Definition
Allowlisting only tool names ignores arguments, shell fragments, and nested payloads—where much of the real risk lives.
How it appears in MCP
tools/call carries a name plus a JSON object. A model or attacker can choose an allowed name while supplying paths, commands, or data exfiltration channels inside the payload.
Example pattern
“Safe” tools such as file writers or shell runners become dangerous when arguments include destructive paths, recursive deletes, or outbound URLs—patterns well documented in injection and command execution incident classes outside MCP, and equally applicable here.
What MCP Trail does on the Guardian path
MCP Trail Guardian goes beyond naming:
- Catalog policies for tools, resources, and prompts (open vs allowlisted discovery), so shadow surfaces do not run silently.
- Structural limits on JSON-RPC tool arguments (depth, string size, array length, keys) before expensive work.
- Destructive-shell and related heuristics where applicable.
- DLP on arguments and JSON tool results (monitor, block, redact) plus custom org rules.
- HITL for tools your policy marks as sensitive.
- Audit and protection metadata so teams see what was blocked or altered—when traffic flows through the gateway.
What still needs process
Threat modeling per tool, least-privilege upstream design, and red-teaming assistant prompts—not just gateway rules.