Command Palette

Search for a command to run...

UnylyUnyly
Browse all

SecureMCP Agentic

FreeNot checked

Provides a set of tools with a security verification layer that assesses risk and requires human approval for high-risk actions, reducing prompt injection and t

GitHubEmbed

About

Provides a set of tools with a security verification layer that assesses risk and requires human approval for high-risk actions, reducing prompt injection and tool-poisoning attacks.

README

SecureMCP-Agentic is a research prototype for secure tool selection in LLM-based agents. It adds a security-aware verification layer between top-k tool retrieval and tool execution to reduce prompt injection and tool-poisoning attacks in MCP-enabled agent systems.

Current Status

The current implementation is a working heuristic baseline. It includes:

  • Local MCP server with benign, high-risk, and simulated malicious tools
  • ChromaDB-based top-k tool retrieval
  • Prompt-injection phrase detection
  • Intent-mismatch approximation
  • Permission-risk scoring
  • Execution-impact scoring
  • MCP server/tool trust scoring
  • Threshold-based risk classification
  • Human approval for high-risk actions
  • Docker-isolated tool execution
  • JSONL experiment logging

The planned next stage is a multi-LLM verification framework with specialized security, intent, permission, execution, trust, and judge verifiers.

Proposed Workflow

User Prompt
    ↓
Intent Context
    ↓
MCP Tool Discovery
    ↓
Top-k Tool Retrieval
    ↓
Risk Verification
    ↓
Risk-Aware Tool Selection
    ↓
Execute / Final Verify / Human Approval / Reject
    ↓
Docker Sandbox
    ↓
Audit Log

Current Risk Algorithm

For each candidate tool, the prototype calculates:

R = 0.40S + 0.20A + 0.20P + 0.10E + 0.10T

Where:

  • S = prompt-injection or suspicious-description score
  • A = intent-mismatch score
  • P = permission-risk score
  • E = execution-impact score
  • T = MCP server or tool-source trust risk

The security-adjusted selection score is:

Secure Utility = Relevance × (1 - Risk)

Critical-risk tools are excluded before final selection.

Risk Thresholds

Risk Score Level Action
0.00–0.2499 Low Execute in sandbox
0.25–0.4999 Medium Send to final verifier
0.50–0.7499 High Require human approval
0.75–1.00 Critical Reject

These values are preliminary heuristic settings and will later be calibrated using validation data.

Project Structure

securemcp-sandbox/
│
├── .vscode/
│   ├── launch.json
│   └── tasks.json
│
├── data/
│   └── tools.json
│
├── executor/
│   ├── Dockerfile
│   └── executor.py
│
├── logs/
│
├── src/
│   ├── main.py
│   ├── mcp_server.py
│   ├── retriever.py
│   ├── risk_engine.py
│   └── runner.py
│
├── .gitignore
├── requirements.txt
└── README.md

Requirements

  • Python 3.11 or 3.12
  • Docker Desktop
  • Node.js and npm
  • Visual Studio Code
  • Git

Setup

1. Clone the repository

git clone https://github.com/Nafeeul/SecureMCP-Agentic.git
cd SecureMCP-Agentic

2. Create a virtual environment

py -m venv .venv
.\.venv\Scripts\Activate.ps1

3. Install dependencies

python -m pip install --upgrade pip
python -m pip install -r requirements.txt

4. Build the Docker executor

Make sure Docker Desktop is running.

docker build -t securemcp-executor .\executor

5. Run the SecureMCP experiment

python .\src\main.py

Example prompt:

Find a New Year's gift under $80 with at least 4.5 stars.

Run the MCP Server

Start the MCP Inspector from the project root:

npx -y @modelcontextprotocol/inspector .venv/Scripts/python.exe src/mcp_server.py

Then open:

Tools → List Tools

The current MCP server exposes:

  • product_search
  • gift_suggestion
  • simulated_email_sender
  • priority_product_tool

The malicious tool is simulated only. It does not access real data or make network requests.

Docker Safety Controls

Approved tools run inside a restricted Docker container with:

  • No network access
  • Read-only root filesystem
  • Non-root execution
  • Dropped Linux capabilities
  • No privilege escalation
  • CPU and memory limits
  • Process-count limits
  • Execution timeout
  • Explicit tool allow-list

Do not mount personal folders, credentials, Docker sockets, or production services into the sandbox.

Experiment Logs

Each run is saved to:

logs/experiments.jsonl

The log includes:

  • User prompt
  • Retrieved top-k tools
  • Relevance scores
  • Individual risk scores
  • Final risk level
  • Baseline-selected tool
  • SecureMCP-selected tool
  • Decision
  • Sandbox execution result
  • Latency

Benchmark Datasets

The planned evaluation will use:

ToolBench

Repository:

https://github.com/OpenBMB/ToolBench

Planned use:

  • Large-scale API metadata
  • Tool descriptions
  • Retrieval experiments
  • User instructions
  • Top-k candidate testing

API-Bank

Repository:

https://github.com/AlibabaResearch/DAMO-ConvAI/tree/main/api-bank

Planned use:

  • User prompts
  • Tool-use dialogues
  • Expected API calls
  • Expected parameters

The benchmark data will be converted into a unified SecureMCP format before testing. Controlled poisoned variants will be generated from selected benign tool descriptions. Real external APIs will not be executed.

from github.com/Nafeeul/SecureMCP-Agentic

Installing SecureMCP Agentic

This server has no published package — it is built from source. Open the repository and follow its README.

▸ github.com/Nafeeul/SecureMCP-Agentic

FAQ

Is SecureMCP Agentic MCP free?

Yes, SecureMCP Agentic MCP is free — one-click install via Unyly at no cost.

Does SecureMCP Agentic need an API key?

No, SecureMCP Agentic runs without API keys or environment variables.

Is SecureMCP Agentic hosted or self-hosted?

Self-hosted: the server runs locally on your machine via the install command above.

How do I install SecureMCP Agentic in Claude Desktop, Claude Code or Cursor?

Open SecureMCP Agentic on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare SecureMCP Agentic with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All development MCPs