no cost.
Does SecureMCP Agentic need an API key?
No, SecureMCP Agentic runs without API keys or environment variables.
Is SecureMCP Agentic hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install SecureMCP Agentic in Claude Desktop, Claude Code or Cursor?
Open SecureMCP Agentic on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare SecureMCP Agentic with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
