Open source · MIT licensed · v0.2.0

Security for the protocol Anthropic refused to secure.

In April 2026, security researchers disclosed a critical RCE vulnerability in Anthropic's Model Context Protocol — affecting 150 million SDK downloads and 200,000+ vulnerable production servers. Anthropic confirmed the behavior is by design and stated that sanitization is the developer's responsibility. We took that seriously.

Get the scanner Join Runtime waitlist
$ pip install aegibit-mcp-shield
200,000+
production MCP servers vulnerable to RCE in the April 2026 disclosure
150M
downloads of Anthropic's MCP SDKs across affected language ecosystems
9 / 11
public MCP registries successfully poisoned in proof-of-concept attacks
0
vendor patches issued. Anthropic's response: "by design — developer's responsibility."
The product

Two layers of defense. One mission.

A free open-source scanner that catches MCP security issues at the schema and configuration layer, and a commercial runtime that watches every live tool call in production — with the audit trail your auditors actually accept.

Free · MIT
Scanner

Static analysis of any MCP tool manifest or server config. Detects tool poisoning, prompt injection, hidden-Unicode steganography, dangerous schemas, embedded secrets, unsafe stdio launch patterns, and insecure HTTP transports. One command, JSON or text output, exits non-zero on critical findings — drop it directly into CI.

Coming soon · Free tier + paid
Runtime

Sits inline on production MCP traffic. Enforces policy in real time. Logs every tool call to a tamper-evident audit trail. Pauses high-risk actions for human approval. Slack and PagerDuty alerts on suspicious activity. Free tier for solo developers, paid tiers for teams.

Q3 2026
Compliance Reports

One-click audit reports for SOC 2, ISO 42001, and India's DPDP Act. Maps every agent action to the controls your auditors care about. Built for Indian SaaS exporters and global mid-market.

v0.2.0 · five checks shipped

Every layer. Every attack class.

The scanner ships with five real security checks across two manifest shapes — the tool surface (what your agent sees) and the server surface (how your agent connects). Every finding is actionable, every detail tells you what to fix.

AEG-MCP-001
Tool poisoning detection
Target: tool manifest
  • Hidden Unicode characters in tool name or description — zero-width chars, U+E0000 tag chars CRITICAL
  • Prompt injection patterns — "ignore previous instructions", system-prompt markers HIGH
  • Dangerous capability exposure — exec / shell / eval / subprocess in tool definitions HIGH
  • Suspiciously long descriptions hiding instructions in walls of text MEDIUM
AEG-MCP-002
Schema hardness audit
Target: tool manifest
  • Path-like parameters without validation — directory traversal risk HIGH
  • URL-like parameters without scheme/host constraints — SSRF risk HIGH
  • Tool with no inputSchema at all — agent has no contract to validate against HIGH
  • Unbounded strings with no pattern, enum, or maxLength MEDIUM
  • Object schemas without additionalProperties:false — parameter smuggling LOW
AEG-MCP-003
Secret exposure detection
Target: tool manifest
  • AWS Access Keys, GitHub PATs, Stripe keys, Slack tokens CRITICAL
  • OpenAI / Anthropic / Google API keys, JWT tokens, PEM private keys CRITICAL
  • Generic password=, api_key=, Bearer … patterns HIGH
  • Recursive scan over the entire raw manifest — catches secrets in defaults, examples, enum values
  • Redacted previews only — full credentials are never echoed in logs
AEG-MCP-004
STDIO launch hardening
Target: server config
  • Unpinned package runners (npx / uvx / pipx / bunx) — supply chain risk CRITICAL
  • Shell wrappers (bash -c, cmd /c, powershell -c) — RCE surface CRITICAL
  • Executables in user-writable locations (/tmp/, ~/Downloads/) HIGH
  • Credential-shaped env var names passed to the server MEDIUM
AEG-MCP-005
Transport security
Target: server config
  • Plain HTTP to non-localhost — cleartext MCP traffic CRITICAL
  • Userinfo embedded in URL (https://u:p@host) — credentials in every log CRITICAL
  • Disabled TLS validation hints — insecure:true, verify_tls:false HIGH
  • URL fails to parse — silent misconfiguration MEDIUM
Live mode

Static analysis is not enough. So we ship live-probe.

Static checks read the blueprints. Live-probe sends an actual auditor: it spawns the MCP server (or connects over HTTPS), calls initialize + tools/list, and runs every tool check on the response your agent will actually see.

Stdio and HTTP transports both supported. Stdlib-only client — no new runtime dependencies, no hidden network calls, no surprises.

aegibit-mcp probe — production-mcp.example.com
$ aegibit-mcp probe --url https://mcp.example.com/v1 \ --header "Authorization=Bearer $TOKEN" [!] probe mode launches/connects to the target MCP server. Only probe servers you trust. [+] connected. Server returned 12 tool(s). ============================================================== AEGIBIT MCP Shield v0.2.0 — scan results ============================================================== Total findings: 3 CRITICAL: 1 HIGH: 2 MEDIUM: 0 LOW: 0 INFO: 0 -------------------------------------------------------------- [CRITICAL] AEG-MCP-001 — Hidden Unicode in tool description Tool: list_files Detail: Found U+200B ZERO WIDTH SPACE — known tool-poisoning steganography vector. [HIGH ] AEG-MCP-002 — Path-like parameter without validation: 'path' Tool: read_file Detail: Risk: directory traversal (e.g., '../../etc/passwd'). [HIGH ] AEG-MCP-003 — Possible secret exposed: AWS Access Key ID Tool: deploy Detail: Sample (redacted): AKIA...MPLE (len=20). -------------------------------------------------------------- EXIT_CODE=1 (CI/CD blocks the deploy)

Get early access to the Runtime.

The open-source scanner is yours to use today. Drop your email and we'll let you know when the Runtime alpha opens — typically a 2–3 week wait.

No spam. No retargeting pixels. Unsubscribe with one click.

FAQ

Questions we get. Answers we give.

Is the scanner really free forever?
Yes. MIT-licensed, no asterisks. We will not retroactively gate features behind a paid tier. The Runtime is what we charge for — the scanner is the work the world needs done either way.
How does the Runtime differ from the scanner?
The scanner does static analysis on tool manifests and server configs. The Runtime does inline runtime enforcement on live MCP traffic — policy, audit trail, approval workflows. Different jobs.
Is this Anthropic-only?
No. MCP is a protocol — the scanner and Runtime work with any MCP server, regardless of which vendor ships the client (Claude Desktop, Cursor, Windsurf, VS Code, Gemini-CLI, GitHub Copilot, custom).
How do you handle compliance — SOC 2, ISO 27001, ISO 42001, DPDP?
The Runtime's audit trail is built to satisfy each of these frameworks' evidence requirements. The dedicated Compliance Reports module ships Q3 2026.
Is this venture-backed?
No. AEGIBIT is bootstrapped. We will not raise capital that compromises our security-first focus.
Where are you based?
India, with a global focus.
How do I report a vulnerability you missed?
Email contact@aegibit.com or open a GitHub security advisory. We respond within 24 hours.