use case

MCP server security: put a gate in front of the tools your agent can call

the short answer

MCP servers expose tools that an AI agent can call directly — including destructive ones like deleting records, dropping tables, or running shell commands — and because the agent decides when to call them, the safety question is at the call site; routing the agent's MCP traffic through agent·shield lets you forward safe tool calls instantly and hold destructive ones for human approval, with every call logged.

The Model Context Protocol made it easy to give agents real capabilities: connect an MCP server and the agent can suddenly query your database, hit your APIs, manage files, or run commands. That's the appeal and the risk in one move — every tool you expose is a tool the agent can decide to call, including the ones that delete, drop, and overwrite.

MCP itself is a connection standard, not a safety system. Whether a given tool call is a good idea is left to the agent's judgment, which is exactly the thing you can't fully trust. This page is about adding a control layer in front of MCP tool calls so that the destructive ones don't execute on the model's say-so alone.

at the call sitethe dangerous moment is when the agent invokes a tool — that's where agent·shield places the gate
open agent·shieldabout agent·shield

MCP gives reach; it doesn't give judgment

An MCP server's job is to expose tools and route calls to them. It does that well, and deliberately doesn't take a position on whether a particular call should happen — that's the agent's decision. So the security model of "agent + MCP server" is really just the agent's judgment, and an agent's judgment is a probabilistic model that can be injected, confused, or simply mistaken. The more powerful the tools you connect, the more a single bad call can cost.

This is the same problem agents have everywhere, sharpened by how easy MCP makes it to grant power. Connect a database tool and a wrong call drops a table. Connect a shell tool and a wrong call runs rm -rf. The tools are doing exactly what they were built to do; the question is whether you want them firing the instant the model decides, with nothing in between.

A proxy in front of the tool calls

Because MCP tool calls travel over HTTP, you can put a transparent proxy in their path. agent·shield sits between the agent and the server it calls, inspecting each request — method, path, and body — against your policies. Safe tool calls (reads, lookups, routine writes) are forwarded instantly, so the agent uses its tools at full speed. Calls that match a destructive pattern are held in an approval queue, and a person approves or denies before the tool ever runs.

The integration is the deliberately boring part: you point the agent's outbound base URL at agent·shield rather than at the tool endpoint directly, and nothing about the agent or the MCP setup has to change. No SDK, no wrapping each tool with a confirmation step, no fork of the server. The gate is infrastructure in front of the tools, which means it covers every tool the traffic flows through, including ones you add later.

Know exactly what your tools were asked to do

When an agent has a pile of connected tools, the scariest question is the vague one: what has it actually been doing with them? agent·shield answers it concretely. Every tool call — forwarded, blocked, held, approved, denied — is written to an append-only audit log with the full request, the policy it matched, who decided, and when. You can reconstruct precisely which tools were invoked, with what arguments, and what was allowed.

That record also makes it safe to expose more capability over time. Start by holding any call that looks destructive, watch the queue and the log, and relax the policies for tool calls that prove routine — tightening if something surprising shows up. To be exact about scope: agent·shield governs the MCP and tool traffic you route through it, so point those calls at the proxy and that's the set it protects. It's a control layer on tool use, not a replacement for the server's own auth.

how it works

  1. 01

    Inventory your connected tools

    List the MCP tools the agent can call and flag the destructive ones — delete, drop, overwrite, shell execution, anything irreversible.

  2. 02

    Proxy the agent's tool traffic

    Point the agent's outbound base URL at agent·shield instead of straight at the tool endpoints. No SDK and no changes to the MCP server.

  3. 03

    Write policies for the risky calls

    Express the destructive tool calls as policies — regex over method, path, and body. Matching calls are held; everything else forwards instantly.

  4. 04

    Approve or deny held tool calls

    Review each held call with full context and approve (it forwards to the tool) or deny (the tool never runs).

  5. 05

    Audit and expand safely

    Use the append-only log to see exactly which tools were called and how, then relax policies for routine calls and keep the gate on the dangerous ones.

frequently asked

Doesn't MCP already handle security?
MCP is a protocol for connecting tools to agents, not a policy engine. It handles transport and tool discovery; it doesn't decide whether a given tool call is safe to run. agent·shield adds that decision in front of the calls, holding destructive ones for human approval.
Do I have to modify my MCP server to add agent·shield?
No. agent·shield is a transparent proxy — you route the agent's outbound traffic through it and leave the MCP server alone. There's no SDK, no fork, and no per-tool confirmation code to write.
Which MCP tool calls get held?
Whichever you flag as destructive in policy: deletes, drop-table, overwrites, shell execution, and similar irreversible calls. agent·shield matches on method, path, and body, so you control exactly which tool invocations need a human.
Can I see a history of every tool the agent called?
Yes. Every tool call that passes through agent·shield — forwarded, blocked, held, approved, or denied — is recorded in an append-only audit log with the full request, the matched policy, the actor, and the timestamp.

Published May 26, 2026 · Last updated June 13, 2026

more on agent·shield

agent·shielda human in the loop for your ai agents

ready to try agent·shield?

open agent·shield