How do I scope and restrict permissions for MCP tool servers an AI agent connects to?
To scope and restrict permissions for MCP tool servers, configure server entries in ~/.hermes/config.yaml to specify command execution, environment variables, and authentication headers, and implement tool allow/deny lists and sandboxing.
- Configure Command and Arguments (NIST AI RMF: Govern, OWASP LLM Top 10: LLM01: Prompt Injection): For `stdio` transport, explicitly define the `command` and `args` that the MCP server is allowed to execute, such as `npx` with specific packages or `python3` with a designated script. This limits the server's operational scope to only the necessary processes.
- Manage Environment Variables (NIST AI RMF: Govern, OWASP LLM Top 10: LLM01: Prompt Injection): Use the `env` field in `config.yaml` to provide only the essential environment variables to the subprocess; these are merged with a safe baseline environment. The `_build_safe_env` function filters dangerous environment variables.
- Control Access with Authentication Headers (NIST AI RMF: Govern, OWASP LLM Top 10: LLM07: Insecure Plugin Design): For `HTTP` transport, specify `Authorization` headers with tokens (e.g., `Bearer ${REMOTE_API_KEY}`) for remote API access. These tokens should be interpolated from `.env` files and managed securely, ideally using a secrets manager rather than environment variables.
- Implement Tool Allow/Deny Lists (NIST AI RMF: Govern, OWASP LLM Top 10: LLM07: Insecure Plugin Design): The harness should support tool allow/deny lists to restrict which tools an agent can use, preventing unauthorized access or actions.
- Utilize Sandbox Configuration (NIST AI RMF: Protect, OWASP LLM Top 10: LLM07: Insecure Plugin Design): Isolate tool execution within a sandbox to prevent system damage, ensuring that even if a tool is compromised, its impact is contained.
- Sanitize Error Messages (NIST AI RMF: Protect, OWASP LLM Top 10: LLM06: Sensitive Information Disclosure): Implement credential stripping in error messages using functions like `_sanitize_error()` to prevent sensitive information, such as API keys, from being exposed to the LLM or logs.
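As an added illustration (not code from the Hermes project or from this answer), here is a small Python sketch of four of the controls listed above: a safe baseline environment that drops dangerous variables, `${VAR}` interpolation of a bearer token from a `.env` mapping, an allow/deny check, and credential stripping in error text. The config keys, the dangerous-variable pattern, the sample values and the function names are assumptions, not the project's actual schema or implementation.

```python
import os
import re

# Constructed example config in the shape the answer describes; key names
# are an assumption, not the project's documented schema.
MCP_SERVERS = {
    "filesystem": {"transport": "stdio", "command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/data"],
                   "env": {"NODE_ENV": "production", "LD_PRELOAD": "/tmp/injected.so"}},
    "remote": {"transport": "http", "url": "https://mcp.example.com/",
               "headers": {"Authorization": "Bearer ${REMOTE_API_KEY}"}},
}
DOTENV = {"REMOTE_API_KEY": "sk-live-abc123"}  # constructed stand-in for a .env file
TOOL_ALLOW = {"read_file", "list_directory"}
TOOL_DENY = {"write_file"}

# Hypothetical blocklist: variables that change loader or interpreter behaviour.
DANGEROUS_ENV = re.compile(r"^(LD_|DYLD_|PYTHON|NODE_OPTIONS$|BASH_ENV$)")
BASELINE_KEYS = ("PATH", "HOME", "LANG")

def build_safe_env(extra, base=None):
    """Start from a minimal baseline and merge only non-dangerous extras."""
    src = os.environ if base is None else base
    env = {k: src[k] for k in BASELINE_KEYS if k in src}
    for k, v in extra.items():
        if DANGEROUS_ENV.match(k):
            continue  # drop loader/interpreter overrides such as LD_PRELOAD
        env[k] = v
    return env

def interpolate(value, secrets):
    """Resolve ${NAME} placeholders from the .env mapping; unknown names raise."""
    def repl(m):
        name = m.group(1)
        if name not in secrets:
            raise KeyError(f"missing secret {name}")
        return secrets[name]
    return re.sub(r"\$\{([A-Z0-9_]+)\}", repl, value)

def tool_allowed(name, allow, deny):
    """Deny wins over allow; a tool absent from the allow list is refused."""
    return name not in deny and name in allow

def sanitize_error(msg, secrets):
    """Strip known secret values and any bearer token before the LLM or logs see it."""
    for v in secrets.values():
        msg = msg.replace(v, "[REDACTED]")
    return re.sub(r"Bearer\s+\S+", "Bearer [REDACTED]", msg)
```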
Grounded in
- Chapter 13: MCP Integration — Connecting Agents to the World (Claude Code vs. Hermes Agent)
- Claude Code Harness Pattern 10: Production Deployment Patterns
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.