Agreed, I think adding guardrails to this would be really useful to ensure the AI only has limited permissions to these services (or asking for some sort of confirmation before making potentially dangerous tool calls).
Currently we are only recording which tools were requested by the MCP client. We don't store details of the executed tool, neither the arguments nor the response. Currently we are not open source but we are considering that. Thanks for the feedback!
We are thinking of open sourcing it, the current codebase requires Cloudflare Workers so it will take some changes to make it more generic. Thank you for the feedback!
Thanks for your comment - MCP Defender sits between the MCP client and server, it doesn't need to worry about the protocols that the server communicates with to other services.
This is certainly a valid concern. We'll soon be adding the ability to have multiple models perform the scan in parallel, so any attack would have to bypass all of the models.
With the default signatures, source code would not be treated as malicious. However, you can add custom signatures and detect whatever you'd like. We'll soon be adding deterministic rules as well to complement the LLM based ones.
MCP Defender sits between the MCP client and server. If you use Cursor for example, MCP Defender rewrites your Cursor MCP config file so that all MCP servers point to the MCP Defender proxy. So the tool calls are scanned before they make it to the server. The responses from the servers are also scanned although this is configurable (disabling it speeds up scans).
This is really interesting, I'll check it out. At least in its current form this seems like it would take some effort to setup - we're focusing heavily on making MCP Defender easy to setup in less than a minute and then forgetting about it as it runs in the background.
We used Cursor + MCP tools like Cloudflare, Linear and Github to build and deploy a lot of MCP Defender, so I think the value is real. I had the same thought about it feeling like an antivirus/firewall many of us ran decades ago. Those always felt clunky and slowed down your computer. We'll try our best to avoid that fate
I had the same thought while building this, but I really feel a tool like this is needed as MCP has a lot of surface area for attacks. Any MCP server that gets hacked exposes all users of that MCP server to serious security risk, unless they are really careful about inspecting every single MCP tool call they make.
While Cursor and other apps can include security checks in their system prompt, MCP Defender provides an extra unified layer of security across all apps. Also, we're going to be adding the ability to have multiple models perform the scan in parallel so any prompt injection attack would have to work against all of the models you select.
We'll be adding the ability to run MCP Defender through a local LLM soon, so using that approach no data will leave your computer to perform a scan.
Yes, there is a delay for MCP exchange, but I imagine that most MCP calls in the future will be done in "YOLO" mode where the user prompts a large task and an agent makes 1000's of MCP calls over hours to accomplish it. This would add some time to the overall task but IMO this is a small price to pay for added security. Also, the delay will decrease over time.
During the recording, I moved around around and stopped twice. The only thing not working is the audio volume changing based on the g-force readings. I'm digging into why that's not working.