MCP Security Control (MCP安全控制) is one of the featured MCP tools in this issue of AI Skill Hub. Overall score: 7.5, with high overall quality. We recommend adding it to your AI toolkit to help improve productivity.
MCP Security Control is an AI tool extension that follows the MCP (Model Context Protocol) standard. Through the MCP protocol it lets mainstream AI clients such as Claude and Cursor directly access and operate external tools, data sources and services, extending AI capabilities seamlessly. File operations, database queries and API calls can all be triggered directly from natural language in an AI conversation, greatly improving productivity.
Option 1: one-command install via the Claude Code CLI

```bash
claude skill install https://github.com/paolovella/vellaveto
```

Option 2: manually configure `claude_desktop_config.json`

```json
{
  "mcpServers": {
    "mcp----": {
      "command": "npx",
      "args": ["-y", "vellaveto"]
    }
  }
}
```

Configuration file location:

- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
- Windows: `%APPDATA%/Claude/claude_desktop_config.json`

After installation, use it directly in a Claude conversation. Example:

```
User: Please use MCP Security Control to carry out the following task...
Claude: [automatically invokes the MCP Security Control MCP tool to handle the request]
```

To see the list of available tools, type in Claude: "List all available MCP tools".
Example `claude_desktop_config.json` configuration:

```json
{
  "mcpServers": {
    "mcp____": {
      "command": "npx",
      "args": ["-y", "vellaveto"],
      "env": {}
    }
  }
}
```

Claude Desktop parses this file as strict JSON, so comments are not permitted inside it; if the server needs an environment variable, put it inside `"env"` (for example `"API_KEY": "your-api-key-here"`). Restart Claude Desktop after saving for the change to take effect.
---
VellaVeto is an agent interaction firewall — the runtime boundary where AI agents interact with tools, services, and users. Every side-effecting decision crosses this boundary: tool calls are evaluated against policy, irreversible actions require bound approvals, sessions are isolated by design, and every verdict is recorded in a tamper-evident audit trail with a structured ACIS decision envelope. Deploy it as a stdio proxy, HTTP gateway, or consumer-side privacy shield.
| | What It Enforces | Docs |
|---|---|---|
| **Policy Engine** | Glob/regex/domain matching, parameter constraints, time windows, call limits, per-tool quotas, secret substitution, declarative policy templates, action sequences, Cedar-style ABAC, Wasm plugins. Pre-compiled patterns, <5ms P99, decision cache. | [Policy](docs/POLICY.md) |
| **Threat Detection** | 30+ detection layers: injection (Aho-Corasick + NFKC + obfuscation decode), tool squatting, rug pulls, schema poisoning, DLP, memory poisoning, multi-agent collusion, semantic output contracts, contagion controls, jailbreak patterns, token leakage, system prompt leak, browser agent attacks, output anomalies, denial-of-wallet, cascade failures, exfiltration path analysis, server fingerprint drift, goal drift, A2A integrity, NHI overpermission, agent baseline, prompt template injection, ETDI, MINJA, and containment-aware audit context. Maps to [OWASP Agentic Top 10](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/). | [Threat Model](docs/THREAT_MODEL.md) |
| **Channel Separation** | Source-class auto-tainting (untrusted tool responses taint session regardless of detection), intent scope declarations (constrain tools/sinks per session with auto-narrowing on taint), behavioral sequence analysis (5 deterministic detectors for read→exfil, privilege escalation, tool diversity spikes, novel tools, action clustering). Three composing layers for detection-independent defense. | [Channel Separation](docs/CHANNEL_SEPARATION.md) |
| **Identity & Access** | OAuth 2.1/JWT, OIDC/SAML, RBAC (4 roles, 14 perms), ABAC with forbid-overrides, capability delegation, DPoP (RFC 9449), non-human identity lifecycle. | [IAM](docs/IAM.md) |
| **Approval Gates** | Bound, replay-safe, single-use approvals with session + fingerprint binding. Irreversible actions classified and gated. Human-readable fact summaries, lineage drift invalidation, structured containment context, trust/taint summaries, and risk scores preserved through pending, approve, and deny flows. | [Security Model](docs/SECURITY_MODEL.md) |
| **Discovery** | Auto-discover MCP servers, tools, resources via topology graph. Detect drift, tool shadowing, namespace collisions. Topology guard as pre-policy filter. | [Architecture](#architecture) |
| **Audit & Compliance** | Tamper-evident logs (SHA-256 + Merkle + Ed25519), ACIS decision envelopes, ZK proofs (Pedersen + Groth16), OTel-compatible span export, Annex IV documentation generator, Article 73 incident reports with cross-regulation deadlines, FRIA data export, evidence packs for 12 frameworks. | [Compliance](docs/COMPLIANCE.md) |
| **Session Isolation** | Per-session credential rotation, context window isolation, stylometric normalization, traffic padding. Cross-session correlation is structurally prevented while users maintain full workflow continuity — context stays coherent and safe across sessions via deterministic action fingerprinting without leaking session boundaries. | [Consumer Shield](examples/presets/consumer-shield.toml) |
| **Consumer Shield** | User-side PII sanitization, encrypted local audit (XChaCha20-Poly1305), credential vault, warrant canary. All boundary enforcement running client-side. | [Consumer Shield](examples/presets/consumer-shield.toml) |
| **Deployment** | 6 modes: HTTP, stdio, WebSocket, gRPC, gateway, consumer shield. K8s operator (3 CRDs), Helm chart, Terraform provider, VS Code extension. | [Deployment](docs/DEPLOYMENT.md) |
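The Channel Separation row above describes three composing layers that defend even when no detector fires. The following Python model is an added illustration, not VellaVeto's own code: any content whose source is not the user or operator taints the session on arrival, taint automatically narrows the declared intent scope by removing exfiltration-capable sinks, and a minimal sequence check gates a sink call that follows reads. The `Session` class, the tool names, the source labels and the `TRUSTED_SOURCES` set are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Source classes that never taint a session (constructed labels). Everything else,
# above all tool responses, is treated as untrusted the moment it arrives.
TRUSTED_SOURCES = {"user", "operator"}

# Toy tool categories for the sequence detector (constructed, hypothetical).
READ_TOOLS = {"read_file", "db_query"}
EXFIL_SINKS = {"http_post", "send_email"}


@dataclass
class Session:
    session_id: str
    allowed_tools: set                  # intent scope declared when the session starts
    tainted: bool = False
    taint_reason: str = ""
    recent_reads: list = field(default_factory=list)

    def ingest(self, source: str, content: str) -> None:
        """Layer 1, source-class auto-tainting: the *origin* of content taints the
        session; nothing in `content` has to be recognised by a detector."""
        if source in TRUSTED_SOURCES or self.tainted:
            return
        self.tainted = True
        self.taint_reason = f"untrusted content ingested from {source}"
        # Layer 2, intent-scope auto-narrowing: once tainted, drop every sink
        # that could move data out of the session.
        self.allowed_tools = {t for t in self.allowed_tools if t not in EXFIL_SINKS}

    def check_call(self, tool: str) -> tuple:
        """Return (verdict, reason). Scope is checked first, then the sequence."""
        if tool not in self.allowed_tools:
            why = f"{tool} outside intent scope"
            if self.tainted:
                why += f" (scope narrowed: {self.taint_reason})"
            return ("deny", why)
        if tool in READ_TOOLS:
            self.recent_reads.append(tool)
        # Layer 3, behavioural sequence: a sink right after reads is the classic
        # read-then-exfiltrate shape, so it is gated even in an untainted session.
        if tool in EXFIL_SINKS and self.recent_reads:
            return ("require_approval", f"read->exfil sequence: {self.recent_reads} then {tool}")
        return ("allow", "in scope")


def untainted_flow() -> tuple:
    """User-driven session: the read is allowed, the post needs approval."""
    s = Session("s1", {"read_file", "http_post"})
    s.ingest("user", "summarise report.txt and post it")   # user text never taints
    v_read = s.check_call("read_file")[0]
    v_post = s.check_call("http_post")[0]
    return (v_read, v_post, s.tainted)


def tainted_flow() -> tuple:
    """Same scope, but a tool response enters the session before the sink call."""
    s = Session("s2", {"read_file", "http_post"})
    s.check_call("read_file")
    s.ingest("tool:read_file", "<contents of the fetched file; never inspected>")
    verdict, reason = s.check_call("http_post")
    return (verdict, s.tainted, reason)


if __name__ == "__main__":
    print(untainted_flow())
    print(tainted_flow())
```

The point of the model is that the second flow is denied without any pattern matching: the deny follows purely from where the content came from and from the narrowed scope, which is what makes the defense independent of detection quality.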
```bash
vellaveto-proxy --protect vault -- ./my-server
```
| Level | Default | What it blocks | For whom |
|---|---|---|---|
| shield | Allow | Credentials, SANDWORM (AI config injection), exfil domains, git hooks, system files, dangerous commands, injection, DLP | Anyone: just works |
| fortress | Allow | Shield + package config tampering, privilege escalation approval, memory poisoning detection, shadow agent detection | Developers who want more |
| vault | **Deny** | Everything not explicitly allowed; source reads + git reads allowed, writes require approval | Maximum security |
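To make the vault row concrete, here is an added Python model (not the project's code, and not its `policy.toml` syntax) of a deny-by-default evaluator in which read-class tools are allowed and write-class tools go through a bound, single-use approval of the kind the Approval Gates row describes: the approval token is tied to the session and to a deterministic fingerprint of the exact tool call, so it cannot be replayed and cannot be redeemed for a different action. The rule shape, the `ApprovalGate` class, the tool names and the key are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
from fnmatch import fnmatch

# Constructed vault-style policy: default deny, read-class tools allowed,
# write-class tools routed through approval. Hypothetical rule shape; this is
# not VellaVeto's policy.toml syntax.
POLICY = {
    "default": "deny",
    "rules": [
        {"tool": "read_*", "verdict": "allow"},
        {"tool": "git_status", "verdict": "allow"},
        {"tool": "write_*", "verdict": "require_approval"},
        {"tool": "delete_*", "verdict": "require_approval"},
    ],
}


def evaluate(policy: dict, tool: str) -> str:
    """First matching glob rule wins; anything unmatched gets the default verdict."""
    for rule in policy["rules"]:
        if fnmatch(tool, rule["tool"]):
            return rule["verdict"]
    return policy["default"]


def fingerprint(tool: str, args: dict) -> str:
    """Deterministic action fingerprint: SHA-256 over canonical JSON of the call."""
    canon = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class ApprovalGate:
    """Issues approvals bound to (session, action fingerprint); each is single-use."""

    def __init__(self, key: bytes):
        self._key = key            # constructed secret for deriving the token
        self._pending = {}         # token -> (session_id, fingerprint)
        self._used = set()         # tokens that have already been redeemed

    def issue(self, session_id: str, tool: str, args: dict) -> str:
        fp = fingerprint(tool, args)
        nonce = secrets.token_hex(8)   # fresh per approval, so tokens never collide
        msg = f"{session_id}|{fp}|{nonce}".encode()
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        self._pending[token] = (session_id, fp)
        return token

    def redeem(self, token: str, session_id: str, tool: str, args: dict) -> str:
        if token in self._used:
            return "deny: replayed approval"
        bound = self._pending.get(token)
        if bound is None:
            return "deny: unknown approval"
        if bound != (session_id, fingerprint(tool, args)):
            # An approval granted for one path or session must not unlock another.
            return "deny: approval bound to a different session or action"
        self._used.add(token)
        del self._pending[token]
        return "allow"


def gated_call(policy, gate, session_id, tool, args, token=None) -> str:
    """Policy first; only calls that need approval consult the gate."""
    verdict = evaluate(policy, tool)
    if verdict != "require_approval":
        return verdict
    if token is None:
        return "require_approval"
    return gate.redeem(token, session_id, tool, args)


def demo() -> list:
    gate = ApprovalGate(b"constructed-approval-key")
    trace = [
        evaluate(POLICY, "read_file"),                                    # allow
        evaluate(POLICY, "shell_exec"),                                   # deny (default)
        gated_call(POLICY, gate, "s1", "write_file", {"path": "a.txt"}),  # require_approval
    ]
    tok = gate.issue("s1", "write_file", {"path": "a.txt"})
    trace.append(gated_call(POLICY, gate, "s1", "write_file", {"path": "b.txt"}, tok))  # bound: deny
    trace.append(gated_call(POLICY, gate, "s1", "write_file", {"path": "a.txt"}, tok))  # allow
    trace.append(gated_call(POLICY, gate, "s1", "write_file", {"path": "a.txt"}, tok))  # replay: deny
    return trace


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Binding the token to the canonical arguments is what stops the common failure mode in which an operator approves "write to a.txt" and the agent then writes to a different path under the same approval; making it single-use closes the replay path.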
<p align="center"> <img src="docs/shield-demo.gif" alt="VellaVeto Shield demo — blocking credential theft, data exfiltration, SANDWORM config injection, and prompt injection while allowing safe operations" width="880"> </p>
```bash
cd fuzz && cargo +nightly fuzz run fuzz_json_rpc_framing -- -max_total_time=60
```
See CONTRIBUTING.md for development rules and commit format.
```bash
# Stdio proxy, from source (~2 min)
cargo install vellaveto-proxy

# Interactive setup wizard
npx create-vellaveto

# HTTP reverse proxy in front of a deployed MCP server
cargo install vellaveto-http-proxy
VELLAVETO_API_KEY=$(openssl rand -hex 32) vellaveto-http-proxy \
  --upstream http://localhost:8000/mcp \
  --config policy.toml \
  --listen 127.0.0.1:3001

# Docker
docker pull ghcr.io/paolovella/vellaveto:latest
docker run -p 3000:3000 \
  -v /path/to/config.toml:/etc/vellaveto/config.toml:ro \
  ghcr.io/paolovella/vellaveto:latest
```
| Mode | Command | Use Case |
|---|---|---|
| HTTP API Server | vellaveto serve | Dashboard, REST API, policy management |
| MCP Stdio Proxy | vellaveto-proxy | Claude Desktop, local MCP servers |
| HTTP Reverse Proxy | vellaveto-http-proxy | Deployed MCP servers, SSE/Streamable HTTP |
| WebSocket Proxy | vellaveto-http-proxy | Bidirectional MCP-over-WS at /mcp/ws |
| gRPC Proxy | vellaveto-http-proxy --grpc | High-throughput, protobuf-native (feature-gated) |
| Consumer Shield | vellaveto-shield | User-side PII protection |
| Desktop App | vellaveto-desktop | One-click protection for Claude/Cursor/Windsurf/VS Code |
See docs/DEPLOYMENT.md for configuration details.
| Document | Description |
|---|---|
| [Quick Start](docs/QUICKSTART.md) | Framework integration guides (Anthropic, OpenAI, LangChain, LangGraph, MCP) |
| [15-Minute Secure Start](docs/SECURE_QUICKSTART_15_MIN.md) | End-to-end deny-by-default walkthrough with audit verification |
| [Policy Configuration](docs/POLICY.md) | Policy syntax, operators, presets, elicitation, sampling, DLP, tool quotas, secret substitution |
| [CLI Reference](docs/CLI.md) | All binaries and commands |
| [Environment Variables](docs/ENV.md) | Configuration via environment |
```bash
cargo build --release
vellaveto-proxy --protect fortress -- python -m mcp_server
vellaveto-proxy --config policy.toml -- /path/to/mcp-server
```
| SDK | Path | Tests |
|---|---|---|
| Python (sync + async, LangChain, LangGraph, CrewAI, Google ADK, OpenAI Agents, Composio, Claude Agent, Strands, MS Agents) | [sdk/python/](sdk/python/) | 484 |
| TypeScript | [sdk/typescript/](sdk/typescript/) | 122 |
| Go | [sdk/go/](sdk/go/) | 129 |
| Java | [sdk/java/](sdk/java/) | 120 |
Add to your VS Code settings.json:
```json
{
  "mcp": {
    "servers": {
      "filesystem": {
        "command": "vellaveto-proxy",
        "args": [
          "--protect", "fortress",
          "--", "npx", "-y",
          "@modelcontextprotocol/server-filesystem", "."
        ]
      }
    }
  }
}
```
See docs/QUICKSTART.md for more providers (Zed, JetBrains, Amazon Q, Continue) and SDK integration guides (Anthropic, OpenAI, LangChain, LangGraph, CrewAI).
| | **VellaVeto** | **AgentGateway** | **MCP-Scan (Snyk)** | **Lasso Gateway** |
|---|---|---|---|---|
| **Language** | Rust | Rust | Python | Python |
| **Backing** | Independent | Linux Foundation / Solo.io | Snyk (acquired Invariant Labs) | Lasso Security (~$28M raised) |
| **Stars** | New | ~1,800 | ~1,700 | ~349 |
| **Primary role** | Agent interaction firewall (runtime boundary) | Connectivity proxy / gateway | Scanner + monitor | Security gateway (plugin-based) |
| **Evaluation latency** | <5ms P99 | Not published | N/A (scan-time) | Not published |
| **Policy engine** | Glob/regex/domain, ABAC, Cedar, Wasm plugins, time windows, call sequences | OPA / OpenFGA / CEL | Guardrailing policies | Plugin-based guardrails |
| **Injection detection** | 20+ layers (Aho-Corasick, NFKC, ROT13, base64, math symbols, leetspeak, emoji smuggling, FlipAttack, memory poisoning, schema poisoning, ...) | AI Prompt Guard (LLM-based) | Tool description scanning + LLM judges | Guardrail plugins |
| **DLP** | 5-layer decode + credential patterns | PII pattern masking | Secrets scanning | Presidio plugin |
| **Transport coverage** | HTTP, WebSocket, gRPC, stdio, SSE (verified parity) | MCP + A2A | MCP (stdio + proxy) | MCP (stdio, SSE) |
| **Audit trail** | SHA-256 chain + Merkle + Ed25519 + ZK proofs + PostgreSQL | Observability hooks | Logging | Logging |
| **Compliance** | 12 frameworks (EU AI Act, SOC 2, DORA, NIS2, ...) | None | None | None |
| **Formal verification** | TLA+, Lean 4, Coq, Alloy, Kani, Verus | None | None | None |
| **Channel separation** | Source-class tainting, intent scope, behavioral sequence analysis | None | None | None |
| **Consumer privacy** | PII sanitization, session isolation, credential vault, stylometric resistance | None | None | PII scanning (Presidio) |
| **Enterprise IAM** | OIDC, SAML, RBAC, SCIM, DPoP | None | None | None |
| **Response attestation** | HMAC-SHA256 content-bound scan results | None | None | None |
| **MCPSEC score** | 100/100 (Tier 5, reference run) | Not tested | Not applicable | Not tested |
| **Ease of setup** | --protect shield (one flag) / Docker / Helm | Docker / binary | pip install | pip install |
| **License** | MPL-2.0 / Apache-2.0 / BUSL-1.1 | Apache-2.0 | Apache-2.0 | MIT |
Trade-offs: AgentGateway and MCP-Scan have strong institutional backing (Linux Foundation, Snyk) and larger communities. AgentGateway excels as a connectivity and observability layer with external policy engine integration (OPA, OpenFGA); MCP-Scan excels at scanning MCP server configurations and now includes a runtime proxy mode. Both have solid security features. Lasso Gateway and PipeLock (Go, single binary) are closer in scope but lighter on depth. VellaVeto differentiates as a runtime boundary enforcer: integrated policy evaluation (<5ms P99), structured ACIS decision envelopes on every verdict, multi-transport parity, session isolation as a product invariant, compliance evidence, and formal verification of boundary properties. The table above is our honest best-effort comparison — we encourage you to evaluate each tool against your own requirements.
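The audit-trail and response-attestation rows above (SHA-256 chain + Merkle, HMAC-SHA256 content-bound results) describe a tamper-evident record of verdicts. The Python below is an added, stdlib-only illustration of those building blocks and is not VellaVeto's envelope format: each decision is hash-chained to its predecessor, a Merkle root summarises the whole log, and an HMAC over root and entry count stands in for the Ed25519 signature the README lists. The `AuditLog` class, the sample decisions and the key are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    """Stable byte encoding so the same decision always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Hash-chained decision log with a Merkle root and a content-bound attestation.
    Constructed illustration: the HMAC stands in for an Ed25519 signature, and
    the entry layout is not VellaVeto's decision envelope."""

    def __init__(self, attest_key: bytes):
        self._key = attest_key        # constructed secret held by the attester
        self.entries = []

    def append(self, decision: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev_hash": prev, **decision}
        body["hash"] = _sha256(canonical(body))   # covers seq, prev_hash and the verdict
        self.entries.append(body)
        return body

    def merkle_root(self) -> str:
        level = [e["hash"] for e in self.entries] or [GENESIS]
        while len(level) > 1:
            if len(level) % 2:
                level.append(level[-1])   # duplicate the last leaf on odd levels
            level = [_sha256((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
        return level[0]

    def attest(self) -> str:
        """Bind the attestation to the root *and* the entry count, so dropping
        trailing entries is detected as well as editing them."""
        msg = f"{len(self.entries)}:{self.merkle_root()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def verify(self, attestation: str) -> tuple:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return (False, f"chain break at seq {i}")
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            if _sha256(canonical(unhashed)) != e["hash"]:
                return (False, f"entry {i} modified")
            prev = e["hash"]
        if not hmac.compare_digest(self.attest(), attestation):
            return (False, "attestation mismatch: log truncated or re-chained")
        return (True, "ok")


# Constructed sample decisions, in the shape a proxy might record per tool call.
SAMPLE_DECISIONS = [
    {"session": "s1", "tool": "read_file", "verdict": "allow"},
    {"session": "s1", "tool": "write_file", "verdict": "require_approval"},
    {"session": "s1", "tool": "http_post", "verdict": "deny", "reason": "exfil domain"},
]


def demo() -> tuple:
    key = b"constructed-attestation-key"
    log = AuditLog(key)
    for d in SAMPLE_DECISIONS:
        log.append(d)
    attestation = log.attest()
    intact = log.verify(attestation)

    log.entries[2]["verdict"] = "allow"          # flip a recorded deny to allow
    edited = log.verify(attestation)

    log2 = AuditLog(key)
    for d in SAMPLE_DECISIONS:
        log2.append(d)
    log2.entries.pop()                           # quietly drop the denied call
    truncated = log2.verify(attestation)
    return (intact, edited, truncated)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The chain catches edits to any entry, and the attestation over count plus root catches the two things a chain alone cannot: truncation of the tail and a full re-chain by someone who can write the log but does not hold the attestation key. In a production design the attestation key lives outside the process that writes the log, which is the property an asymmetric signature gives you directly.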
VellaVeto is an Agent Interaction Firewall designed specifically for AI agents, providing a security boundary for an agent's interactions with its external environment. By placing a protective layer between the agent and its tools or data, it prevents unauthorized operations and keeps AI task execution safe and controllable.
VellaVeto offers strong boundary protection. Its Policy Engine supports fine-grained policy control based on glob, regex and domain matching plus parameter constraints, and integrates a Cedar-style ABAC permission model with Wasm plugin extensions; the Threat Detection layer comprises more than 30 detection mechanisms that identify injection attacks and other threats; and the system is highly performant, with P99 decision latency under 5 ms.
When using VellaVeto you need to pay attention to the permission level of its security modes. The system has built-in protection mechanisms for Vault (sensitive data) and Fortress (system files/configuration). In Vault mode the policy is deny-by-default: only safe read operations are allowed, and write operations require explicit authorization. Developers should choose the protection level that fits their application scenario.
You can choose among several installation methods depending on your development environment: install `vellaveto-proxy` from source via Cargo; use `npx create-vellaveto` to launch the interactive setup wizard; or, for deployed MCP servers, install `vellaveto-http-proxy` and configure an API key for an HTTP reverse-proxy deployment.
The project provides a quick-start guide that helps developers deploy the protective proxy with a few command-line instructions. Whether protecting a local Python MCP server with `vellaveto-proxy` or proxying a remote service through the HTTP proxy, developers can stand up a security isolation layer quickly using the preset commands.
VellaVeto supports highly customizable configuration management. Developers can define detailed access policies in a `policy.toml` file, giving fine-grained control over specific tools, parameters or time windows. For complex production environments, a custom configuration file can be specified with the `--config` parameter to harden the MCP server.
VellaVeto provides comprehensive multi-language SDK support covering the mainstream AI development ecosystem: a Python SDK (sync/async, with support for LangChain, LangGraph, CrewAI, Claude Agent, OpenAI Agents and other frameworks), plus TypeScript, Go and Java SDKs, making it easy to integrate its security capabilities into different technology stacks.
A high-quality MCP security control tool
This tool is distributed under a NOASSERTION license; for commercial use, read the license terms carefully and seek legal advice where necessary.
AI Skill Hub is a third-party content aggregation platform; the information on this page is compiled from public data and carries no legal endorsement of the tool's functionality or quality.
We recommend validating thoroughly in a sandbox or test environment, and completing the necessary security assessment, before deploying to production.
📄 NOASSERTION: consult the original license terms for the specific usage restrictions.
On overall assessment, MCP Security Control performs solidly in the MCP tool category with good quality. If you already have a clear use case, try it directly; if you are still evaluating, compare it with similar tools before deciding.
| Field | Value |
|---|---|
| Original name | vellaveto |
| Original description | Open-source MCP tool: Agentic security control plane for MCP and AI agent tool calls. MCP-native polic… ⭐6 · Rust |
| Topics | mcp, ai, security audit logs |
| GitHub | https://github.com/paolovella/vellaveto |
| License | NOASSERTION |
| Language | Rust |
Listed: 2026-05-27 · Updated: 2026-05-30 · License: NOASSERTION · AI Skill Hub makes no legal endorsement of the accuracy of third-party content.