Skip to main content
MCP (Model Context Protocol) security validates tool calls before execution in agent workflows, preventing unauthorized tool use, argument injection, and resource access violations.

Overview

As AI agents gain the ability to call external tools via the Model Context Protocol, new attack surfaces emerge. PromptGuard’s MCP security layer validates every tool call against configurable policies before execution. There are two ways to apply it:
  1. Inline on gateway traffic — when your requests flow through the PromptGuard gateway (/api/v1/chat/completions or /api/v1/messages), tool calls in the message stream are checked against your project’s MCP security configuration automatically.
  2. Explicitly via the API — call POST /api/v1/agent/validate-tool before executing any tool, regardless of how your agent talks to its LLM.

Capabilities

Server Allow/Block-listing

Restrict which MCP servers your agents can call tools from. When MCP security is enabled for a project, each tool call’s server (derived from the namespaced tool name, e.g. filesystem__read_file) is checked against the project’s server allowlist and blocklist — calls to servers not on the allowlist, or on the blocklist, are blocked before execution. Argument payloads are also capped in size to prevent oversized-argument abuse. This is configured per project as part of your guardrails setup — contact support to enable and tune MCP server allow/block-listing for your project.

Argument Schema Validation

Validate tool call arguments against expected schemas to prevent injection:
{
  "tool": "database_query",
  "expected_schema": {
    "type": "object",
    "required": ["table", "query_type"],
    "properties": {
      "table": { "type": "string", "enum": ["users", "orders"] },
      "query_type": { "type": "string", "enum": ["select", "count"] }
    }
  }
}
Arguments that don’t match the schema are rejected before reaching the tool.

Resource Access Policies

Define which resources tools can read or modify:
  • File system paths (allow-list / deny-list)
  • Database tables and operations
  • Network endpoints and protocols
  • Environment variables and secrets

Tool Injection Detection

Identifies attempts to inject unauthorized MCP tool calls through:
  • Prompt-based tool invocation attempts
  • Argument manipulation to access restricted resources
  • Chained tool calls designed to escalate privileges

Validating Tool Calls

Validate any tool call explicitly before execution with the Agent Security API:
from promptguard import PromptGuard

pg = PromptGuard(api_key="pg_live_xxxxxxxx")

result = pg.agent.validate_tool(
    agent_id="agent-123",
    tool_name="file_read",
    arguments={"path": "/etc/passwd"},
    session_id="session-456",
)

if not result["allowed"]:
    print(f"Blocked: {result['reason']}")
    print(f"Risk score: {result['risk_score']}")

Best Practices

  1. Default deny: Only allow-list the MCP servers your agents need
  2. Schema validation: Define schemas for all tool arguments
  3. Least privilege: Restrict resource access to the minimum required
  4. Monitor tool calls: Review tool call patterns in the security dashboard
  5. Version policies: Use policy-as-code to track MCP security changes in git

Next Steps

Agent Security API

Tool validation API reference

Policy-as-Code

Manage MCP policies in YAML