ScopeBlind protect-mcp
v1.0.0
MCP security gateway. Wraps any MCP server with per-tool policies, Ed25519-signed decision receipts, and human approval gates. Shadow mode logs everything wi...
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the runtime instructions: the SKILL.md shows how to run 'protect-mcp' via npx/npm, configure policies, and initialize signing. Declaring npx in metadata and using an npm install is proportionate to a CLI tool delivered via the npm ecosystem.
Instruction Scope
Instructions tell the agent to run npx protect-mcp commands that wrap a server process, generate Ed25519 keypairs, and write receipts; they do not ask for unrelated system files or credentials. However, the SKILL.md does not specify where keys/receipts are stored or how long they persist, which is important because secrecy and local file writes are involved.
Install Mechanism
The install recommendation uses npm (npm install -g protect-mcp@latest) and runtime uses npx. This is a standard distribution mechanism for CLI tools but it does mean remotely-published code will be downloaded and executed on the host. No install tarball from a random URL is used, but npm packages can still contain arbitrary install scripts — verify the package source/maintainers before installing globally.
Credentials
The skill requests no environment variables or external credentials, which aligns with its intended local-proxy functionality. Caveat: the tool will generate and persist cryptographic keys and receipts locally (not declared as env/config paths), so consider where those secrets land and who can read them.
Persistence & Privilege
always:false (normal). The allowed-tools include Bash/Read/Write, which are necessary for running the proxy and creating keys/files. Installing the package globally (npm -g) writes to the system/npm directories and may require elevated permissions on some systems — run with care or use a container/virtualenv.
Assessment
This skill appears internally consistent: it’s a CLI tool distributed via npm and the SKILL.md uses npx/npm in ways that match the description. However, installing and running third-party npm packages executes remote code and the tool will generate signing keys and write receipts to disk. Before installing:
- Verify the npm package page, maintainers, and recent release history (don’t blindly run @latest).
- Inspect the package source (npm view, GitHub repo) or run it in an isolated container or VM first.
- Prefer a specific pinned version rather than @latest to avoid supply-chain surprises.
- Find out where the tool stores private keys/receipts and protect those files (restrict filesystem permissions, back them up if needed).
- Consider running 'npx protect-mcp --help' and reviewing docs on scopeblind.com and the npm listing before global install.
If you cannot verify the package authorship or are uncomfortable granting filesystem execution rights, run the tool in an isolated environment or decline installation.
protect-mcp — MCP Security Gateway
What This Skill Does
Wraps any MCP server as a transparent stdio proxy with per-tool security policies and cryptographic audit trail. Every tool call decision is logged and optionally Ed25519-signed.
Quick Start
```sh
# Shadow mode — log everything, block nothing
npx protect-mcp -- node your-server.js

# Enforce mode — apply per-tool policies
npx protect-mcp --policy policy.json --enforce -- node your-server.js

# Initialize signing (generates Ed25519 keypair)
npx protect-mcp init
```
Policy Example
```json
{
  "tools": {
    "db_write": { "decision": "deny" },
    "file_read": { "decision": "allow", "rateLimit": { "maxCalls": 30, "windowSecs": 60 } },
    "deploy": { "decision": "require_approval" }
  }
}
```
Pre-built Policy Packs
protect-mcp ships CVE-anchored policy packs:
```sh
# List available policies
npx protect-mcp policies

# Apply the Clinejection prevention policy
npx protect-mcp --policy clinejection --enforce -- node your-server.js
```
Verify Receipts
Receipts are independently verifiable offline — no ScopeBlind dependency:
```sh
npx @veritasacta/verify receipt.json
npx @veritasacta/verify --self-test
```
OWASP MCP Top 10 Coverage
| Risk | Control |
|---|---|
| MCP-01 Rug Pulls | Signed tool manifests; policy pins allowed tools |
| MCP-03 Tool Poisoning | Per-tool allow/deny/rate-limit policies |
| MCP-04 Tool Arg Injection | Argument inspection + approval gates |
| MCP-07 Auth/AuthZ | Trust-tier gating |
| MCP-08 Logging & Audit | Ed25519-signed receipts — verifiable offline |
| MCP-09 Excessive Agency | Shadow mode reveals actual tool usage |
