New Robinhood Chain shipped agent-executed trading. Vault ships the guard for it.See how ↓
private beta · vaultmcp

Stop promptinjection in MCP.

100% detection rate on our 80-attack public eval (95.5%+ lower bound at 95% confidence). 0.0% false positive rate on 100 benign documents. Drop-in proxy — zero config change to your agent or MCP server.

terminal
$ npx @aimcpvault/mcp-proxy@next -- npx -y @modelcontextprotocol/server-filesystem /path
100% TPR · 95.5%+ CI0.0% FPR80 / 80 caughtL0 · L1 · L2 · L3

why vault

Built for MCP, not LLM I/O

Other tools scan LLM outputs. Vault scans MCP — the layer every modern agent runs through. It sits between your agent and any MCP server, intercepting every tool response before the agent reads it.

LLM-grade detection at MCP scale

L0 deterministic decoding + L1 heuristics + L2 embeddings cost-gate the LLM judge so detection stays affordable per request. Use Anthropic, OpenAI, or run fully offline with Ollama.

Our eval is public

The 80-attack holdout, the 100-document benign set, the limitations, even the postmortem from when we caught our own eval contamination — all published. The numbers above came from a holdout we do not tune against.

new · agentic trading

When your agent trades, guard the action, not just the text.

Robinhood Chain shipped agent-executed trading. An agent that trades reads attacker-influenceable tool output — one poisoned quote can reroute a swap. Vault adds a second line of defense that guards the trade itself.

The attack surface

A trading agent decides by reading tool responses — token metadata, price quotes, routing notes. Every one of those is attacker-influenceable, and a hidden instruction can redirect a swap to an attacker or trigger an unlimited approval, inside a flow the user authorized.

Two layers, not one

Vault scans every tool response for injection before the agent reads it — and then guards the action itself: recipient allowlist, unlimited-approval blocking, and taint (a recipient the agent only learned from a tool response is blocked). The action guard holds even when a novel injection slips past the scanner.

One flag to enable

The trade guard is off by default and chain-agnostic — it protects the agent, not the chain. Turn it on with a single environment variable, in block or warn mode, with your own recipient allowlist.

terminal
$ VAULT_TRADE_GUARD=1 VAULT_TRADE_ALLOWLIST=0xYourWallet
npx @aimcpvault/mcp-proxy@next -- <your trading MCP server>

what we publish

Every claim on this page is backed by a public artifact.

We caught a methodology contamination event during development. Reverted, documented, shipped honest numbers. The postmortem is public.

try it

68 chars
vault://scan
$ awaiting input…

recent attacks blocked

no recent events
  • no recent attacks to display

install

# wrap any stdio MCP server
npx @aimcpvault/mcp-proxy@next -- npx -y @modelcontextprotocol/server-filesystem /path

# or proxy a remote MCP server
npx @aimcpvault/mcp-proxy@next --transport http --upstream https://mcp.example.com/v1 --port 8800
open source · byo llm key · ollama supported · local-first