A permission layer for AI agent tool calls — wrap any MCP server and enforce allow/deny/ask policy with full audit.
Project description
ShieldClaw-MCP
A permission layer for AI agent tool calls. Wrap any MCP
server so every tools/call is checked against a policy — allowed, denied,
or held for approval — and audited. We don't ask models to behave. We
technically restrict what they can do.
agent (Claude / GPT / any MCP client)
│ tools/call: shell_exec "rm -rf /"
▼
┌───────────────┐
│ ShieldClaw-MCP│ ──► 🚫 blocked by policy (never reaches the server)
└───────────────┘
│ tools/call: read_file
▼
your real MCP server
Install
pip install shieldclaw-mcp
Use
Write a policy (policy.json):
{
"default": "deny",
"rules": {
"read_file": "allow",
"web_search": "allow",
"db_delete": "deny",
"shell_exec": "deny",
"send_email": "ask",
"*_secret": "ask"
}
}
Wrap your MCP server. Wherever your agent/client launches the server, put
shieldclaw-mcp wrap in front of it:
shieldclaw-mcp wrap --policy policy.json -- python my_mcp_server.py
For example, in a Claude Desktop mcpServers config, change the command
from python my_mcp_server.py to
shieldclaw-mcp wrap --policy /path/policy.json -- python my_mcp_server.py.
Decisions
| Decision | Effect |
|---|---|
allow |
Forwarded to the server unchanged |
deny |
Blocked; the agent gets a JSON-RPC error, the server never sees it |
ask |
Blocked too (fail-closed) and tagged "requires approval" |
Rules match exact tool names first, then glob patterns (db_*, *_secret),
then fall back to default. The default default is deny.
Audit
Every decision is appended to ~/.shieldclaw-mcp/audit.jsonl. Tool
arguments are never logged in full — only a short sha256 fingerprint,
so you can correlate without leaking secrets. Set SHIELDCLAW_CONTROL_PLANE
(or --control-plane URL) to also stream events to a dashboard.
Other commands
shieldclaw-mcp check --policy policy.json shell_exec # -> deny
shieldclaw-mcp version
How it works
ShieldClaw-MCP is a transparent stdio proxy. The client launches it instead
of the real server; it spawns the real server as a child and relays the
newline-delimited JSON-RPC traffic both ways, intercepting only
tools/call. Everything else (initialize, tools/list, notifications)
passes through untouched, so it works with any compliant MCP server.
Develop
pip install -e ".[dev]"
pytest -q
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file shieldclaw_mcp-0.1.0.tar.gz.
File metadata
- Download URL: shieldclaw_mcp-0.1.0.tar.gz
- Upload date:
- Size: 10.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c9f375894df4cf2d533d923e48d76a3ab3050ea57567b3b580f59729a1caf546
|
|
| MD5 |
a6128276ebf6b93ba3c72e40c6b53ec1
|
|
| BLAKE2b-256 |
5844bd1e9ac23d55e62b0f825b1c1e21ac26a6e79b46401f86eb3ee7ae65085f
|
File details
Details for the file shieldclaw_mcp-0.1.0-py3-none-any.whl.
File metadata
- Download URL: shieldclaw_mcp-0.1.0-py3-none-any.whl
- Upload date:
- Size: 9.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2a0b9ac28847f724b78f0d4448bbb19d2280692fd32b6f1f7ea1714062ff859a
|
|
| MD5 |
70b6b0ad47185d15588ad98b2634ef16
|
|
| BLAKE2b-256 |
2be9d845760341646452641908b1b8785bf93e2a8d074fdc63467beb4b093093
|
