MCP Context Protector MCP Server

Local setup required. This server has to be cloned and prepared on your machine before you register it in Claude Code.

Step 1: Set the server up locally

Run this once in a terminal to clone and prepare the server before adding it to Claude Code.

git clone https://github.com/trailofbits/mcp-context-protector
cd mcp-context-protector
uv sync

Step 2: Register it in Claude Code

After the local setup is done, run this command in a terminal to point Claude Code at the wrapper. As the README below shows, mcp-context-protector is launched through its mcp-context-protector.sh script (not a node dist/index.js), and it needs the command of the MCP server it should protect passed via --command:

claude mcp add wrapped_acme_server -- "<FULL_PATH_TO_MCP_CONTEXT_PROTECTOR>/mcp-context-protector.sh" --command "/path/to/node /path/to/acme/server.js"

Replace <FULL_PATH_TO_MCP_CONTEXT_PROTECTOR> with the folder you prepared in step 1, and the --command value with the command that launches the server you want to wrap.

README.md

A security wrapper for MCP servers that provides trust-on-first-use pinning.

mcp-context-protector

Overview

mcp-context-protector is a security wrapper for MCP servers that addresses risks associated with running untrusted MCP servers, including line jumping, unexpected server configuration changes, and other prompt injection attacks. Implementing these security controls through a wrapper (rather than through a scanner that runs before a tool is installed or by adding security features to an MCP host app) streamlines enforcement and ensures universal compatibility with all MCP apps.

Features

  • Trust-on-first-use pinning of server configurations
  • Automatic blocking of unapproved configuration changes
  • Guardrail scanning and quarantining of tool responses
  • ANSI control character sanitization
  • Assisted editing of mcp.json files

Quickstart

Installation:

# Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh
# Download mcp-context-protector
git clone https://github.com/trailofbits/mcp-context-protector
# Install dependencies
cd mcp-context-protector
uv sync

To make it easier to launch mcp-context-protector, we recommend updating mcp-context-protector.sh to contain the full path to uv. Some MCP clients, including Claude Desktop, replace the PATH environment variable with a minimal set of paths when launching MCP servers, which can make your claude_desktop_config.json file unwieldy and hard to maintain. Including a full path to uv in the launcher helps mitigate this problem.

Now configure your client to run your MCP servers through mcp-context-protector, and tool configuration pinning will automatically be enabled. Here's a sample Claude Desktop config:

{
  "mcpServers": {
    "wrapped_acme_server": {
      "command": "/path/to/mcp-context-protector/mcp-context-protector.sh",
      "args": ["--command", "/path/to/node /path/to/acme/server.js"]
    }
  }
}

Alternatively, use --command-args to have mcp-context-protector concatenate all arguments that follow into one command string:

{
  "mcpServers": {
    "wrapped_acme_server": {
      "command": "/path/to/mcp-context-protector/mcp-context-protector.sh",
      "args": ["--command-args", "/path/to/node", "/path/to/acme/server.js", "--acme-enhanced"]
    }
  }
}

TL;DR: use --command-args if your MCP client mangles your stdio server command, but be careful with escaping of shell metacharacters.

Longer explanation: Some clients (including, as of this writing, Cursor) will construct their MCP server commands by concatenating the arguments together into a space-delimited string. That is, mcp-context-protector.sh --command "cmd arg1 arg2 --arg3" will become mcp-context-protector.sh --command cmd arg1 arg2 --arg3, and mcp-context-protector will think arg1 through --arg3 are meant as arguments to the wrapper, not to the child command. The --command-args option addresses this issue.

Security risks and controls

Risk                                          | Relevant control
Line jumping                                  | Server configuration blocking, approval and pinning; guardrail evaluation of server instructions and tool descriptions
Server configuration changes/rug pulls        | Server configuration pinning
User deception through ANSI control characters | ANSI control character sanitization
Other prompt injection attacks                | Tool response guardrails and quarantining

Server configuration pinning

mcp-context-protector uses a trust-on-first-use pinning system for MCP server configurations. Any deviation from the approved/known-good server configuration will block downstream tool calls until the user explicitly approves the changed server configuration. Server approval is handled through mcp-context-protector's command-line interface.

To decide whether a server configuration is equivalent to an approved one, mcp-context-protector compares server instructions, tool descriptions, and tool input schemas. Comparisons are semantic and ignore irrelevant factors such as tool order and parameter order.

The database of server configurations is stored in a JSON-encoded file whose default location is ~/.mcp-context-protector/servers.json. If a server configuration is in that file, it's approved and will run without tool blocking and without requiring user approval. The wrapper server checks downstream server configurations as soon as the connection is initiated and again whenever the wrapper receives a notification that the downstream server's tools have changed (notifications/tools/list_changed).

Servers are uniquely identified in this file by their type and an identifier, which is either a URL or the command string that launches the server. mcp-context-protector does not care about changes to a server's name in the host app's configuration (such as the claude_desktop_config.json file). If the command string (or URL) is unchanged, it's treated as the same server, and if the command string has changed, even in inconsequential ways, it's treated as a different
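The comparison and identity rules described above, as an added illustration that is not the project's own code: it assumes a simplified servers.json record shape (type, identifier, instructions, tools) and uses constructed sample configurations, one merely reordered and one with a tool description edited after approval.

```python
import copy
import json

# Constructed sample pinned record; the real servers.json layout is an assumption here.
PINNED_DB = [{
    "type": "stdio", "identifier": "/path/to/node /path/to/acme/server.js",
    "instructions": "Use the acme tools to manage widgets.",
    "tools": [
        {"name": "list_widgets", "description": "List widgets.",
         "inputSchema": {"type": "object", "properties": {
             "limit": {"type": "integer"}, "filter": {"type": "string"}}}},
        {"name": "delete_widget", "description": "Delete a widget by id.",
         "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}},
                         "required": ["id"]}},
    ],
}]

def canonical(config):
    # Keep only instructions, tool descriptions and input schemas; sorting tools by name
    # and object keys (sort_keys) makes tool order and parameter order irrelevant.
    tools = sorted(({"name": t["name"], "description": t.get("description", ""),
                     "inputSchema": t.get("inputSchema", {})} for t in config["tools"]),
                   key=lambda t: t["name"])
    return json.dumps({"instructions": config.get("instructions", ""), "tools": tools},
                      sort_keys=True)

def is_approved(observed, pinned_db=PINNED_DB):
    # Identity is (type, URL or command string), not the host app's server name.
    # A False result is where the wrapper blocks tool calls pending user approval.
    return any((p["type"], p["identifier"]) == (observed["type"], observed["identifier"])
               and canonical(p) == canonical(observed) for p in pinned_db)

def changed_tools(pinned, observed):
    # Added, removed and modified tools: what the user should see before approving.
    a = {t["name"]: json.dumps(t, sort_keys=True) for t in pinned["tools"]}
    b = {t["name"]: json.dumps(t, sort_keys=True) for t in observed["tools"]}
    return {"added": sorted(b.keys() - a.keys()), "removed": sorted(a.keys() - b.keys()),
            "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n])}

def reordered_copy():
    # Same server, tools and schema properties listed in a different order (constructed).
    c = copy.deepcopy(PINNED_DB[0])
    c["tools"].reverse()
    c["tools"][1]["inputSchema"]["properties"] = {"filter": {"type": "string"}, "limit": {"type": "integer"}}
    return c

def rug_pull_copy():
    # Same command string, but a tool description was edited after approval (constructed).
    c = copy.deepcopy(PINNED_DB[0])
    c["tools"][1]["description"] = "Delete a widget by id and all of its children."
    return c
```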

Configuration

claude_desktop_config.json
{
  "mcpServers": {
    "wrapped_acme_server": {
      "command": "/path/to/mcp-context-protector/mcp-context-protector.sh",
      "args": ["--command", "/path/to/node /path/to/acme/server.js"]
    }
  }
}

Try it

Secure my existing MCP server configuration by wrapping it with the context protector.
Check if my current MCP server configuration has been modified or tampered with.
Review the guardrail status for the tools provided by my connected MCP servers.

Frequently Asked Questions

What are the key features of MCP Context Protector?

Trust-on-first-use pinning of server configurations. Automatic blocking of unapproved configuration changes. Guardrail scanning and quarantining of tool responses. ANSI control character sanitization. Assisted editing of mcp.json files.

What can I use MCP Context Protector for?

Protecting against prompt injection attacks in untrusted MCP servers. Preventing unexpected server configuration changes or 'rug pulls'. Mitigating line jumping risks by validating server instructions and tool descriptions. Sanitizing ANSI control characters to prevent user deception.

How do I install MCP Context Protector?

Install MCP Context Protector by running: git clone https://github.com/trailofbits/mcp-context-protector && cd mcp-context-protector && uv sync

What MCP clients work with MCP Context Protector?

MCP Context Protector works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.
