MCP-Security-Proxy

The MCP Bridge (security proxy) is exceptionally well-designed for its purpose, incorporating multiple layers of defense: a rule-based detector for known attacks, a statistical anomaly detector, a semantic (DistilBERT) prototypical learning detector, and an optional MAML-based few-shot adaptation detector, all within a weighted ensemble that defaults to 'ATTACK' in ambiguous cases. Network isolation is enforced through internal Docker networks for tools, preventing direct external access. Input validation is performed using Pydantic, and ReDoS protection is present in regex-based rules. The primary security risk lies in the intentionally vulnerable 'MCP Tools' services (e.g., filesystem, fetch, sqlite) when their 'SAFE_MODE' flags are set to 'false' (which is the default in the provided `docker-compose.yml` for testing purposes). This design is a feature for vulnerability testing, not a flaw in the proxy's defensive capabilities. A minor theoretical risk is the `torch.load(..., weights_only=False)` call for model loading, which could allow arbitrary code execution if the model files themselves were compromised by an attacker, though in a research context generating its own models, this is standard. The LLM proxy endpoint ( `/v1/chat/completions`) performs basic forwarding without explicit security checks in the provided code, but it is configured to use internal LLM services by default.