Skip to main content

AI agent security toolkit — scan MCP servers, guard tool calls

Project description

[m] munio
Security scanner and runtime guard for AI agent tool calls

License Python 3.10+


AI agents call external tools — MCP servers, OpenClaw skills, API endpoints. A malicious or poorly-written tool can exfiltrate your data, execute arbitrary commands, or chain actions into multi-step attacks. munio catches these issues before they reach your agent.

munio scan demo

pipx install munio
munio config-scan

For deep tool schema analysis:

munio scan --server "npx @modelcontextprotocol/server-filesystem /tmp"

No MCP servers? Try the bundled example:

munio scan --file examples/vulnerable-server.json --details

Why scan MCP servers?

The same vulnerability classes that led to 512 findings in Copilot extensions and 820+ malicious OpenClaw skills -- path traversal, command injection, SSRF, prompt injection -- exist in every AI tool-calling ecosystem. MCP servers, OpenClaw skills, and framework-integrated tools share the same attack surface.

munio was built by scanning 700+ public MCP servers and responsibly disclosing the vulnerabilities found. It works with MCP, OpenClaw, LangChain, CrewAI, and OpenAI Agents SDK.

What it catches

Category Examples How
Path traversal ../../etc/passwd in file parameters Schema analysis + Z3 formal proof
SSRF http://169.254.169.254 in URL parameters Pattern matching + Z3 proof
Command injection ; rm -rf / in shell parameters Denylist + regex + Z3 proof
Prompt injection Hidden instructions in tool descriptions ML classifier (188 languages)
Data exfiltration read_file + http_request = stolen secrets Compositional flow analysis
Supply chain Unpinned npm deps, hardcoded API keys in config Config file scanner

Installation

pipx install munio          # CLI (recommended)
pip install munio            # library
pip install "munio[z3]"      # with formal verification
pip install "munio[all]"     # everything

Scan MCP servers

munio scan --server "npx @foo/mcp-server"       # scan a live server
munio scan --file tools.json                     # scan exported schemas
munio scan                                       # auto-discover from IDE configs
munio scan --details                             # show affected tools and fixes
munio scan --format sarif --output report.sarif  # SARIF 2.1.0 for CI

8 analysis layers: L1 Schema, L2 Heuristic, L2.5 ML Classifier, L2.6 Multilingual ML, L3 Static, L4 Z3 Formal, L5 Compositional, L7 Source.

Scan config files

Finds hardcoded credentials, unpinned dependencies, and supply chain risks in Claude Desktop, Cursor, VS Code, Windsurf, Cline, and Junie configs. No server connections needed.

munio config-scan                    # auto-discover all IDE configs
munio config-scan --config file.json # scan a specific config

munio config-scan demo

Detect cross-server attack chains

munio compose --schemas-dir ./schemas  # analyze pre-fetched schemas
munio compose --format markdown        # generate CVE filing drafts

Protect at runtime

Intercept every tool call before execution. No code changes.

munio init      # wrap all MCP servers in IDE configs
munio status    # check protection status
munio restore   # remove wrapper

After munio init, every tools/call is verified against YAML constraints. Dangerous calls are blocked before reaching the server.

Constraint example

name: block-dangerous-urls
action: http_request
check:
  type: denylist
  field: url
  values: ["evil.com", "169.254.169.254"]
  match: contains
on_violation: block
severity: critical

8 check types: denylist, allowlist, threshold, regex_deny, regex_allow, composite, rate_limit, sequence_deny.

Python API

from munio import Guard

guard = Guard(constraints="generic")
result = guard.check({"tool": "http_request", "args": {"url": "https://evil.com"}})
# result.allowed = False

Adapters for LangChain, CrewAI, OpenAI Agents SDK, and MCP. See docs.

How it works

Tier What Backend Latency
1 Denylists, allowlists, regex, thresholds Pure Python <0.01ms
2 Multi-variable arithmetic Z3 subprocess 5-100ms
3 Complex constraints Z3 full 100ms-5s
4 Deploy-time policy verification Z3 offline per deploy

Tier 1 handles 90-95% of constraints. Z3 is optional (pip install "munio[z3]").

All commands

Command What
munio scan Scan MCP server tool schemas
munio config-scan Scan config files for supply chain risks
munio compose Detect cross-server attack chains
munio init / status / restore Manage runtime protection
munio gate -- CMD Proxy a single MCP server
munio check JSON Verify a single action
munio serve HTTP API server
munio policy Deploy-time Z3 policy verification
munio download-models Download ML classifier models

Development

git clone https://github.com/munio-dev/munio.git && cd munio
make install    # uv sync + pre-commit hooks
make test       # 3900+ tests
make ci         # lint + typecheck + tests + coverage

License

Apache 2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

munio-0.1.0.tar.gz (515.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

munio-0.1.0-py3-none-any.whl (274.6 kB view details)

Uploaded Python 3

File details

Details for the file munio-0.1.0.tar.gz.

File metadata

  • Download URL: munio-0.1.0.tar.gz
  • Upload date:
  • Size: 515.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for munio-0.1.0.tar.gz
Algorithm Hash digest
SHA256 b94b605541693085c8d96b51882e71bf96636071c34d9d738d13cc186d1d7d33
MD5 28bf3ca8a33185254d1ebad762b277a1
BLAKE2b-256 e1330e69999103810cf0fd5b4f902c9418c251fb46439f73966947defad26191

See more details on using hashes here.

File details

Details for the file munio-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: munio-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 274.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for munio-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 d6ae31ff8f9b2402801da208ed6ee5fc02247828193e55287608598e3d83a53d
MD5 c024d5f04166121d45056c50a2361a08
BLAKE2b-256 01ae0d2f71f147730ee17cd11e6ffc93be06ae70bb1ea5e612f249fd2c36e5b8

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page