Hi HN,<p>MCP Defender is an open source desktop app that automatically proxies your MCP traffic in AI apps like Cursor, Claude, Windsurf and VSCode. It then scans all requests and responses between the apps and the MCP tools they call. If it detects anything malicious, it alerts you and lets you allow or block the tool call.<p>While the threat landscape of MCP is still being actively researched, there are dangerous things that MCP Defender can block today. For example, a developer asks Cursor to fix a Github issue with an attached crash log. However, the Github issue was created by an attacker who included secret instructions buried in the crash log. These instructions tell Cursor to send the developer’s SSH keys to a server the attacker controls. MCP Defender detects these malicious instructions and alerts the developer who otherwise may not be careful in running tool calls.<p>The scanning is currently done via an LLM and checks for things like prompt injection, credential theft (ssh keys, tokens) and arbitrary code execution. You can use an MCP Defender account or provide your own API keys for LLM providers to perform the scanning.<p>Currently we’ve published a beta Mac build and we’ll soon publish builds for Windows and Linux as well.<p>Any feedback would be greatly appreciated.<p>Thanks!
This looks interesting, but anytime security is offloaded to an LLM I am extremely skeptical. IMO the right way to do this is to enforce permissions explicitly through a AuthZ policy. Something like what Toolhive [0] is doing is the right way I think.<p>All MCP comms from client to server go through an SSE proxy which has AuthN and AuthZ enabled. You can create custom policies for AuthZ using Cedar [1].<p>[0] <a href="https://github.com/stacklok/toolhive">https://github.com/stacklok/toolhive</a>, <a href="https://github.com/stacklok/toolhive/blob/main/docs/authz.md">https://github.com/stacklok/toolhive/blob/main/docs/authz.md</a><p>[1] <a href="https://docs.cedarpolicy.com/" rel="nofollow">https://docs.cedarpolicy.com/</a>
If your application can be significantly diverted from its intended purpose by the presence of instructions in a normal input file, your application is unsuitable for production workloads.<p>This feels like installing an "antivirus" addon into wordpress instead of updating php.
What’s to stop an attacker from using prompt injection against this firewall? I don’t understand how your AI is anymore secure than the AI it’s protecting
I know I'm being extremely ignorant here, you are seeing my thought process live, but antivirus/firewall for AI? I'm sure the likes of Bitdefender etc. will start including something like this if it's real. I just can't believe any of this is real. After computers and phone, is AI the next market for antiviruses, 1 click optimizing tools and registry cleaners?<p>Kudos to you for making something, but if this is the next gold rush I want a piece of it too. Never took this AI, mcp, cursor business seriously because I thought of them as just poor boiler plates for web dev. I was wrong.
How are you intercepting the huge variety of network calls and range of protocols that a local MCP service can make? Are you between the client and process? Or do you only support remote MCP?