MCP (Model Context Protocol) security validates tool calls before execution in agent workflows, preventing unauthorized tool use, argument injection, and resource access violations.
Overview
As AI agents gain the ability to call external tools via the Model Context Protocol, new attack surfaces emerge. PromptGuard’s MCP security layer validates every tool call against configurable policies before execution. There are two ways to apply it:- Inline on gateway traffic — when your requests flow through the PromptGuard gateway (
/api/v1/chat/completionsor/api/v1/messages), tool calls in the message stream are checked against your project’s MCP security configuration automatically. - Explicitly via the API — call
POST /api/v1/agent/validate-toolbefore executing any tool, regardless of how your agent talks to its LLM.
Capabilities
Server Allow/Block-listing
Restrict which MCP servers your agents can call tools from. When MCP security is enabled for a project, each tool call’s server (derived from the namespaced tool name, e.g.filesystem__read_file) is checked against the project’s server allowlist and blocklist — calls to servers not on the allowlist, or on the blocklist, are blocked before execution. Argument payloads are also capped in size to prevent oversized-argument abuse.
This is configured per project as part of your guardrails setup — contact support to enable and tune MCP server allow/block-listing for your project.
Argument Schema Validation
Validate tool call arguments against expected schemas to prevent injection:Resource Access Policies
Define which resources tools can read or modify:- File system paths (allow-list / deny-list)
- Database tables and operations
- Network endpoints and protocols
- Environment variables and secrets
Tool Injection Detection
Identifies attempts to inject unauthorized MCP tool calls through:- Prompt-based tool invocation attempts
- Argument manipulation to access restricted resources
- Chained tool calls designed to escalate privileges
Validating Tool Calls
Validate any tool call explicitly before execution with the Agent Security API:Best Practices
- Default deny: Only allow-list the MCP servers your agents need
- Schema validation: Define schemas for all tool arguments
- Least privilege: Restrict resource access to the minimum required
- Monitor tool calls: Review tool call patterns in the security dashboard
- Version policies: Use policy-as-code to track MCP security changes in git
Next Steps
Agent Security API
Tool validation API reference
Policy-as-Code
Manage MCP policies in YAML