Skip to main content

AI agent security toolkit — scan MCP servers, guard tool calls

Project description

[m] munio
Security scanner and runtime guard for AI agent tool calls

License Python 3.10+


AI agents call external tools — MCP servers, OpenClaw skills, API endpoints. A malicious or poorly-written tool can exfiltrate your data, execute arbitrary commands, or chain actions into multi-step attacks. munio catches these issues before they reach your agent.

munio scan demo

pipx install munio
munio config-scan

For deep tool schema analysis:

munio scan --server "npx @modelcontextprotocol/server-filesystem /tmp"

No MCP servers? Try the bundled example:

munio scan --file examples/vulnerable-server.json --details

Why scan MCP servers?

The same vulnerability classes that led to 512 findings in Copilot extensions and 820+ malicious OpenClaw skills -- path traversal, command injection, SSRF, prompt injection -- exist in every AI tool-calling ecosystem. MCP servers, OpenClaw skills, and framework-integrated tools share the same attack surface.

munio was built by scanning 700+ public MCP servers and responsibly disclosing the vulnerabilities found. It works with MCP, OpenClaw, LangChain, CrewAI, and OpenAI Agents SDK.

What it catches

Category Examples How
Path traversal ../../etc/passwd in file parameters Schema analysis + Z3 formal proof
SSRF http://169.254.169.254 in URL parameters Pattern matching + Z3 proof
Command injection ; rm -rf / in shell parameters Denylist + regex + Z3 proof
Prompt injection Hidden instructions in tool descriptions ML classifier (188 languages)
Data exfiltration read_file + http_request = stolen secrets Compositional flow analysis
Supply chain Unpinned npm deps, hardcoded API keys in config Config file scanner

Installation

pipx install munio          # CLI (recommended)
pip install munio            # library
pip install "munio[z3]"      # with formal verification
pip install "munio[all]"     # everything

Scan MCP servers

munio scan --server "npx @foo/mcp-server"       # scan a live server
munio scan --file tools.json                     # scan exported schemas
munio scan                                       # auto-discover from IDE configs
munio scan --details                             # show affected tools and fixes
munio scan --format sarif --output report.sarif  # SARIF 2.1.0 for CI

8 analysis layers: L1 Schema, L2 Heuristic, L2.5 ML Classifier, L2.6 Multilingual ML, L3 Static, L4 Z3 Formal, L5 Compositional, L7 Source.

Scan config files

Finds hardcoded credentials, unpinned dependencies, and supply chain risks in Claude Desktop, Cursor, VS Code, Windsurf, Cline, and Junie configs. No server connections needed.

munio config-scan                    # auto-discover all IDE configs
munio config-scan --config file.json # scan a specific config

munio config-scan demo

Detect cross-server attack chains

munio compose --schemas-dir ./schemas  # analyze pre-fetched schemas
munio compose --format markdown        # generate CVE filing drafts

Protect at runtime

Intercept every tool call before execution. No code changes.

munio init      # wrap all MCP servers in IDE configs
munio status    # check protection status
munio restore   # remove wrapper

After munio init, every tools/call is verified against YAML constraints. Dangerous calls are blocked before reaching the server.

Constraint example

name: block-dangerous-urls
action: http_request
check:
  type: denylist
  field: url
  values: ["evil.com", "169.254.169.254"]
  match: contains
on_violation: block
severity: critical

8 check types: denylist, allowlist, threshold, regex_deny, regex_allow, composite, rate_limit, sequence_deny.

Python API

from munio import Guard

guard = Guard(constraints="generic")
result = guard.check({"tool": "http_request", "args": {"url": "https://evil.com"}})
# result.allowed = False

Adapters for LangChain, CrewAI, OpenAI Agents SDK, and MCP. See docs.

How it works

Tier What Backend Latency
1 Denylists, allowlists, regex, thresholds Pure Python <0.01ms
2 Multi-variable arithmetic Z3 subprocess 5-100ms
3 Complex constraints Z3 full 100ms-5s
4 Deploy-time policy verification Z3 offline per deploy

Tier 1 handles 90-95% of constraints. Z3 is optional (pip install "munio[z3]").

All commands

Command What
munio scan Scan MCP server tool schemas
munio config-scan Scan config files for supply chain risks
munio compose Detect cross-server attack chains
munio init / status / restore Manage runtime protection
munio gate -- CMD Proxy a single MCP server
munio check JSON Verify a single action
munio serve HTTP API server
munio policy Deploy-time Z3 policy verification
munio download-models Download ML classifier models

Development

git clone https://github.com/munio-dev/munio.git && cd munio
make install    # uv sync + pre-commit hooks
make test       # 3900+ tests
make ci         # lint + typecheck + tests + coverage

License

Apache 2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

munio-0.1.1.tar.gz (516.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

munio-0.1.1-py3-none-any.whl (274.8 kB view details)

Uploaded Python 3

File details

Details for the file munio-0.1.1.tar.gz.

File metadata

  • Download URL: munio-0.1.1.tar.gz
  • Upload date:
  • Size: 516.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for munio-0.1.1.tar.gz
Algorithm Hash digest
SHA256 d9dff66a72ee96fde7eebba50b9fdfbb84899013fe2c78c73d71baf898158570
MD5 75225cfdaca0521cb9ef4c49a1b02257
BLAKE2b-256 ea36c419ccbdbff9f46859bce68da1425322e1149b46dafef94780ad653a1f83

See more details on using hashes here.

Provenance

The following attestation bundles were made for munio-0.1.1.tar.gz:

Publisher: release.yml on munio-dev/munio

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file munio-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: munio-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 274.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for munio-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 241d34b123a2bc28216a0b0617be3f93728c3342a677f352a4de2b2b2add46e2
MD5 b7fc82dee5ebc5095eadee65282e9e89
BLAKE2b-256 8becaa0b4da5fef920593eea80ffb1492b1eabc36f2345f0319b316585737191

See more details on using hashes here.

Provenance

The following attestation bundles were made for munio-0.1.1-py3-none-any.whl:

Publisher: release.yml on munio-dev/munio

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page