Skip to content
MCP security

Every MCP tool call, inspected in the path.

MCP gave your agent hands. It also gave every server it connects to a channel into your machine. InnerWarden sits between the agent and its MCP servers as a real proxy: it reads every tool call and every response, blocks the dangerous ones, and can kill a session that turns hostile, before anything acts on your infrastructure.

The attack surface

Three ways MCP turns against you.

Tool poisoning

A malicious or compromised MCP server ships tool descriptions with hidden instructions. Your agent reads them as gospel and starts working for someone else.

Injection through tool output

The tool itself is honest, but the data it returns is not: a web page, a ticket, a file with embedded instructions. The response becomes the attack.

Command injection and SSRF via tools

Tools that shell out or fetch URLs can be steered into running attacker commands or reaching internal endpoints the agent was never meant to touch.

Two ways in

Advisory or mandatory. Your call.

Run InnerWarden as an MCP server your agent consults before acting, or put it in the path as a guarding proxy where its verdicts are enforced, not suggested. Both keep the decision trail on your machine.

Works with Claude Code, Cursor, OpenClaw, and any MCP client. Prompt-injection patterns, tool-poisoning signatures, and agent threat rules are checked on every call.

Enforced: guard proxy in the path
innerwarden agent proxy --mode guard -- <your-mcp-server>
Advisory: your agent asks first
innerwarden agent mcp-serve
Below the proxy

And if something slips past anyway?

MCP inspection is one layer. Underneath it, the same install watches the host with an eBPF sensor, and on Linux the kernel Execution Gate can refuse unauthorized binaries outright, so a tool call that somehow becomes a process still hits a wall the attacker cannot negotiate with. How runtime guardrails work.