Every MCP tool call, inspected in the path.
MCP gave your agent hands. It also gave every server it connects to a channel into your machine. InnerWarden sits between the agent and its MCP servers as a real proxy: it reads every tool call and every response, blocks the dangerous ones, and can kill a session that turns hostile, before anything acts on your infrastructure.
Three ways MCP turns against you.
Tool poisoning
A malicious or compromised MCP server ships tool descriptions with hidden instructions. Your agent reads them as gospel and starts working for someone else.
Injection through tool output
The tool itself is honest, but the data it returns is not: a web page, a ticket, a file with embedded instructions. The response becomes the attack.
Command injection and SSRF via tools
Tools that shell out or fetch URLs can be steered into running attacker commands or reaching internal endpoints the agent was never meant to touch.
Advisory or mandatory. Your call.
Run InnerWarden as an MCP server your agent consults before acting, or put it in the path as a guarding proxy where its verdicts are enforced, not suggested. Both keep the decision trail on your machine.
Works with Claude Code, Cursor, OpenClaw, and any MCP client. Prompt-injection patterns, tool-poisoning signatures, and agent threat rules are checked on every call.
innerwarden agent proxy --mode guard -- <your-mcp-server>innerwarden agent mcp-serveAnd if something slips past anyway?
MCP inspection is one layer. Underneath it, the same install watches the host with an eBPF sensor, and on Linux the kernel Execution Gate can refuse unauthorized binaries outright, so a tool call that somehow becomes a process still hits a wall the attacker cannot negotiate with. How runtime guardrails work.