# MCP Security Gateway
Security gateway that proxies MCP (Model Context Protocol) server connections with real-time scanning, audit logging, and policy enforcement.
Part of the AgentSec suite -- open-source security primitives for AI agents.
## Install

```bash
pip install agentsec-gateway
```
Premium: Get IP reputation database, advanced data flow analytics, and multi-server policy orchestration at zazmatt.gumroad.com/l/hjpwk
## Quick Start

```bash
# Patch .mcp.json to route all MCP servers through the gateway
mcp-gateway install
# That's it. All MCP traffic is now scanned and logged.
```
## How It Works

```text
Claude Code               MCP Gateway                MCP Server
     |                         |                          |
     |--- JSON-RPC request --->|                          |
     |                         |-- scan for secrets ----->|
     |                         |-- scan for injections -->|
     |                         |-- log to audit trail --->|
     |                         |--- forward request ----->|
     |                         |                          |
     |                         |<--- response ------------|
     |                         |-- scan for leakage ----->|
     |                         |-- log to audit trail --->|
     |<--- forward response ---|                          |
```
The gateway wraps each MCP server command in `.mcp.json` so all stdio traffic passes through a transparent proxy. It scans for:

- Secret leakage -- API keys, tokens, passwords, PII in tool parameters
- Prompt injection -- attempts to override system instructions via tool arguments
- Path traversal -- `../etc/passwd`, `~/.ssh/`-style attacks
- Command injection -- shell metacharacters, subshell execution
- Data exfiltration -- secrets in server responses flowing back to Claude
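The request-side scan sketched in the diagram, as an added example that is not the agentsec-gateway project's own code: it walks every string argument of a `tools/call` JSON-RPC request and reports secret-looking values (fixed patterns plus a Shannon-entropy fallback), prompt-injection phrases, traversal paths and shell metacharacters. The rule set, the 4.0 bits/char entropy threshold and the finding layout are constructed for illustration, not the gateway's own rules.

```python
"""Added example (not the agentsec-gateway project's code): a minimal
request-side scanner for MCP tools/call arguments. Patterns, threshold
and output layout are assumptions chosen for illustration."""
import json
import math
import re

# Constructed, deliberately small rule set; the real gateway ships its own.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
INJECTION_PHRASES = (
    "ignore previous instructions",
    "ignore all previous instructions",
    "you are now in developer mode",
    "<system>",
)
TRAVERSAL = re.compile(r"\.\./|~/\.ssh/|/etc/passwd")
SHELL_META = re.compile(r"\$\(|`|;\s*\w|\|\s*(ba)?sh\b|&&")
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # assumed cut-off, bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; random-looking tokens score high."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _walk(value, path=""):
    """Yield (json_path, string) for every string nested in a JSON value."""
    if isinstance(value, str):
        yield path or "$", value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")


def scan_request(raw: str) -> list[dict]:
    """Scan one JSON-RPC request line; returns a list of findings (empty = clean)."""
    msg = json.loads(raw)
    if msg.get("method") != "tools/call":
        return []  # only tool calls carry caller-supplied arguments
    findings = []
    args = msg.get("params", {}).get("arguments", {})
    for where, text in _walk(args):
        for name, rx in SECRET_PATTERNS.items():
            if rx.search(text):
                findings.append({"kind": "secret", "rule": name, "at": where})
        lowered = text.lower()
        for phrase in INJECTION_PHRASES:
            if phrase in lowered:
                findings.append({"kind": "prompt_injection", "rule": phrase, "at": where})
        if TRAVERSAL.search(text):
            findings.append({"kind": "path_traversal", "rule": "traversal", "at": where})
        if SHELL_META.search(text):
            findings.append({"kind": "command_injection", "rule": "shell_meta", "at": where})
        # Entropy fallback for secret formats no regex knows; skip tokens a
        # fixed pattern already flagged so they are not reported twice.
        for token in ENTROPY_TOKEN.findall(text):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD and not any(
                rx.search(token) for rx in SECRET_PATTERNS.values()
            ):
                findings.append({"kind": "secret", "rule": "high_entropy", "at": where})
    return findings


# Constructed sample: a read_file call carrying a traversal path and a fake
# AWS key id (the documented AKIA...EXAMPLE placeholder, not a real credential).
SAMPLE = json.dumps({
    "jsonrpc": "2.0", "id": 7, "method": "tools/call",
    "params": {"name": "read_file",
               "arguments": {"path": "../../etc/passwd",
                             "note": "key AKIAIOSFODNN7EXAMPLE"}},
})

if __name__ == "__main__":
    for finding in scan_request(SAMPLE):
        print(finding)
```

A real proxy would run `scan_request` on each newline-delimited JSON-RPC message read from Claude Code's stdin before forwarding it to the server's stdin, and apply the mirror-image `scan for leakage` pass to each response line coming back.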
## CLI Reference

| Command | Description |
|---|---|
| `mcp-gateway install` | Patch `.mcp.json` to route through gateway |
| `mcp-gateway uninstall` | Restore original `.mcp.json` |
| `mcp-gateway proxy --server NAME -- CMD` | Run as proxy (internal, called by patched config) |
| `mcp-gateway scan` | List configured servers and their status |
| `mcp-gateway audit [-n 20] [--server NAME]` | View audit log |
| `mcp-gateway report` | Generate security report (reputation + data flow) |
| `mcp-gateway status` | Show install status and server list |
## Configuration

Create `.mcp-gateway/policy.yaml` to define per-server policies:

```yaml
servers:
  filesystem:
    allowed_tools: ["read_*", "list_*", "search_*"]
    blocked_tools: ["write_*", "delete_*"]
    max_calls_per_minute: 30
    data_classification: internal
  gmail:
    allowed_tools: ["gmail_search*", "gmail_read*"]
    blocked_tools: ["gmail_create_draft", "gmail_send*"]
    max_calls_per_minute: 10
    data_classification: confidential
```
### Policy Fields

| Field | Type | Default | Description |
|---|---|---|---|
| `allowed_tools` | `list[str]` | `[]` (all) | Glob patterns for allowed tools |
| `blocked_tools` | `list[str]` | `[]` | Glob patterns for blocked tools |
| `max_calls_per_minute` | `int` | `60` | Rate limit per server |
| `data_classification` | `str` | `internal` | `public`, `internal`, `confidential` |
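An added example, not the project's own enforcement code, of how a policy with the fields above can be evaluated: glob matching of tool names against `allowed_tools` / `blocked_tools` and a per-server sliding-window rate limit. The policy dictionary mirrors the YAML shown, and the defaults are the ones in the table; that `blocked_tools` wins over `allowed_tools`, that an empty `allowed_tools` means "all", and the 60-second window are assumptions about enforcement order, not documented gateway behaviour.

```python
"""Added example (not agentsec-gateway's code): evaluating a per-server policy
of the documented shape. Precedence rules and the sliding window are assumptions."""
import fnmatch
import time
from collections import defaultdict, deque

# Constructed policy: the parsed form of the policy.yaml example above.
POLICY = {
    "servers": {
        "filesystem": {
            "allowed_tools": ["read_*", "list_*", "search_*"],
            "blocked_tools": ["write_*", "delete_*"],
            "max_calls_per_minute": 30,
            "data_classification": "internal",
        },
        "gmail": {
            "allowed_tools": ["gmail_search*", "gmail_read*"],
            "blocked_tools": ["gmail_create_draft", "gmail_send*"],
            "max_calls_per_minute": 10,
            "data_classification": "confidential",
        },
    }
}
# Defaults as listed in the Policy Fields table.
DEFAULTS = {
    "allowed_tools": [],
    "blocked_tools": [],
    "max_calls_per_minute": 60,
    "data_classification": "internal",
}


class PolicyEngine:
    def __init__(self, policy: dict):
        self.servers = policy.get("servers", {})
        # Per-server timestamps of recent calls; oldest first (sliding 60 s window).
        self._calls = defaultdict(deque)

    def _policy_for(self, server: str) -> dict:
        """Server policy with defaults filled in; unknown servers get the defaults."""
        return {**DEFAULTS, **self.servers.get(server, {})}

    def tool_allowed(self, server: str, tool: str) -> tuple[bool, str]:
        p = self._policy_for(server)
        # Assumed precedence: an explicit block always wins over an allow glob.
        if any(fnmatch.fnmatchcase(tool, g) for g in p["blocked_tools"]):
            return False, "blocked_tools"
        if p["allowed_tools"] and not any(
            fnmatch.fnmatchcase(tool, g) for g in p["allowed_tools"]
        ):
            return False, "not in allowed_tools"
        return True, "allowed"

    def check_rate(self, server: str, now=None) -> bool:
        """Record one call; False if it would exceed max_calls_per_minute."""
        now = time.monotonic() if now is None else now
        limit = self._policy_for(server)["max_calls_per_minute"]
        window = self._calls[server]
        while window and now - window[0] >= 60:
            window.popleft()  # drop calls older than one minute
        if len(window) >= limit:
            return False
        window.append(now)
        return True

    def decide(self, server: str, tool: str, now=None) -> dict:
        """Combined verdict for one tools/call, as the proxy would consult it."""
        ok, reason = self.tool_allowed(server, tool)
        if not ok:
            return {"allow": False, "reason": reason}
        if not self.check_rate(server, now):
            return {"allow": False, "reason": "rate_limited"}
        return {
            "allow": True,
            "reason": "allowed",
            "classification": self._policy_for(server)["data_classification"],
        }


if __name__ == "__main__":
    engine = PolicyEngine(POLICY)
    for server, tool in [("filesystem", "read_file"), ("filesystem", "write_file"),
                         ("gmail", "gmail_send_message"), ("gmail", "gmail_read_thread")]:
        print(server, tool, engine.decide(server, tool))
```

The `data_classification` value is returned with every allow verdict so the response-side leakage scan can be made stricter for `confidential` servers; the time argument to `decide` exists only so the window behaviour can be exercised deterministically.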
## Security Features

- Secret scanning -- 23 pattern rules covering API keys, tokens, passwords, PII (SSN, credit cards)
- High-entropy detection -- Shannon entropy analysis catches unknown secret formats
- Prompt injection detection -- catches "ignore previous instructions", developer mode, system tag injection
- Path traversal detection -- blocks `../`, `/etc/passwd`, `~/.ssh/` access attempts
- Command injection detection -- catches shell metacharacters, subshells, pipe-to-bash
- Tamper-proof audit log -- SHA-256 hash chain on every log entry
- Server reputation tracking -- trust scores degrade on violations
- Data flow monitoring -- per-server byte counting with anomaly detection
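The tamper-proof audit log item above, as an added example that is not the gateway's own implementation: each record stores the previous record's SHA-256 hash and its own hash over that value plus the canonical JSON of the entry, so editing, re-ordering or deleting any record breaks the chain at a verifiable position. The record layout, the all-zero genesis anchor and the `verify()` return convention are assumptions, not the project's on-disk format.

```python
"""Added example (not agentsec-gateway's code): a SHA-256 hash-chained audit
log with tamper detection. Record layout and genesis value are assumptions."""
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor hash for the first record


def _digest(prev_hash: str, entry: dict) -> str:
    """SHA-256 over previous hash + canonical JSON (key order and spacing fixed)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries: list[dict] = []

    def append(self, **fields) -> dict:
        """Append one audit entry linked to the current chain head."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"prev_hash": prev, "entry": dict(fields), "hash": _digest(prev, fields)}
        self.entries.append(record)
        return record

    def verify(self) -> int:
        """-1 if every link checks out, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["prev_hash"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
                return i
            prev = rec["hash"]
        return -1

    def to_jsonl(self) -> str:
        """One record per line, the shape an append-only log file would hold."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.entries)


def demo() -> tuple[int, int, int]:
    """Build a small log, then tamper with it two ways; returns the verify() results."""
    log = AuditLog()
    log.append(server="filesystem", tool="read_file", verdict="allow")
    log.append(server="filesystem", tool="write_file", verdict="block", reason="blocked_tools")
    log.append(server="gmail", tool="gmail_search", verdict="allow")
    intact = log.verify()
    # Tamper 1: flip a verdict in place; that record's hash no longer matches.
    log.entries[1]["entry"]["verdict"] = "allow"
    edited = log.verify()
    # Tamper 2: also recompute that record's hash; the next record's prev_hash
    # now points at the old value, so the break moves one record forward.
    log.entries[1]["hash"] = _digest(log.entries[1]["prev_hash"], log.entries[1]["entry"])
    relinked = log.verify()
    return intact, edited, relinked


if __name__ == "__main__":
    print(demo())  # expected (-1, 1, 2)
```

Verification of the whole chain costs one hash per record, so `mcp-gateway audit` style tooling can re-check the file on every read; what the chain cannot do is protect the newest record from being truncated away, which is why the chain head should also be copied somewhere the gateway process cannot rewrite.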
## Architecture
Built on agentsec-core for scanning, policy, and audit primitives. Uses synchronous threading for the stdio proxy (no asyncio complexity).
## Free vs Premium
| Feature | Free (OSS) | Premium |
|---|---|---|
| Transparent MCP proxy | Yes | Yes |
| Secret scanning (23 patterns) | Yes | Yes |
| Prompt injection detection | Yes | Yes |
| Tamper-proof audit log | Yes | Yes |
| IP reputation database | -- | Yes |
| Data flow analytics dashboard | -- | Yes |
| Multi-server policy orchestration | -- | Yes |
| Rate limiting with burst control | -- | Yes |
| Priority support | -- | Yes |
## Development

```bash
pip install -e ".[dev]"
pytest
ruff check .
```
## License

MIT
## File details

### Source distribution: agentsec_gateway-0.1.1.tar.gz

- Download URL: agentsec_gateway-0.1.1.tar.gz
- Upload date:
- Size: 22.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12

| Algorithm | Hash digest |
|---|---|
| SHA256 | 2c72254d90e7bc106fe0dbd1eedf03ca95cfbe286f8fc2c89b0ffa98d47d8da2 |
| MD5 | 39464310356b86bfc8eb7830203fd201 |
| BLAKE2b-256 | 625220fb49bc53842ff57eee3bc6ce510d3e6ca04a872a841959897cc97ca5bb |

### Built distribution: agentsec_gateway-0.1.1-py3-none-any.whl

- Download URL: agentsec_gateway-0.1.1-py3-none-any.whl
- Upload date:
- Size: 16.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12

| Algorithm | Hash digest |
|---|---|
| SHA256 | 31569770c799e8f6e856d28f8ff44f0d688a35e2852e809b1e39888c61cc10d2 |
| MD5 | 56d040db84b787ec797e8f4984710b09 |
| BLAKE2b-256 | 29c43e830821831d99a0132f9cd88ad1a5734b3788820aa2af3f6dc915453cf3 |