What Is the Model Context Protocol (MCP)?
The Model Context Protocol (MCP) is an open standard that defines how AI models discover, connect to, and invoke external tools and data sources through a unified interface. Developed by Anthropic and adopted broadly across the AI industry, MCP provides a standardized way for AI agents to interact with file systems, databases, APIs, development tools, and any other service exposed through an MCP server. While MCP dramatically expands what AI agents can do, it also expands their attack surface by giving them access to powerful tools. SafeClaw by Authensor provides action gating for MCP-connected agents, enforcing deny-by-default policies on all MCP tool calls for agents built with Claude, OpenAI, or any MCP-compatible framework.
How MCP Works
MCP follows a client-server architecture:
MCP Hosts
The AI application (IDE, chatbot, agent framework) that initiates connections to MCP servers and routes tool calls from the AI model.
MCP Clients
Protocol-level clients within the host that maintain connections to individual MCP servers, handling message serialization and transport.
MCP Servers
Lightweight services that expose specific capabilities -- file operations, database queries, API integrations, development tools -- through a standardized interface. Each server declares the tools it provides, including names, descriptions, and parameter schemas.
The Tool Call Flow
- The MCP host connects to one or more MCP servers
- Each server advertises its available tools to the AI model
- The model selects and invokes tools based on its reasoning
- The MCP client routes tool calls to the appropriate server
- The server executes the tool and returns results
- The model processes results and continues its task
Why MCP Needs Safety Controls
MCP's power is also its risk. The protocol makes it easy to give AI agents access to dozens of tools across multiple servers. Without safety controls:
- Every MCP server expands the attack surface -- Each connected server adds new tools the agent can invoke
- Tool discovery is automatic -- The model sees all available tools and may use any of them
- Cross-server actions are possible -- An agent can chain tool calls across multiple servers (read data from one, send it to another)
- Server trust is assumed -- MCP does not inherently validate whether a tool call should be permitted
Securing MCP with SafeClaw
Install SafeClaw to add action gating to MCP tool calls:
npx @authensor/safeclaw
SafeClaw sits between the MCP client and the MCP server, intercepting every tool call:
# safeclaw.yaml
version: 1
defaultAction: deny
rules:
  # FILE SYSTEM MCP SERVER
  - action: file_read
    path: "./src/**"
    decision: allow
    reason: "Agent may read source code via filesystem MCP server"
  - action: file_write
    path: "./src/**"
    decision: escalate
    reason: "Source writes via MCP require review"
  # DATABASE MCP SERVER
  - action: database_query
    type: "SELECT"
    decision: allow
    reason: "Read-only database queries are permitted"
  - action: database_query
    type: "DELETE"
    decision: deny
    reason: "DELETE operations are never permitted"
  - action: database_query
    type: "DROP"
    decision: deny
    reason: "DROP operations are never permitted"
  # GIT MCP SERVER
  - action: git_commit
    decision: escalate
    reason: "Commits require developer review"
  - action: git_push
    decision: deny
    reason: "Pushing is not permitted for this agent"
  # EXTERNAL API MCP SERVERS
  - action: http_request
    domain: "api.approved-service.com"
    decision: allow
    reason: "Approved API endpoint"
  - action: http_request
    decision: deny
    reason: "Unapproved external API access"
This policy demonstrates how SafeClaw provides unified governance across multiple MCP servers: filesystem operations, database queries, git actions, and API requests are all subject to the same deny-by-default policy, regardless of which MCP server implements them.
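To make the tool call flow and the policy above concrete, here is an added example (not SafeClaw's code) of a hypothetical gate sitting between an MCP client and its servers: it inspects each JSON-RPC "tools/call" request, maps the server and tool name to a policy action, and evaluates a constructed mirror of the rules. The tool-to-action mapping, first-match rule order and fnmatch-style glob matching are assumptions made for this example.

```python
import fnmatch
import json
from urllib.parse import urlparse
# Constructed mirror of the safeclaw.yaml rules above; matching semantics are assumed.
DEFAULT_ACTION = "deny"
RULES = [
    {"action": "file_read", "path": "./src/**", "decision": "allow"},
    {"action": "file_write", "path": "./src/**", "decision": "escalate"},
    {"action": "database_query", "type": "SELECT", "decision": "allow"},
    {"action": "database_query", "type": "DELETE", "decision": "deny"},
    {"action": "database_query", "type": "DROP", "decision": "deny"},
    {"action": "git_commit", "decision": "escalate"},
    {"action": "git_push", "decision": "deny"},
    {"action": "http_request", "domain": "api.approved-service.com", "decision": "allow"},
    {"action": "http_request", "decision": "deny"},
]
# Assumed mapping from (MCP server name, tool name) to a policy action.
TOOL_ACTIONS = {
    ("filesystem", "read_file"): "file_read",
    ("filesystem", "write_file"): "file_write",
    ("database", "query"): "database_query",
    ("git", "git_push"): "git_push",
    ("fetch", "fetch"): "http_request",
}
def attributes(action, args):
    if action in ("file_read", "file_write"):
        return {"path": args.get("path", "")}
    if action == "database_query":  # statement type is the first SQL keyword
        sql = args.get("sql", "").strip()
        return {"type": sql.split(None, 1)[0].upper() if sql else ""}
    if action == "http_request":  # match on the host, never the full URL
        return {"domain": urlparse(args.get("url", "")).hostname or ""}
    return {}
def decide(action, attrs):
    # First matching rule wins; no match falls through to defaultAction.
    for rule in RULES:
        conds = {k: v for k, v in rule.items() if k not in ("action", "decision")}
        if rule["action"] == action and all(
                fnmatch.fnmatchcase(attrs.get(k, ""), v) for k, v in conds.items()):
            return rule["decision"]
    return DEFAULT_ACTION
def gate(server, request_json):
    # Gate one JSON-RPC "tools/call" request on its way from MCP client to server.
    req = json.loads(request_json)
    if req.get("method") != "tools/call":  # initialize, tools/list etc. pass through
        return "pass"
    params = req.get("params", {})
    action = TOOL_ACTIONS.get((server, params.get("name")))  # None matches no rule
    return decide(action, attributes(action, params.get("arguments", {})))
```

Note that this example matches the literal path string; a production gate must canonicalize paths (resolve ".." and symlinks) before glob matching, and an unmapped tool or an unknown server falls through to deny.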
MCP and Provider Agnosticism
A key property of MCP is that it works across AI providers. An MCP server that provides filesystem access works identically whether the AI model is Claude, GPT, Llama, or any other model that supports the protocol. SafeClaw mirrors this provider agnosticism -- its action gating works at the MCP tool call level, not at the model level, ensuring consistent safety enforcement regardless of the underlying AI provider.
MCP Security Considerations
Server Authentication
MCP servers should authenticate incoming connections to prevent unauthorized access. SafeClaw adds an authorization layer on top of authentication.
Tool Enumeration
The model sees all tools from all connected servers. Consider connecting only the MCP servers the agent actually needs for its current task (principle of least privilege).
Cross-Server Data Flow
An agent that can read from a database MCP server and write to a filesystem MCP server can exfiltrate database contents to local files. SafeClaw's deny-by-default approach controls both sides of this flow.
Server-Side Validation
MCP servers should validate parameters, but server-side validation alone is insufficient because it cannot enforce cross-server policies. SafeClaw provides the orchestration-level policy that governs all tool calls holistically.
SafeClaw's 446-test suite validates action gating across all tool call types that MCP servers commonly expose, ensuring consistent enforcement regardless of the server implementation.
Cross-References
- What Is Tool Use Safety in AI Agents?
- What Is Action Gating for AI Agents?
- What Is Agentic AI? Understanding Autonomous AI Agents
- What Is a Control Plane for AI Agent Safety?
- What Is Deny-by-Default for AI Agent Safety?
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw