InnerWarden/mcp-guard
Runtime security for MCP servers and AI agents. Pre-execution guardrails, tool call inspection, drift detection. Rust, open source.
Platform-specific configuration:
{
"mcpServers": {
"mcp-guard": {
"command": "npx",
"args": [
"-y",
"mcp-guard"
]
}
}
}Add the config above to .claude/settings.json under the mcpServers key.
[](https://github.com/InnerWarden/mcp-guard/actions/workflows/ci.yml) [](LICENSE)
Runtime security proxy for MCP servers and AI agents. Inspects tool calls before they execute, blocks command injection, path traversal, SSRF, tool poisoning, and rug-pull attacks. Hash-chained audit trail.
cargo install --git https://github.com/InnerWarden/mcp-guardMCP Guard sits between AI agents and MCP servers as a transparent proxy. Every tool call is inspected against security rules before reaching the server.
Agent (Claude, Cursor, etc.)
│
▼
┌─────────────┐
│ MCP Guard │ ← inspect + block + audit
└─────────────┘
│
▼
MCP Server (filesystem, database, API, etc.)Stdio mode (wrap an MCP server):
mcp-guard --upstream-cmd "npx @modelcontextprotocol/server-filesystem /home/user"TCP mode (proxy to a remote MCP server):
mcp-guard --listen 127.0.0.1:3100 --upstream tcp://localhost:3200| ID | Rule | Action | Severity | |----|------|--------|----------| | MG-01 | Command injection in tool arguments | Block | Critical | | MG-02 | Path traversal in tool arguments | Block | Critical | | MG-03 | SSRF in tool arguments | Block | High | | MG-04 | Hidden/zero-width characters in tool description | Alert | High | | MG-05 | Tool description changed (rug-pull detection) | Block | Critical | | MG-06 | Encoded payload in tool arguments | Alert | Medium | | MG-07 | Prompt injection markers in tool response | Sanitize | High | | MG-08 | Tool call rate limit | Block | Medium |
Command injection — semicolons, backticks, $(), pipes to shells, eval(), exec(), system(), file redirects to sensitive paths.
Path traversal — ../, /etc/passwd, /etc/shadow, ~/.ssh/, /proc/self/, URL-encoded variants.
Loading reviews...