SecureMCP Agentic
БесплатноНе проверенProvides a set of tools with a security verification layer that assesses risk and requires human approval for high-risk actions, reducing prompt injection and t
Описание
Provides a set of tools with a security verification layer that assesses risk and requires human approval for high-risk actions, reducing prompt injection and tool-poisoning attacks.
README
SecureMCP-Agentic is a research prototype for secure tool selection in LLM-based agents. It adds a security-aware verification layer between top-k tool retrieval and tool execution to reduce prompt injection and tool-poisoning attacks in MCP-enabled agent systems.
Current Status
The current implementation is a working heuristic baseline. It includes:
- Local MCP server with benign, high-risk, and simulated malicious tools
- ChromaDB-based top-k tool retrieval
- Prompt-injection phrase detection
- Intent-mismatch approximation
- Permission-risk scoring
- Execution-impact scoring
- MCP server/tool trust scoring
- Threshold-based risk classification
- Human approval for high-risk actions
- Docker-isolated tool execution
- JSONL experiment logging
The planned next stage is a multi-LLM verification framework with specialized security, intent, permission, execution, trust, and judge verifiers.
Proposed Workflow
User Prompt
↓
Intent Context
↓
MCP Tool Discovery
↓
Top-k Tool Retrieval
↓
Risk Verification
↓
Risk-Aware Tool Selection
↓
Execute / Final Verify / Human Approval / Reject
↓
Docker Sandbox
↓
Audit Log
Current Risk Algorithm
For each candidate tool, the prototype calculates:
R = 0.40S + 0.20A + 0.20P + 0.10E + 0.10T
Where:
S= prompt-injection or suspicious-description scoreA= intent-mismatch scoreP= permission-risk scoreE= execution-impact scoreT= MCP server or tool-source trust risk
The security-adjusted selection score is:
Secure Utility = Relevance × (1 - Risk)
Critical-risk tools are excluded before final selection.
Risk Thresholds
| Risk Score | Level | Action |
|---|---|---|
0.00–0.2499 |
Low | Execute in sandbox |
0.25–0.4999 |
Medium | Send to final verifier |
0.50–0.7499 |
High | Require human approval |
0.75–1.00 |
Critical | Reject |
These values are preliminary heuristic settings and will later be calibrated using validation data.
Project Structure
securemcp-sandbox/
│
├── .vscode/
│ ├── launch.json
│ └── tasks.json
│
├── data/
│ └── tools.json
│
├── executor/
│ ├── Dockerfile
│ └── executor.py
│
├── logs/
│
├── src/
│ ├── main.py
│ ├── mcp_server.py
│ ├── retriever.py
│ ├── risk_engine.py
│ └── runner.py
│
├── .gitignore
├── requirements.txt
└── README.md
Requirements
- Python 3.11 or 3.12
- Docker Desktop
- Node.js and npm
- Visual Studio Code
- Git
Setup
1. Clone the repository
git clone https://github.com/Nafeeul/SecureMCP-Agentic.git
cd SecureMCP-Agentic
2. Create a virtual environment
py -m venv .venv
.\.venv\Scripts\Activate.ps1
3. Install dependencies
python -m pip install --upgrade pip
python -m pip install -r requirements.txt
4. Build the Docker executor
Make sure Docker Desktop is running.
docker build -t securemcp-executor .\executor
5. Run the SecureMCP experiment
python .\src\main.py
Example prompt:
Find a New Year's gift under $80 with at least 4.5 stars.
Run the MCP Server
Start the MCP Inspector from the project root:
npx -y @modelcontextprotocol/inspector .venv/Scripts/python.exe src/mcp_server.py
Then open:
Tools → List Tools
The current MCP server exposes:
product_searchgift_suggestionsimulated_email_senderpriority_product_tool
The malicious tool is simulated only. It does not access real data or make network requests.
Docker Safety Controls
Approved tools run inside a restricted Docker container with:
- No network access
- Read-only root filesystem
- Non-root execution
- Dropped Linux capabilities
- No privilege escalation
- CPU and memory limits
- Process-count limits
- Execution timeout
- Explicit tool allow-list
Do not mount personal folders, credentials, Docker sockets, or production services into the sandbox.
Experiment Logs
Each run is saved to:
logs/experiments.jsonl
The log includes:
- User prompt
- Retrieved top-k tools
- Relevance scores
- Individual risk scores
- Final risk level
- Baseline-selected tool
- SecureMCP-selected tool
- Decision
- Sandbox execution result
- Latency
Benchmark Datasets
The planned evaluation will use:
ToolBench
Repository:
https://github.com/OpenBMB/ToolBench
Planned use:
- Large-scale API metadata
- Tool descriptions
- Retrieval experiments
- User instructions
- Top-k candidate testing
API-Bank
Repository:
https://github.com/AlibabaResearch/DAMO-ConvAI/tree/main/api-bank
Planned use:
- User prompts
- Tool-use dialogues
- Expected API calls
- Expected parameters
The benchmark data will be converted into a unified SecureMCP format before testing. Controlled poisoned variants will be generated from selected benign tool descriptions. Real external APIs will not be executed.
Установка SecureMCP Agentic
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/Nafeeul/SecureMCP-AgenticFAQ
SecureMCP Agentic MCP бесплатный?
Да, SecureMCP Agentic MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для SecureMCP Agentic?
Нет, SecureMCP Agentic работает без API-ключей и переменных окружения.
SecureMCP Agentic — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить SecureMCP Agentic в Claude Desktop, Claude Code или Cursor?
Открой SecureMCP Agentic на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare SecureMCP Agentic with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
