# agentguard MCP server

AgentGuard — 20-tool AI safety MCP: policy preflight, risk scoring, audit logging, rate limits.

## Links
- Registry page: https://www.getdrio.com/mcp/io-tooloracle-agentguard
- Repository: https://github.com/ToolOracle/agentguard

## Install
- Endpoint: https://feedoracle.io/guard-oracle/mcp/
- Auth: Not captured

## Setup notes
- Remote endpoint: https://feedoracle.io/guard-oracle/mcp/

## Tools
- policy_preflight - Pre-flight security check before any tool call. Evaluates all policies, computes a risk score, checks rate limits, and returns an allow/deny/require_approval decision. Call this BEFORE executing any agent tool. Writes to the audit log automatically.
- tool_risk_score - Compute a 0-100 risk score for any tool + input combination. 0 = minimal risk (read-only), 100 = critical (payment/irreversible). Detects secrets, injection attempts, and high-value amounts. Use before deciding whether to proceed with a tool call.
- approval_required - Check if a tool call requires human approval before execution. Returns requires_approval=true/false with the matched policy list. Set register_pending=true to create a trackable approval request with an approval_url for human review.
- audit_log_write - Write a tool call result to the persistent, signed audit log. Call this AFTER tool execution with the outcome. Each entry is cryptographically signed for tamper-evidence. Essential for compliance, DORA, and MiCA audit trail requirements.
- audit_log_query - Query the persistent audit trail. Filter by agent, tool, decision, or time range. Returns signed entries with tamper detection. Use for compliance reporting, anomaly detection, or agent behaviour analysis.
- decision_explain - Get a human-readable explanation of why a tool call was allowed or denied. Pass the request_id from a previous policy_preflight for the stored explanation, or provide tool_name + tool_args for fresh analysis. Explains matched policies, risk score breakdown, and recommendation.
- rate_limit_check - Check if an agent has exceeded rate limits. Returns per-window usage (minute/hour/day) with percentage used. Limits: 200/min, 5000/hr, 50000/day per agent. Use before high-frequency tool calls or for agent health monitoring.
- payment_policy_check - Validate a payment against policy rules before execution. Checks amount limits (>100k warns, >1M blocks), recipient allowlist/denylist, supported currencies/networks, AML reporting thresholds, and MiCA flags. Returns approved/rejected with the full violation list and risk score.
- spend_limit_check - Check if a payment amount stays within agent spend limits. Default limits: 10,000/call, 50,000/hr, 200,000/day. Trusted agents: 100,000/call, 500,000/hr, 2,000,000/day. Returns within_limits=true/false with headroom percentage.
- secret_exposure_check - Deep scan any text/payload for secrets, credentials, and PII. Detects: API keys (OpenAI, GitHub, AWS), tokens (Slack, Bearer), private keys (ETH, Bitcoin), credentials (passwords, secrets), and PII (emails, credit cards, SSNs). Returns findings with severity and remediation guidance.
- payload_safety_check - Comprehensive safety scan for injection attacks and dangerous patterns. Detects: prompt injection, jailbreak/DAN attempts, role hijacking, SQL injection (UNION/DROP/OR 1=1), XSS, Python/JS/Shell code injection, path traversal, oversized payloads, and null bytes. Returns safe=true/false with a finding list and block/allow decision.
- replay_guard_check - Detect replay attacks: identical requests sent multiple times within a time window. Uses a SHA256 fingerprint of (agent_id + tool_name + args). Default window: 300 seconds (5 min). Returns is_replay=true/false with duplicate count and first/last seen timestamps.
- cross_tool_anomaly_check - Detect anomalous tool usage patterns across an agent's recent history. Checks risky tool combinations (AML-then-payment, wallet-recon-then-transfer), high call frequency, repeated denials, broad reconnaissance, and elevated risk scores.
- scope_check - Check if an agent has the required scope for a tool. Roles: admin, compliance_officer, trader, auditor, developer, readonly. Returns has_scope + missing scope + granting roles.
- session_validate - Create/validate/invalidate agent sessions with role, scopes, TTL, and call budget. Actions: create|validate|invalidate|info.
- tenant_policy_check - Multi-tenant governance. Tenants: default, fintech_eu (MiCA/DORA), defi_protocol, enterprise_read. Checks tool blocklists, max risk scores, and spend limits. Actions: check|list.
- threat_intel_check - Check an entity against threat intelligence. Auto-detects ETH addresses, IPs, and domains. Checks sanctions (Tornado Cash), disposable services, and behavioral analysis from the audit log. Returns threat_level: none|low|medium|high|critical.
- output_safety_scan - Post-execution output scanner. Checks tool output for PII leaks (email, phone, SSN, IBAN), secret exposure, data exfiltration patterns (outbound URLs, base64), and tool poisoning (injected instructions). Verdict: clean|warn|flag|block.
- emergency_kill - Emergency kill-switch. Immediately terminates agent session(s), revokes pending approvals, blocks rate limits, and audit-logs the emergency. Use for: compromised agents, runaway automation, suspicious behavior. kill_type: full|session_only|soft.
- tool_manifest_verify - Supply-chain verification for MCP tools. Checks publisher identity against an allowlist, scans tool descriptions for prompt injection, and validates server domain and signing capability. Verdict: trusted|caution|block.
- approval_resolve - Resolve a pending approval request. Approve or deny a tool call that was flagged for human review. Updates agent state and creates an audit trail. Requires authentication.
- approval_list - List approval requests. Filter by status (pending/approved/denied/all), agent_id, or tool_name. Shows summary stats.
- policy_register - View the central policy registry. Query tiers (T1-T4), tool classifications, and escalation rules. Actions: summary (default), lookup (by tool_name), tiers, rules, tools (by tier_id).
- guard_metrics - AgentGuard operational metrics. Returns decision stats, top agents/tools, risk distribution, daily activity, approval stats, and tier distribution.

All tools are served from the endpoint listed under Install: https://feedoracle.io/guard-oracle/mcp/

## Resources
Not captured

## Prompts
Not captured

## Metadata
- Owner: io.tooloracle
- Version: 1.0.0
- Runtime: Streamable Http
- Transports: HTTP
- License: Not captured
- Language: Not captured
- Stars: Not captured
- Updated: May 7, 2026
- Source: https://registry.modelcontextprotocol.io
