/mcp

MCP security that maps to OWASP MCP Top 10.

A Clampd-guarded proxy in front of any downstream MCP server. Every tools/list and tools/call routed through the gateway: descriptor hashing for rug-pull detection, scope tokens, prompt injection detection on tool params, response-side PII scanning, full audit trail. Plug into Claude Desktop or any MCP client today.

pip install clampd python -m clampd.mcp_server --downstream "..."

Modes: stdio proxy · TS proxy Maps to: OWASP MCP Top 10 — MCP02, MCP03, MCP05, MCP06, MCP10 Verified incidents: CVE-2026-33032 · LettaAI / Windsurf · Invariant Labs GitHub MCP

The problem

The Model Context Protocol is having its npm moment. Hundreds of servers shipped, devs are wiring them in like dependencies. The default MCP trust model has known gaps catalogued by the OWASP MCP Top 10:

MCP03 — Tool poisoning (includes rug pulls, schema poisoning, tool shadowing)
MCP02 — Privilege escalation via scope creep
MCP05 — Command injection and execution
MCP06 — Intent flow subversion (indirect prompt injection through tool responses)
MCP10 — Context injection and over-sharing

Public incidents have followed: CVE-2026-33032 (CVSS 9.8) in nginx-ui exposed an unauthenticated MCP message endpoint; a design flaw affected LettaAI, LangFlow, and Windsurf in April 2026; Invariant Labs disclosed prompt-injection against the official GitHub MCP server. Independent benchmarks report tool-poisoning success rates around 84% with auto-approval enabled.

How the proxy works

LLM client (Claude Desktop, custom MCP client, etc.)
       │
       │  MCP JSON-RPC (tools/list, tools/call)
       ↓
Clampd MCP proxy
       │
       │  1. Discovers tools from downstream via tools/list
       │  2. Computes contract_hash(name, description, parameters) per tool
       │  3. Caches descriptor hashes for the session
       │  4. Forwards tools/list to client (annotated)
       │
       ↓  On tools/call:
       │
       │  POST /v1/proxy → 9-stage Clampd gateway:
       │     - Auth, rate limiting
       │     - Tool descriptor hash match (rug pull check)
       │     - Intent classification (263 rules)
       │     - Policy decision
       │     - Scope token mint (if allowed)
       │     - Audit emit
       │
       ↓  If allowed:
       │
Downstream MCP server (filesystem, github, postgres, custom)

Integration flow

Drop-in MCP proxy. Catches tool-poisoning and rug-pulls before the client sees the call.

Install + run

# Python — proxy any stdio MCP server
pip install clampd

python -m clampd.mcp_server \
  --downstream "npx -y @modelcontextprotocol/server-filesystem /tmp" \
  --agent-id "<your-agent-uuid>" \
  --gateway https://gateway.clampd.dev

# TypeScript — same idea, npm package
npm install @clampd/sdk
npx clampd-mcp --downstream "npx -y @modelcontextprotocol/server-github" \
  --agent-id "<your-agent-uuid>"

For Claude Desktop, edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or the equivalent on your platform:

{
  "mcpServers": {
    "filesystem-guarded": {
      "command": "python",
      "args": [
        "-m", "clampd.mcp_server",
        "--downstream", "npx -y @modelcontextprotocol/server-filesystem /tmp",
        "--agent-id", "<your-agent-uuid>",
        "--gateway", "https://gateway.clampd.dev"
      ]
    }
  }
}

Restart Claude Desktop. Tools that used to call the filesystem server directly now flow through Clampd. Path traversal, sensitive-file reads (.env, .ssh/), and PII patterns in tool responses are all caught before the LLM sees them.

What the proxy adds

Tool descriptor hashing

SHA-256 over (name, description, parameters) per tool, computed at session start. If a downstream server changes a schema between deploys, the hash mismatches and the gateway returns a typed descriptor_hash_mismatch: denial. Direct defence against MCP rug pulls (MCP03).

Prompt injection on tool responses

Tool responses scanned before they enter the LLM context. Catches indirect prompt injection (MCP06) where a malicious server returns content designed to subvert the calling agent's instructions.

Scope-token enforcement

Each approved tool call gets a short-lived Ed25519-signed token bound to (tool, params). Tools that verify the token via JWKS gain anti-replay against captured tokens used with different params.

Session correlation

16 cross-call patterns watch for slow-drip exfiltration, schema-recon-then-attack, sawtooth risk evasion, cross-tool bridging. Per-call inspection alone misses these by design.

Full audit trail

Every tools/call goes to ClickHouse with full descriptor, params, response metadata, matched rules, decision reasoning. Closes MCP08 (lack of audit/telemetry) at the proxy layer.

Auto tool registration

Discovered tools appear in your dashboard for category assignment. Unmapped tools get empty scopes (denied by default), so a malicious MCP server can't introduce new tools that auto-bypass policy.

Honest limits

The descriptor-hash check protects against between-session schema mutation (the dominant rug-pull attack). It doesn't, on its own, catch within-session mutation in long-lived MCP sessions; that requires re-discovering tools mid-stream, which we're working on. The proxy is also not a sandbox — once the gateway approves, the downstream server runs with whatever process privileges it has. Combine with OS-level least-privilege for full defence.

Deep-dive reading

MCP Rug Pulls: when the tool you approved isn't the tool you call — the descriptor-hash defence walked through end-to-end
Session layers: 16 patterns for multi-step agent attacks — what the cross-call detection catches that single-call misses
PII in tool calls vs PII in tool responses — why bidirectional inspection matters for MCP traffic

Plug Clampd in front of any MCP server

Works with Claude Desktop, custom MCP clients, and any stdio-based MCP server. Self-hosted gateway free for under 25 agents.

Get a gateway → All products