MCP (Model Context Protocol) security validates tool calls before execution in agent workflows, preventing unauthorized tool use, argument injection, and resource access violations.

Overview

As AI agents gain the ability to call external tools via the Model Context Protocol, new attack surfaces emerge. PromptGuard’s MCP security layer validates every tool call against configurable policies before execution.

Capabilities

Server Allow/Block-listing

Control which MCP servers your agents can communicate with:
mcp_security:
  allowed_servers:
    - "filesystem"
    - "database-reader"
  blocked_servers:
    - "code-executor"
    - "shell-access"

Argument Schema Validation

Validate tool call arguments against expected schemas to prevent injection:
{
  "tool": "database_query",
  "expected_schema": {
    "type": "object",
    "required": ["table", "query_type"],
    "properties": {
      "table": { "type": "string", "enum": ["users", "orders"] },
      "query_type": { "type": "string", "enum": ["select", "count"] }
    }
  }
}
Arguments that don’t match the schema are rejected before reaching the tool.
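The following is an added example, not PromptGuard's own code: a small validator for the JSON Schema subset the page uses (type, required, properties, enum, additionalProperties). It runs the schema above against three constructed argument sets and shows a caveat worth knowing: JSON Schema accepts properties the schema does not declare unless `additionalProperties` is set to `false`, so an injected extra argument such as `raw_sql` passes the schema exactly as written. The `STRICT_SCHEMA` variant and the `CALLS` data are constructed for this example.

```python
# Added example, not PromptGuard's own code: a validator for the JSON Schema
# subset used on this page (type, required, properties, enum,
# additionalProperties), used to show that the page's schema still accepts
# undeclared arguments.

# Schema copied from the page.
DATABASE_QUERY_SCHEMA = {
    "type": "object",
    "required": ["table", "query_type"],
    "properties": {
        "table": {"type": "string", "enum": ["users", "orders"]},
        "query_type": {"type": "string", "enum": ["select", "count"]},
    },
}

# Same schema with undeclared arguments rejected (JSON Schema allows them by
# default). This variant is an assumption, not part of the page.
STRICT_SCHEMA = dict(DATABASE_QUERY_SCHEMA, additionalProperties=False)

_TYPES = {"object": dict, "array": list, "string": str, "integer": int, "boolean": bool}


def validate(value, schema, path="$"):
    """Return a list of violations; an empty list means the value is valid."""
    expected = schema.get("type")
    if expected:
        # bool is a subclass of int in Python; JSON Schema treats them as distinct.
        wrong_type = not isinstance(value, _TYPES[expected]) or (
            expected == "integer" and isinstance(value, bool)
        )
        if wrong_type:
            return [f"{path}: expected {expected}, got {type(value).__name__}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} not in {schema['enum']}")
    if expected == "object":
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required")
        for key, item in value.items():
            if key in props:
                errors.extend(validate(item, props[key], f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{key}: undeclared argument")
    return errors


# Constructed tool-call arguments; the last one smuggles an extra field the tool
# never declared.
CALLS = [
    {"table": "users", "query_type": "select"},
    {"table": "secrets", "query_type": "select"},
    {"table": "users", "query_type": "select", "raw_sql": "DROP TABLE users"},
]


def verdicts(calls, schema):
    """Map each argument set to 'allowed' or 'blocked' under the given schema."""
    return ["allowed" if not validate(c, schema) else "blocked" for c in calls]


if __name__ == "__main__":
    print("page schema:  ", verdicts(CALLS, DATABASE_QUERY_SCHEMA))
    print("strict schema:", verdicts(CALLS, STRICT_SCHEMA))
```

Under the page's schema the third call is allowed because `raw_sql` is simply ignored by the validator; under the strict variant it is blocked. When you write schemas for tool arguments, close them with `additionalProperties: false` so the tool only ever receives the arguments you reviewed.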

Resource Access Policies

Define which resources tools can read or modify:
  • File system paths (allow-list / deny-list)
  • Database tables and operations
  • Network endpoints and protocols
  • Environment variables and secrets
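As an added example (not PromptGuard's own code, and not its policy format), here is a local, fail-closed evaluator for the two policy types shown so far: the server allow/block lists from the YAML above and a file-system path allow/deny list. The `resources.filesystem` block, its roots and the deny-wins precedence are assumptions made for this example. The point it demonstrates is that path rules must be applied to a normalized path: a request for `/srv/app/data/../../../etc/passwd` starts with an allowed root as a string but resolves to `/etc/passwd`.

```python
# Added example, not PromptGuard's own code: a local policy evaluator for the
# server lists and a file-system path policy. The `resources` block is an
# assumed shape; the server lists are copied from the page's YAML.
from pathlib import PurePosixPath

POLICY = {
    "allowed_servers": ["filesystem", "database-reader"],
    "blocked_servers": ["code-executor", "shell-access"],
    "resources": {
        "filesystem": {
            "allow": ["/srv/app/data", "/tmp/agent"],
            "deny": ["/srv/app/data/secrets"],
        }
    },
}


def server_allowed(server, policy=POLICY):
    """Deny wins over allow; anything not allow-listed is denied (default deny)."""
    if server in policy["blocked_servers"]:
        return False
    return server in policy["allowed_servers"]


def normalize(path):
    """Resolve '.', '..' and repeated slashes lexically, without touching the disk."""
    parts = []
    for part in PurePosixPath(path).parts:
        if part in ("/", "."):
            continue
        if part == "..":
            if parts:
                parts.pop()
            continue
        parts.append(part)
    return "/" + "/".join(parts)


def _under(path, root):
    """True if `path` is `root` or lies inside it (component-wise, not a string prefix)."""
    root = normalize(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def path_allowed(path, policy=POLICY):
    """Return (allowed, reason) for a file-system path requested by a tool."""
    fs = policy["resources"]["filesystem"]
    if not path.startswith("/"):
        return False, "relative paths are rejected"
    norm = normalize(path)
    for root in fs["deny"]:          # deny rules are checked first
        if _under(norm, root):
            return False, f"{norm} is under denied root {root}"
    for root in fs["allow"]:
        if _under(norm, root):
            return True, f"{norm} is under allowed root {root}"
    return False, f"{norm} matches no allowed root"


if __name__ == "__main__":
    # Constructed requests an agent might make.
    for p in ["/srv/app/data/reports/q1.csv",
              "/srv/app/data/secrets/db.env",
              "/srv/app/data/../../../etc/passwd",
              "/srv/app/data-archive/old.csv"]:
        print(p, path_allowed(p))
```

Two details matter in practice. Matching is done per path component, so `/srv/app/data-archive` is not inside `/srv/app/data` even though it shares the string prefix. And the normalization is purely lexical: it cannot see symlinks, so the MCP server that actually opens the file should additionally resolve the real path (for example with `os.path.realpath`) on the host where the file lives and re-check it against the same roots.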

Tool Injection Detection

Identifies attempts to inject unauthorized MCP tool calls through:
  • Prompt-based tool invocation attempts
  • Argument manipulation to access restricted resources
  • Chained tool calls designed to escalate privileges
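The chained-call case is the one a per-call check cannot catch, because each call in the chain is individually allowed. The following added example (not PromptGuard's code, and not a description of how its detector works) shows one session-level heuristic: every allowed call records the capabilities it exercised for its session, and a later call is blocked when it completes a dangerous pair, such as network egress after a sensitive read, or code execution after a file write. The capability labels, the sensitive roots and the event log are constructed for the example.

```python
# Added example, not PromptGuard's own code: a session-level heuristic for the
# "chained tool calls" case. It assumes each call already passed the per-call
# checks and looks only at what the same session did earlier.
from collections import defaultdict

# Constructed capability labels per tool name. A deployment would derive these
# from the MCP server's tool descriptions and the resource policy.
TOOL_CAPS = {
    "file_read": {"read"},
    "file_write": {"write"},
    "database_query": {"read", "sensitive"},   # assumed: user/order tables hold PII
    "http_post": {"egress"},
    "email_send": {"egress"},
    "code_exec": {"exec"},
}

# Assumed sensitive roots; a read under them taints the session.
SENSITIVE_ROOTS = ("/srv/app/data/secrets", "/etc", "/home")

# Each rule: (capability of the current call, capability seen earlier, reason).
CHAIN_RULES = [
    ("egress", "sensitive", "egress after a sensitive read in the same session"),
    ("exec", "write", "execution after a file write in the same session"),
]


def classify(call):
    """Capabilities exercised by one call, e.g. {'read', 'sensitive'}."""
    caps = set(TOOL_CAPS.get(call["tool"], ()))
    path = call.get("args", {}).get("path", "")
    if "read" in caps and path.startswith(SENSITIVE_ROOTS):
        caps.add("sensitive")
    return caps


class SessionMonitor:
    def __init__(self, rules=CHAIN_RULES):
        self.rules = rules
        self.seen = defaultdict(set)  # session_id -> capabilities exercised so far

    def check(self, session_id, call):
        """Return ('allow', '') or ('block', reason); only allowed calls update state."""
        caps = classify(call)
        earlier = self.seen[session_id]
        for now_cap, earlier_cap, reason in self.rules:
            if now_cap in caps and earlier_cap in earlier:
                return "block", reason
        earlier |= caps
        return "allow", ""


# Constructed session log: per-call policy would allow every one of these calls.
EVENTS = [
    ("s1", {"tool": "database_query", "args": {"table": "users", "query_type": "select"}}),
    ("s1", {"tool": "http_post", "args": {"url": "https://example.invalid/collect"}}),
    ("s2", {"tool": "file_read", "args": {"path": "/srv/app/data/reports/q1.csv"}}),
    ("s2", {"tool": "http_post", "args": {"url": "https://example.invalid/collect"}}),
    ("s3", {"tool": "file_write", "args": {"path": "/tmp/agent/run.sh"}}),
    ("s3", {"tool": "code_exec", "args": {"cmd": "sh /tmp/agent/run.sh"}}),
]


def run(events):
    """Evaluate a log of (session_id, call) pairs in order; returns one verdict per call."""
    monitor = SessionMonitor()
    return [monitor.check(sid, call) for sid, call in events]


if __name__ == "__main__":
    for (sid, call), (verdict, reason) in zip(EVENTS, run(EVENTS)):
        print(sid, call["tool"], verdict, reason)
```

Session `s2` reads a non-sensitive report and then posts it, which the rules allow; `s1` reads the PII-bearing `users` table first, so its `http_post` is blocked; `s3` writes a script and then tries to execute it. This is why the `session_id` passed to the validation call matters: without it, the two halves of each chain look like unrelated, individually acceptable calls.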

Configuration

Call the validation API from your agent loop; each tool call is checked against the guardrail policy before it runs:
from promptguard import PromptGuard

pg = PromptGuard(api_key="pg_xxx")

# Check the call against the configured policies before the agent executes it.
result = pg.agent.validate_tool(
    agent_id="agent-123",
    tool_name="file_read",
    arguments={"path": "/etc/passwd"},
    session_id="session-456",   # identifies the agent session the call belongs to
)

# Fail closed: only execute the tool when the verdict is explicitly allowed.
if not result["allowed"]:
    print(f"Blocked: {result['reason']}")
    print(f"Risk score: {result['risk_score']}")

Best Practices

  1. Default deny: Only allow-list the MCP servers your agents need
  2. Schema validation: Define schemas for all tool arguments
  3. Least privilege: Restrict resource access to the minimum required
  4. Monitor tool calls: Review tool call patterns in the security dashboard
  5. Version policies: Use policy-as-code to track MCP security changes in git

Next Steps