AI agent security toolkit — scan MCP servers, guard tool calls
Project description
[m] munio
Security scanner and runtime guard for AI agent tool calls
AI agents call external tools — MCP servers, OpenClaw skills, API endpoints. A malicious or poorly-written tool can exfiltrate your data, execute arbitrary commands, or chain actions into multi-step attacks. munio catches these issues before they reach your agent.
pipx install munio
munio config-scan
For deep tool schema analysis:
munio scan --server "npx @modelcontextprotocol/server-filesystem /tmp"
No MCP servers? Try the bundled example:
munio scan --file examples/vulnerable-server.json --details
Why scan MCP servers?
The same vulnerability classes that led to 512 findings in Copilot extensions and 820+ malicious OpenClaw skills -- path traversal, command injection, SSRF, prompt injection -- exist in every AI tool-calling ecosystem. MCP servers, OpenClaw skills, and framework-integrated tools share the same attack surface.
munio was built by scanning 700+ public MCP servers and responsibly disclosing the vulnerabilities found. It works with MCP, OpenClaw, LangChain, CrewAI, and OpenAI Agents SDK.
What it catches
| Category | Examples | How |
|---|---|---|
| Path traversal | ../../etc/passwd in file parameters |
Schema analysis + Z3 formal proof |
| SSRF | http://169.254.169.254 in URL parameters |
Pattern matching + Z3 proof |
| Command injection | ; rm -rf / in shell parameters |
Denylist + regex + Z3 proof |
| Prompt injection | Hidden instructions in tool descriptions | ML classifier (188 languages) |
| Data exfiltration | read_file + http_request = stolen secrets |
Compositional flow analysis |
| Supply chain | Unpinned npm deps, hardcoded API keys in config | Config file scanner |
Installation
pipx install munio # CLI (recommended)
pip install munio # library
pip install "munio[z3]" # with formal verification
pip install "munio[all]" # everything
Scan MCP servers
munio scan --server "npx @foo/mcp-server" # scan a live server
munio scan --file tools.json # scan exported schemas
munio scan # auto-discover from IDE configs
munio scan --details # show affected tools and fixes
munio scan --format sarif --output report.sarif # SARIF 2.1.0 for CI
8 analysis layers: L1 Schema, L2 Heuristic, L2.5 ML Classifier, L2.6 Multilingual ML, L3 Static, L4 Z3 Formal, L5 Compositional, L7 Source.
Scan config files
Finds hardcoded credentials, unpinned dependencies, and supply chain risks in Claude Desktop, Cursor, VS Code, Windsurf, Cline, and Junie configs. No server connections needed.
munio config-scan # auto-discover all IDE configs
munio config-scan --config file.json # scan a specific config
Detect cross-server attack chains
munio compose --schemas-dir ./schemas # analyze pre-fetched schemas
munio compose --format markdown # generate CVE filing drafts
Protect at runtime
Intercept every tool call before execution. No code changes.
munio init # wrap all MCP servers in IDE configs
munio status # check protection status
munio restore # remove wrapper
After munio init, every tools/call is verified against YAML constraints. Dangerous calls are blocked before reaching the server.
Constraint example
name: block-dangerous-urls
action: http_request
check:
type: denylist
field: url
values: ["evil.com", "169.254.169.254"]
match: contains
on_violation: block
severity: critical
8 check types: denylist, allowlist, threshold, regex_deny, regex_allow, composite, rate_limit, sequence_deny.
Python API
from munio import Guard
guard = Guard(constraints="generic")
result = guard.check({"tool": "http_request", "args": {"url": "https://evil.com"}})
# result.allowed = False
Adapters for LangChain, CrewAI, OpenAI Agents SDK, and MCP. See docs.
How it works
| Tier | What | Backend | Latency |
|---|---|---|---|
| 1 | Denylists, allowlists, regex, thresholds | Pure Python | <0.01ms |
| 2 | Multi-variable arithmetic | Z3 subprocess | 5-100ms |
| 3 | Complex constraints | Z3 full | 100ms-5s |
| 4 | Deploy-time policy verification | Z3 offline | per deploy |
Tier 1 handles 90-95% of constraints. Z3 is optional (pip install "munio[z3]").
All commands
| Command | What |
|---|---|
munio scan |
Scan MCP server tool schemas |
munio config-scan |
Scan config files for supply chain risks |
munio compose |
Detect cross-server attack chains |
munio init / status / restore |
Manage runtime protection |
munio gate -- CMD |
Proxy a single MCP server |
munio check JSON |
Verify a single action |
munio serve |
HTTP API server |
munio policy |
Deploy-time Z3 policy verification |
munio download-models |
Download ML classifier models |
Development
git clone https://github.com/munio-dev/munio.git && cd munio
make install # uv sync + pre-commit hooks
make test # 3900+ tests
make ci # lint + typecheck + tests + coverage
License
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file munio-0.1.0.tar.gz.
File metadata
- Download URL: munio-0.1.0.tar.gz
- Upload date:
- Size: 515.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b94b605541693085c8d96b51882e71bf96636071c34d9d738d13cc186d1d7d33
|
|
| MD5 |
28bf3ca8a33185254d1ebad762b277a1
|
|
| BLAKE2b-256 |
e1330e69999103810cf0fd5b4f902c9418c251fb46439f73966947defad26191
|
File details
Details for the file munio-0.1.0-py3-none-any.whl.
File metadata
- Download URL: munio-0.1.0-py3-none-any.whl
- Upload date:
- Size: 274.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d6ae31ff8f9b2402801da208ed6ee5fc02247828193e55287608598e3d83a53d
|
|
| MD5 |
c024d5f04166121d45056c50a2361a08
|
|
| BLAKE2b-256 |
01ae0d2f71f147730ee17cd11e6ffc93be06ae70bb1ea5e612f249fd2c36e5b8
|