MCP Protect

Detect & Secure Toolkit

Scan, Execute, Route, Audit, Query & Protect MCP Server/Endpoint    

 

Objective

As companies quickly automate tasks with LLM-based agents, the Model Context Protocol (MCP) has made it possible to integrate third party tools and connectors but it has also created serious security risks. MCP endpoints expose tools—similar to APIs, but with rich, structured metadata—that help AI agents understand what each tool does and how to call it. This enables AI assistants embedded in IDEs, desktops, chatbots, or custom applications to dynamically discover capabilities and orchestrate complex workflows. These agents are vulnerable to new attack vectors including tool poisoning, "rug pull" logic injections, Shadow MCP, and indirect prompt injections because they mostly rely on structured metadata and tool descriptions supplied by MCP endpoints.  By taking advantage of the implicit trust in the MCP server, these exploits trick AI systems into stealing sensitive data or performing actions they are not authorized to do. 

MCP Specific Threats

1. Tool Poisoning Attack (TPA): Attackers manipulate metadata like descriptions/parameters to hidden malicious instructions within the MCP server. The LLM trusts this metadata as context and therefore it prioritizes malicious tools, bypasses security policies, or leaks data.  
• Flow: Attacker Endpoint → Poisoned Metadata → LLM surfaces as Trusted Context → Model performs malicious actions.
2. Rug Pull Attack: Initially, the server acts benignly to gain approval and whitelisting. Once trust has been established the attacker modifies the logic or descriptions of the server or tool to include malicious behavior. This is on systems that do not re-validate continuously.
3. Shadow MCP Servers: Attackers use unapproved or "impersonated" servers to spoof legitimate services. They can steal credentials, send poisoned tool definitions, or quietly steal session data by tricking users into connecting to these shadow instances.
4. Indirect Prompt Injection:  MCP tools can carry instructions from their adversaries because they often get content from outside sources like URLs, APIs, and documents. If this outside data is passed into the model without being checked, it makes the supply chain risky because the model ignores guardrails to follow attacker commands.
5. Exfiltration of Sensitive Data: Malicious tools use their expansive rights to steal secrets, tokens or internal files. A tool might be able to do some permitted actions, e.g., "summarize logs", but it might also be capable of secretly sending or encoding sensitive data back to an endpoint under an attacker’s control.

Introducing MCP Protect

MCP-Protect is a command-line security tool that adds a crucial zero-trust layer to the Model Context Protocol (MCP). It lowers the risk by acting as a validation layer and protects tool-based agents from both known and new exploits by analyzing communications of third-party MCP endpoints. It scans and analyzes tool descriptions and response patterns before a client lets the server into the agent's environment.

Core Functionality

The tool operates with two modes designed to provide comprehensive, active insights:

• The "Scan" Command: This feature performs a scan on tool descriptions and instructions by connecting to the MCP endpoint before each tool is invoked. It cross-references these details with a library of regex files to identify any suspicious or malicious commands/instructions, before they can be used.
• The "Execute" Command: The execute command allows you to safely use a tool with test arguments by invoking special tools. It then inspects the input and response data to detect hidden malicious behaviors or instructions that may only show up during runtime operations.

 

The utility allows testers/users/applications to identify malicious descriptions or tool responses of MCP endpoints before using those third party MCP endpoints in production.  The tool turns untrusted external connections into secure, verified assets by checking the behavior of third-party MCP endpoints.

Custom Configurations

The utility executes the tool driven by a custom JSON file. When running the command, the user must specify arguments and parameters exactly as required by their individual tool configuration.
 

In addition, the utility contains a comprehensive library of pre-defined attack payloads. They are intended to test system resilience by attempting to manipulate/compare instructions or parameters that can change the intended behavior of the tool. 

Requirements:

This tool requires no prerequisites and can be run directly from the terminal using the provided executable (.exe) file.

Scan Mode 

Usage: MCP-Protect scan --endpoint <MCP-endpoint> --regex-file <regex-file>
 

This command scans the MCP endpoint and its tool descriptions for malicious patterns or unwanted content that are added to system instructions. It detects these patters by comparing the tool descriptions with the predefined regex file. The tool effectively flags potential security threats and unwanted content before they can compromise the system by comparing the endpoint's context to these specific regex definitions. In this case, the regex-file “.\malicious-patterns” consists of common attack payloads and parameters used by attackers to compromise MCP endpoints.

The output of this scan identifies the distinction between legitimate user prompts and unauthorized or malicious instructions. A status flag of true indicates that the tool has detected a security risk, rendering it unsafe for deployment. Consequently, any tool returning this flag should be considered non-compliant and must not be used in a production environment.

Execute Mode

Usage:  MCP-Protect execute --endpoint <MCP-Endpoint> --regex-file .\malicious-patterns.txt --tool-name <tool-name> --tool-args-file .\tool-input.json

This is the custom “tool-input” JSON file configured to invoke tools like “add_travel_expenses” and “list_travel_expenses” along with the parameters and their value.

 

The “execute” command calls the “list_travel_expenses” tool on the endpoint using test inputs that are set up in the tool-input JSON file. The output is then checked against predefined regex patterns to find malicious instructions. If any unauthorized content is found, the status flag is set to true. This is an important warning that the tool's response has been compromised and is not safe to use. In this case, the tool returns false, which means it is safe to pass the user input to the agent application.

Operational Features 

 

Proxy Support

Usage: MCP-Protect scan --endpoint <mcp-endpoint> --regex-file <regex-file> --proxy-port <proxy-port> 

Run the above command in the terminal and open Burpsuite on local host to see the captured traffic.

 

The proxy support allows users to define an external/internal proxy host and port to enroute the MCP traffic through an HTTP proxy during scanning. This is often required in enterprise environments during formal security assessments.

Authorization and Extra Headers Support

Usage: MCP-Protect scan --endpoint <mcp-endpoint> --regex-file <regex-file> --extra-headers-file <List-of-extra-headers>

 

The “--extra-headers” parameter uses JSON to check authentication and authorization credentials, like API keys, bearer tokens, or custom headers, whenever an MCP endpoint needs a gateway or special credentials to connect. Because the MCP endpoint being tested here doesn't use custom headers, the output shows the default configuration of the JSON file.

Detailed Logging 

Usage: MCP-Protect scan --endpoint <MCP-Endpoint> --regex-file <regex-file> --logfile <logfile>

The tool also provides a proper logging functionality to capture raw traffic through the MCP server and saves the output to the user-defined logfile (mcp1.log). These logs are valuable for security reviews, incident investigations, and compliance evidence.

Structured Output

Usage:  MCP-Protect execute --endpoint <MCP-Endpoint> --regex-file .\malicious-patterns.txt --tool-name <tool-name> --output-file output.json

The “--output-file” command makes a structured JSON report for both the scan and execute operations. This standard format lets your app or CI/CD pipeline automatically read the results, check the security status flags, and automate important tasks, like failing a build if an MCP endpoint is marked as unsafe.

Where does MCP Protect fit in your production cycle?

• Development: Engineers scan and validate new MCP endpoints before integrating them into agent flows.
• CI/CD Pipelines: Automated validation checks fail deployments if an MCP integration doesn't meet security standards.
• Security Review: Teams pair MCP-Protect with proxying and logging for repeatable auditing of third-party tools.
• Runtime: Periodic re-scanning detects "Rug Pulls" or unexpected changes in tool metadata after deployment.

Conclusion

While MCP brings powerful scalability to LLM-based applications, it also opens a new class of supply chain attacks. This makes it tough for companies to manage and monitor large number of agents all together at once. MCP-Protect provides static and dynamic analysis needed to operationalize safety, ensuring your AI assistants remain both capable and secure.