Stop promptinjection in MCP.
100% detection rate on our 80-attack public eval (95.5%+ lower bound at 95% confidence). 0.0% false positive rate on 100 benign documents.
Drop-in proxy — zero config change to your agent or MCP server.
why vault
Built for MCP, not LLM I/O
Other tools scan LLM outputs. Vault scans MCP — the layer every modern agent runs through. It sits between your agent and any MCP server, intercepting every tool response before the agent reads it.
LLM-grade detection at MCP scale
L0 deterministic decoding + L1 heuristics + L2 embeddings cost-gate the LLM judge so detection stays affordable per request. Use Anthropic, OpenAI, or run fully offline with Ollama.
Our eval is public
The 80-attack holdout, the 100-document benign set, the limitations, even the postmortem from when we caught our own eval contamination — all published. The numbers above came from a holdout we do not tune against.
new · agentic trading
When your agent trades, guard the action, not just the text.
Robinhood Chain shipped agent-executed trading. An agent that trades reads attacker-influenceable tool output — one poisoned quote can reroute a swap. Vault adds a second line of defense that guards the trade itself.
The attack surface
A trading agent decides by reading tool responses — token metadata, price quotes, routing notes. Every one of those is attacker-influenceable, and a hidden instruction can redirect a swap to an attacker or trigger an unlimited approval, inside a flow the user authorized.
Two layers, not one
Vault scans every tool response for injection before the agent reads it — and then guards the action itself: recipient allowlist, unlimited-approval blocking, and taint (a recipient the agent only learned from a tool response is blocked). The action guard holds even when a novel injection slips past the scanner.
One flag to enable
The trade guard is off by default and chain-agnostic — it protects the agent, not the chain. Turn it on with a single environment variable, in block or warn mode, with your own recipient allowlist.
what we publish
Every claim on this page is backed by a public artifact.
We caught a methodology contamination event during development. Reverted, documented, shipped honest numbers. The postmortem is public.
try it
recent attacks blocked
no recent events- no recent attacks to display
install
# wrap any stdio MCP server npx @aimcpvault/mcp-proxy@next -- npx -y @modelcontextprotocol/server-filesystem /path # or proxy a remote MCP server npx @aimcpvault/mcp-proxy@next --transport http --upstream https://mcp.example.com/v1 --port 8800