AEGIS MCP Tools is designed to address the "Supply Chain Risk" identified in OpenClaw deployments. Every tool in this repository undergoes rigorous security review.

1. Fail-Safe Defaults: All permissions denied unless explicitly granted
2. Least Privilege: Tools request minimum necessary permissions
3. Defense in Depth: Multiple layers of security controls
4. Audit Everything: Immutable logging of all operations
5. Assume Breach: Design for containment and recovery

┌─────────────────────────────────────────┐
│ AEGIS Orchestrator │
│ (Trusted Runtime) │
└──────────────┬──────────────────────────┘
│
▼
┌─────────────────────────────────────────┐
│ MCP Tool (This Repository) │
│ (Sandboxed Execution) │
│ • Input validation │
│ • Resource limits │
│ • Permission enforcement │
└──────────────┬──────────────────────────┘
│
▼
┌─────────────────────────────────────────┐
│ External Services / Filesystem │
│ (Untrusted) │
└─────────────────────────────────────────┘

1. Malicious Input: Agent sends crafted input to exploit tool
2. Resource Exhaustion: Tool consumes excessive CPU/memory
3. Data Exfiltration: Tool attempts to access unauthorized data
4. Privilege Escalation: Tool bypasses permission boundaries
5. Supply Chain Attack: Malicious dependency introduced

All tools must validate inputs:

from aegis_mcp_tools.validators import validate_path, validate_url

def read_file(path: str):
    # Validate and sanitize
    safe_path = validate_path(path, allowed_dirs=["/data"])

    # Enforce chroot
    if not safe_path.startswith("/data"):
        raise SecurityError("Path outside allowed directory")

    # Check file size
    if os.path.getsize(safe_path) > MAX_FILE_SIZE:
        raise SecurityError("File too large")

Every tool has hard limits:

resources:
  max_memory: "256MB" # Hard limit
  max_cpu: "0.5" # CPU shares
  timeout: "30s" # Max execution time
  max_network: "10MB/s" # Bandwidth cap

Network and filesystem access controlled:

permissions:
  filesystem:
    read: ["/data/inputs"]
    write: ["/data/outputs"]
    deny: ["/etc", "/root", "/home"]
  network:
    allow: ["api.example.com"]
    deny: ["*"]

All operations logged immutably:

@audit_log
def execute(self, params):
    # Automatically logs:
    # - Timestamp
    # - Tool name
    # - Parameters (sanitized)
    # - Result summary
    # - Resource usage
    pass

Never log or expose secrets:

# ✅ Correct
api_key = os.environ.get("API_KEY")
logger.info("Making API call", url=url)  # Don't log key

# ❌ Wrong
logger.info(f"Using key: {api_key}")

DO NOT open a public issue for security vulnerabilities.

1. Email: security@100monkeys.ai (PGP key below)
2. Subject: [SECURITY] Brief description
3. Include:
   • Tool name and version
   • Description of vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• 24 hours: Acknowledgment of report
• 72 hours: Initial assessment
• 7 days: Patch development
• 14 days: Public disclosure (coordinated)

We follow coordinated disclosure:

1. Vulnerability reported privately
2. Patch developed and tested
3. Security advisory published
4. Public disclosure with credit

Current security reviewers:

• @security-team (Primary contact)

-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP key for security@100monkeys.ai]
-----END PGP PUBLIC KEY BLOCK-----

We recognize and reward security researchers:

• Critical: $1,000 - $5,000
• High: $500 - $1,000
• Medium: $100 - $500
• Low: Recognition in SECURITY.md

• Remote code execution
• Privilege escalation
• Data exfiltration
• Authentication bypass
• Resource exhaustion

• Social engineering
• Physical attacks
• DoS requiring >10K requests/second
• Issues in dependencies (report upstream)

For contributors adding new tools:

• All inputs validated with strict schemas
• Path traversal prevented
• SQL injection prevented (if applicable)
• Command injection prevented
• XXE attacks prevented (XML parsing)

• TLS/SSL required for all connections
• Certificate validation enforced
• Allowlist configured (no wildcards)
• Timeouts configured
• Rate limiting implemented

• Chroot jail or equivalent
• Symlink attacks prevented
• File size limits enforced
• Sensitive paths blacklisted

• Memory limits enforced
• CPU limits enforced
• Execution timeout configured
• Connection pooling with limits

• Errors don't leak paths
• Errors don't leak credentials
• Stack traces sanitized
• Generic error messages to users

• All operations logged
• Secrets redacted
• Structured logging used
• Log injection prevented

Subscribe to security advisories:

• GitHub: Watch this repo for security alerts
• Email: Subscribe at security@100monkeys.ai

This project follows:

• OWASP Top 10 mitigation strategies
• CWE Top 25 prevention guidelines
• NIST Cybersecurity Framework principles

We thank the following researchers for responsible disclosure:

• [Coming soon - report vulnerabilities to be listed here]

Last Updated: 2026-02-01 Next Review: 2026-05-01