Security sidecar for MCP servers: prompt-injection scan, Ed25519 verify, tools/list drift. 10 tools.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"io-studiomeyer-armor": {
"args": [
"-y",
"@modelcontextprotocol/server-filesystem"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Part of the StudioMeyer MCP Stack — Built in Mallorca 🌴 · ⭐ if you use it
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y '@modelcontextprotocol/server-filesystem' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
@modelcontextprotocol/server-filesystem vulnerability allows for path validation bypass via colliding path prefix
Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files in cases where the prefix matches an allowed directory. Users are advised to upgrade to 2025.7.1 to resolve the issue. Thank you to Elad Beber (Cymulate) for reporting these issues.
>= 0source →@modelcontextprotocol/server-filesystem allows for path validation bypass via prefix matching and symlink handling
Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files via symlinks within allowed directories. Users are advised to upgrade to 2025.7.1 to resolve. Thank you to Elad Beber (Cymulate) for reporting these issues.
>= 0source →Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in other
Pi Coding Agent extension (CLI-first) — routes bash/read/grep/find/ls through lean-ctx CLI for strong token savings. Optional MCP bridge can register advanced tools.
Compress tool outputs, logs, files, and RAG chunks before they reach the LLM. 60-95% fewer tokens, same answers. Library, proxy, MCP server.
97% token reduction for AI coding sessions — zero deps, 21 languages, MCP server
Autonomous spec-to-product coding-agent CLI with an MCP server exposing 34 tools over stdio.
MCP Security Weekly
Get CVE alerts and security updates for io.studiomeyer/armor and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
Part of the StudioMeyer MCP Stack — Built in Mallorca 🌴 · ⭐ if you use it
Drop-in Rust sidecar that wraps any MCP server. Scans tool calls for prompt injection, validates Ed25519 manifest signatures (with TOFU keystore + Sigstore Rekor bridge since v0.2), exports OTLP gRPC telemetry (on opentelemetry 0.30 since v0.4 — closes the shutdown-hang class), blocks marketplace-poisoning vectors, strips loader-class env keys from spawned children (LD_PRELOAD, NODE_OPTIONS, … — new in v0.3), folds Unicode confusables to detect homoglyph evasion (Cyrillic іgnоrе ≈ ignore — new in v0.3), strips ANSI/terminal escape sequences and flags tool-name homoglyph collisions on tools/call (both new in v0.7). Single signed binary, p99 budget under 5 ms (enforced in CI).
Anthropic has classified the underlying MCP-design issues (auto-invoke, marketplace tool-list trust, no manifest signing) as out-of-scope for the spec. mcp-armor implements the runtime defenses they declined to spec.
mcp-armor sits between an MCP client (Claude Desktop, Windsurf, Cursor) and an upstream server. JSON-RPC traffic flows through a four-stage scanner (Aho-Corasick prefilter → regex stage → NFKC + zero-width + Bidi + tag-unicode strip → re-scan → UTS-39 confusable skeleton fold → re-scan). Block decisions are recorded to an in-memory ring buffer, and the read-only control-plane MCP server surfaces the audit history back to the client. On wrap, loader-class env keys (LD_PRELOAD, NODE_OPTIONS, PYTHONPATH, …) are stripped from the child process before spawn().
Sister project: studiomeyer-io/ai-shield — TypeScript policy engine that mcp-armor's evasion patterns are ported from (Round 4 zero-width + tag-unicode work).
We have been building tools and systems for ourselves for the past two years. The fact that this repo is small and has few stars is not because it is new. It is because we only just decided to share what we have built. It is not a fresh experiment, it is a long story with a recent commit.
We love building things and sharing them. We do not love social media tactics, growth hacks, or chasing stars and followers. So this repo is small. The code is real, it gets used, issues get answered. Judge for yourself.
If it helps you, sharing, testing, and feedback help us. If it could be better, an issue is more useful. If you build something with it, tell us at hello@studiomeyer.io. That genuinely makes our day.
From a small studio in Palma de Mallorca.
Pre-built binaries (signed via cosign):
gh release download --repo studiomeyer-io/mcp-armor --pattern 'mcp-armor-*-x86_64-unknown-linux-musl.tar.gz'
tar xf mcp-armor-*-x86_64-unknown-linux-musl.tar.gz
sudo install mcp-armor /usr/local/bin/
Or from source:
# default: scanner + Ed25519 verify + TOFU keystore + bundle parser
cargo install mcp-armor
# with OTLP gRPC export
cargo install mcp-armor --features otlp
# with online Sigstore Rekor lookup
cargo install mcp-armor --features sigstore-bridge
# full surface (otlp + sigstore-bridge + rmcp-control)
cargo ins
... [View full README on GitHub](https://github.com/studiomeyer-io/mcp-armor#readme)