
MCP Guardian: A Security-First Layer for Safeguarding MCP-Based AI System

Sonu Kumar, Anubhav Girdhar, Ritesh Patil, Divyansh Tripathi
Sporo Health, Involead, Capgemini, Indian Institute of Technology Roorkee, Arc Steam Technologies, H&R Block, Deloitte USI, Kodryx AI
Advanced Natural Language Processing 2025 (2025)
Agent Benchmark

📝 Paper Summary

Agentic AI Security Tool Integration
MCP Guardian is a middleware layer that secures AI agents using the Model Context Protocol by intercepting tool calls to enforce authentication, rate-limiting, and malicious pattern scanning.
Core Problem
The open Model Context Protocol (MCP) standardizes AI-tool interactions but lacks built-in security, leaving systems vulnerable to malicious servers, prompt injection, and data exfiltration.
Why it matters:
  • Agentic workflows autonomously interact with critical file systems and databases, creating vast attack surfaces.
  • Without protocol-level safeguards, attackers can use tool poisoning or command injection to compromise infrastructure.
Concrete Example: An attacker hides a malicious prompt in a seemingly benign addition tool's documentation (tool poisoning), tricking the AI into silently reading and exfiltrating SSH keys (e.g., ~/.ssh/id_rsa) to an external server. Current open MCP implementations blindly pass this request, whereas the proposed middleware scans and blocks it.
Key Novelty
MCP Guardian Middleware
  • Intercepts every tool call between the Artificial Intelligence (AI) client and external MCP server at a centralized choke point.
  • Applies a stack of security checks (token validation, rate limits, firewall rules) before allowing the AI to execute the requested tool.
Evaluation Highlights
  • Successfully blocked destructive system commands like 'rm -rf /' via Web Application Firewall (WAF) regex scanning
  • Effectively mitigated high-frequency abuse by enforcing a 5-requests-per-minute rate-limit threshold
  • Introduced minimal performance overhead, increasing median tool execution latency by only 3.8 ms
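The three-stage check described under Key Novelty (token validation, rate limiting, WAF regex scanning) and exercised in the Evaluation Highlights (blocking 'rm -rf /', a 5-requests-per-minute limit) can be sketched as a single choke-point middleware. The following is an added illustration written for this summary; it is not the paper's MCP Guardian code. The token table, the regex rules, the `MCPGuardian` class, and the `Decision` type are all constructed here, and the rule set is deliberately small.

```python
"""Minimal MCP-Guardian-style middleware (added illustration, not the paper's code).

Every tool call passes through MCPGuardian.check(), which applies, in order:
  1. token validation      -- the caller must present a known token
  2. per-client rate limit -- sliding window, default 5 calls / 60 s
  3. WAF regex scan        -- string arguments matched against block rules
A call is forwarded to the real MCP server only if every stage passes.
"""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Any, Callable, Deque, Dict, Iterator, List, Pattern, Tuple

# Constructed sample credentials: token -> client id. A real deployment would
# back this with a secret store or an identity provider.
VALID_TOKENS: Dict[str, str] = {"tok-agent-alpha": "agent-alpha"}

# Constructed WAF rules. Each pattern targets a class of request the summary
# describes: destructive filesystem commands, SSH private-key access, and
# outbound uploads that could carry exfiltrated data.
WAF_RULES: List[Tuple[str, Pattern[str]]] = [
    ("destructive_rm", re.compile(r"\brm\s+-\w*r\w*\s+/(?:\*|\s|$)")),
    ("ssh_private_key", re.compile(r"(?:~|/home/[^/\s]+|/root)/\.ssh/")),
    ("exfil_upload", re.compile(
        r"\b(?:curl|wget)\b[^\n]*\s(?:--data(?:-binary|-raw)?|-d|--upload-file|-T)\b")),
]


@dataclass
class Decision:
    allowed: bool
    reason: str  # "ok" or "<stage>: <detail>"


def iter_strings(value: Any) -> Iterator[str]:
    """Yield every string nested anywhere in a JSON-like argument object."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from iter_strings(k)
            yield from iter_strings(v)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from iter_strings(item)


class MCPGuardian:
    def __init__(self, tokens: Dict[str, str], rules: List[Tuple[str, Pattern[str]]],
                 limit: int = 5, window_s: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.tokens = tokens
        self.rules = rules
        self.limit = limit
        self.window_s = window_s
        self.clock = clock  # injectable so the window can be tested deterministically
        self.windows: Dict[str, Deque[float]] = defaultdict(deque)

    def check(self, token: str, tool_name: str, arguments: Any) -> Decision:
        client = self.tokens.get(token)
        if client is None:
            return Decision(False, "auth: unknown token")

        # Sliding-window limiter: drop timestamps older than the window, then
        # count this attempt whether or not the WAF later blocks it.
        now = self.clock()
        window = self.windows[client]
        while window and now - window[0] >= self.window_s:
            window.popleft()
        if len(window) >= self.limit:
            return Decision(False, f"rate_limit: {client} exceeded {self.limit}/{self.window_s:.0f}s")
        window.append(now)

        # Flatten nested arguments into one text so a command split across
        # arguments (e.g. ["rm", "-rf", "/"]) is scanned as a unit.
        text = "\n".join(iter_strings(arguments))
        for name, pattern in self.rules:
            if pattern.search(text):
                return Decision(False, f"waf:{name}")
        return Decision(True, "ok")


if __name__ == "__main__":
    guard = MCPGuardian(VALID_TOKENS, WAF_RULES)
    for tool, args in [("read_file", {"path": "README.md"}),
                       ("run_shell", {"command": "rm -rf /"}),
                       ("read_file", {"path": "~/.ssh/id_rsa"})]:
        print(tool, args, "->", guard.check("tok-agent-alpha", tool, args))
```

Blocked attempts still count against the client's window, so a caller that keeps probing the WAF also runs into the rate limit; the `clock` parameter exists only so the window can be driven in tests. The regex stage has the limitation the summary itself notes: patterns catch known shapes such as `rm -rf /` but not paraphrased or encoded variants.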
Breakthrough Assessment
7/10
Provides a practical, much-needed security layer for the emerging MCP standard, though the current regex-based WAF and localized logging require future machine-learning enhancements for complex threats.