mcp-context-protector is a security wrapper for MCP servers that addresses risks associated with running untrusted MCP servers, including line jumping, unexpected server configuration changes, and other prompt injection attacks. Implementing these security controls through a wrapper (rather than through a scanner that runs before a tool is installed or by adding security features to an MCP host app) streamlines enforcement and ensures universal compatibility with all MCP apps.
- Trust-on-first-use pinning of server configurations
- Automatic blocking of unapproved configuration changes
- Guardrail scanning and quarantining of tool responses
- ANSI control character sanitization
Installation:
# Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh
# Download mcp-context-protector
git clone https://github.com/trailofbits/mcp-context-protector
# Install dependencies
cd mcp-context-protector
uv sync
To make it easier to launch mcp-context-protector, we recommend updating mcp-context-protector.sh to contain the full path to uv. Some MCP clients, including Claude Desktop, replace the PATH environment variable with a minimal set of paths when launching MCP servers, which can make your claude_desktop_config.json file unwieldy and hard to maintain. Including a full path to uv in the launcher helps mitigate this problem.
Now configure your client to run your MCP servers through mcp-context-protector, and tool configuration pinning will automatically be enabled. Here's a sample Claude Desktop config:
{
"mcpServers": {
"wrapped_acme_server": {
"command": "/path/to/mcp-context-protector/mcp-context-protector.sh",
"args": ["--command", "/path/to/node /path/to/acme/server.js"]
}
}
}
| Risk | Relevant control |
|---|---|
| Line jumping | Server configuration blocking, approval and pinning; guardrail evaluation of server instructions and tool descriptions |
| Server configuration changes/rug pulls | Server configuration pinning |
| User deception through ANSI control characters | ANSI control character sanitization |
| Other prompt injection attacks | Tool response guardrails and quarantining |
mcp-context-protector uses a trust-on-first use pinning system for MCP server configurations. Any deviation from the approved/known-good server configuration will block downstream tool calls until the user explicitly approves the changed server configuration. Server approval is handled through mcp-context-protector's command-line interface.
Server configuration comparisons compare server instructions, tool descriptions, and tool input schemas to determine whether a server configuration is equivalent to any approved one. Comparisons are semantic and ignore irrelevant factors like tool order and parameter order.
The database of server configurations is stored in a JSON-encoded file whose default location is ~/.mcp-context-protector/servers.json. If a server configuration is in that file, it's approved and will run without tool blocking and without requiring user approval. The wrapper server checks downstream server configurations as soon as the connection is initiated and again whenever the wrapper receives a notification that the downstream server's tools have changed (notifications/tools/list_changed).
Servers are uniquely identified in this file by their type and an identifier, which is either a URL or the command string that launches the server. mcp-context-protector does not care about changes to a server's name in the host app's configuration (such as the claude_desktop_config.json file). If the command string (or URL) is unchanged, it's treated as the same server, and if the command string has changed, even in inconsequential ways, it's treated as a different server, and the configuration will need to be approved exactly as if mcp-context-protector were seeing the server for the first time.
To approve a server's configuration and allow the host app to connect to it, run the CLI app with the argument --review-server. The wrapper server will connect to the downstream server, retrieve its configuration, and display it in the shell. If you approve the configuration, it will be added to the database, and you can restart your host app to use it normally.
If mcp-context-protector is launched with a guardrail provider, it will use the chosen provider to scan every tool response for prompt injection attacks. If an attack is detected, the response will be saved in a quarantine database at ~/.mcp-context-protector/quarantine.json. The host app will receive a response that includes the guardrail provider's output.
To review the response and release it from the quarantine, run the app with the argument --review-quarantine, optionally with the --quarantine-id <ID> argument to specify which quarantined response you want to review. The app will then display the tool call and response in the shell and let you review it. If you approve the response, the LLM app can then use the quarantine_release tool to retrieve the response and continue as normal.
mcp-context-protector is packaged with uv and can be run with uv run mcp-context-protector. To start a server through the wrapper, run the mcp-context-protector.sh launcher script with the arguments --command <COMMAND> or --url <URL>:
# Start the wrapper with an stdio server
/path/mcp-context-protector.sh --command DOWNSTREAM_SERVER_COMMAND
# Start the wrapper with an HTTP server
/path/mcp-context-protector.sh --url DOWNSTREAM_SERVER_URL
If your downstream server requires the older SSE transport, use --sse-url <URL>.
To include support for tool response scanning, include the --guardrail-provider argument:
mcp-context-protector.sh --command DOWNSTREAM_SERVER_COMMAND --guardrail-provider LlamaFirewall
Review functions:
mcp-context-protector.sh --review-all-servers
mcp-context-protector.sh --review-quarantine --quarantine-id <ID>
usage: mcp-context-protector [-h] [--command COMMAND] [--url URL] [--sse-url SSE_URL] [--list-guardrail-providers] [--review-server] [--review-quarantine]
[--review-all-servers] [--server-config-file SERVER_CONFIG_FILE] [--guardrail-provider GUARDRAIL_PROVIDER] [--visualize-ansi-codes]
[--quarantine-id QUARANTINE_ID] [--quarantine-path QUARANTINE_PATH]
options:
-h, --help show this help message and exit
--server-config-file SERVER_CONFIG_FILE
The path to the server config database file (default: ~/.mcp-context-protector/servers.json)
--guardrail-provider GUARDRAIL_PROVIDER
The guardrail provider to use for checking server configurations
--visualize-ansi-codes
Make ANSI escape codes visible by replacing escape characters with 'ESC'
--quarantine-id QUARANTINE_ID
The ID of a specific quarantined response to review
--quarantine-path QUARANTINE_PATH
The path to the quarantine database file (default: ~/.mcp-context-protector/quarantine.json)
--command COMMAND Start a wrapped server over the stdio transport using the specified command
--url URL Connect to a remote MCP server over streamable HTTP at the specified URL
--sse-url SSE_URL Connect to a remote MCP server over SSE at the specified URL
--list-guardrail-providers
List available guardrail providers and exit
--review-server Review and approve changes to a specific server configuration (must be used with --command, --url or --sse-url)
--review-quarantine Review quarantined tool responses
--review-all-servers Review all unapproved server configurations
Copyright 2025 Trail of Bits
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}