MCP Snitch - The MCP Security Tool You Probably Need
Summary: the post examines the security weaknesses of GitHub MCP tooling, pointing to overprivileged tokens and the absence of runtime boundaries, and proposes an open-source proxy (MCP Snitch) to mitigate them through allowlist-based access control, runtime permission requests, API key detection and comprehensive logging.

2025-10-14 20:33:50 Author: www.reddit.com

With the recent GitHub MCP vulnerability demonstrating how prompt injection can leverage overprivileged tokens to exfiltrate private repository data, I wanted to share our approach to MCP security through proxying.

The Core Problem: MCP tools often run with full access tokens (GitHub PATs with repo-wide access, AWS creds with AdminAccess, etc.) and no runtime boundaries. It's essentially pre-sandbox JavaScript with filesystem access. A single malicious prompt or compromised server can access everything.

Why Current Auth is Broken:

  • Want to read one GitHub issue? Your token needs full repo access to ALL repositories

  • OAuth 2.1 RAR could fix this but has zero adoption

  • API providers have no economic incentive to implement granular, temporal scoping

MCP Snitch: An open source security proxy that implements the mediation layer MCP lacks:

  • Whitelist-based access control (default deny, explicitly allow operations)

  • Runtime permission requests with UI visibility

  • API key detection and blocking

  • Comprehensive logging of all operations

What It Doesn't Solve:

  • Supply chain attacks (compromised npm/pip packages)

  • Persistence mechanisms (SSH keys, cron jobs)

  • Out-of-band operations (direct network calls from MCP servers)

The browser security model took 25 years to evolve from "JavaScript can delete your file" to today's sandboxed processes with granular permissions. MCP needs the same evolution but the risks are immediate. Until IDEs implement proper sandboxing and MCP gets protocol-level security primitives, proxy-based security is the practical defense.

GitHub: github.com/Adversis/mcp-snitch
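The mediation layer the post describes (default-deny allowlist, runtime permission requests, credential detection, and an audit log) can be sketched as a policy function sitting between an MCP client and server. The block below is an added example written for this page; it is not MCP Snitch's code and does not reflect its policy format. It works on MCP's JSON-RPC `tools/call` request shape; the `Policy` layout, the JSON-RPC error codes, the `ask_user` callback and the sample messages are this example's own assumptions.

```python
"""Minimal MCP mediation policy: default-deny allowlist, runtime permission
prompts, credential detection in tool arguments, and an audit log.

Added illustration, not MCP Snitch's code. Only the `tools/call` message shape
is taken from MCP; the policy format, error codes and samples are assumptions.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Well-known credential formats: GitHub classic PAT, AWS access key ID, PEM key.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


@dataclass
class Policy:
    allow: Dict[str, List[str]] = field(default_factory=dict)  # server -> tools that pass silently
    ask: Dict[str, List[str]] = field(default_factory=dict)    # server -> tools needing confirmation


@dataclass
class Decision:
    verdict: str                      # "allow", "ask_allowed" or "deny"
    reason: str
    response: Optional[dict] = None   # JSON-RPC error returned to the client when denied


def find_secrets(value) -> List[str]:
    """Walk nested JSON arguments; return the names of credential patterns found."""
    hits: List[str] = []
    if isinstance(value, str):
        hits.extend(name for name, pat in SECRET_PATTERNS.items() if pat.search(value))
    elif isinstance(value, dict):
        for v in value.values():
            hits.extend(find_secrets(v))
    elif isinstance(value, list):
        for v in value:
            hits.extend(find_secrets(v))
    return hits


def _deny(req_id, code: int, message: str) -> dict:
    # Error codes in the -32000.. range are reserved for server-defined errors; values chosen here.
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def mediate(server: str, message: dict, policy: Policy,
            ask_user: Callable[[str, str, dict], bool], audit: List[dict]) -> Decision:
    """Decide whether one client->server JSON-RPC message may be forwarded."""
    method = message.get("method")
    if method != "tools/call":
        # initialize, tools/list, notifications: forwarded but still logged.
        audit.append({"server": server, "method": method, "verdict": "allow"})
        return Decision("allow", "non-tool message")

    params = message.get("params") or {}
    tool, args, req_id = params.get("name", ""), params.get("arguments") or {}, message.get("id")
    entry = {"server": server, "method": method, "tool": tool, "arguments": args}

    # 1. Credential-like values in arguments are blocked regardless of the allowlist:
    #    a prompt-injected agent trying to send a token somewhere would be caught here.
    secrets = find_secrets(args)
    if secrets:
        entry.update(verdict="deny", reason=f"secret in arguments: {secrets}")
        audit.append(entry)
        return Decision("deny", entry["reason"],
                        _deny(req_id, -32001, "blocked: credential-like value in arguments"))
    # 2. Explicitly allowlisted tools pass.
    if tool in policy.allow.get(server, []):
        entry.update(verdict="allow", reason="allowlisted")
        audit.append(entry)
        return Decision("allow", "allowlisted")
    # 3. Tools marked 'ask' require a runtime confirmation from the user.
    if tool in policy.ask.get(server, []):
        ok = ask_user(server, tool, args)
        entry.update(verdict="allow" if ok else "deny", reason="user approved" if ok else "user rejected")
        audit.append(entry)
        return (Decision("ask_allowed", "user approved") if ok
                else Decision("deny", "user rejected", _deny(req_id, -32002, "blocked: user rejected")))
    # 4. Everything else: default deny.
    entry.update(verdict="deny", reason="not in allowlist")
    audit.append(entry)
    return Decision("deny", "not in allowlist",
                    _deny(req_id, -32003, f"blocked: tool {tool!r} not allowlisted"))


# Constructed sample policy and traffic (not captured from a real client).
SAMPLE_POLICY = Policy(allow={"github": ["get_issue", "list_issues"]}, ask={"github": ["create_issue"]})
SAMPLE_MESSAGES = [
    {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
     "params": {"name": "get_issue", "arguments": {"owner": "acme", "repo": "app", "issue_number": 7}}},
    {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
     "params": {"name": "create_issue", "arguments": {"owner": "acme", "repo": "app", "title": "hi",
                                                     "body": "token: ghp_" + "A" * 36}}},
    {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
     "params": {"name": "delete_repository", "arguments": {"owner": "acme", "repo": "app"}}},
]


def run_sample(approve_all: bool = False):
    """Run the sample messages through the policy; returns (verdicts, audit log)."""
    audit: List[dict] = []
    verdicts = [mediate("github", m, SAMPLE_POLICY, lambda s, t, a: approve_all, audit).verdict
                for m in SAMPLE_MESSAGES]
    return verdicts, audit


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(json.dumps(line))
```

Note the ordering: the secret check runs before the allowlist, so an allowlisted tool cannot be used as a channel for a leaked token, and unknown tools are denied even though the policy never mentions them. This is the part of the post's "What It Doesn't Solve" list the proxy cannot help with either: a server that reaches the network directly never passes through `mediate`.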


Source: https://www.reddit.com/r/netsec/comments/1o6qxcf/mcp_snitch_the_mcp_security_tool_you_probably_need/