Security at the gateway

Your agent's tools are a trust boundary. Toolport guards it.

Every MCP call your agent makes flows through one local gateway. That puts Toolport on the path to watch the whole tool-trust boundary, both the tool definitions coming in and the results going back, and to flag the attacks that target agents specifically.

Tool poisoning / line jumping

Hidden instructions smuggled into a tool's description or schema, which the agent reads and may act on before it ever calls the tool.

Toolport scans every tool definition for injection signatures (instruction override, stealth directives, embedded commands, hidden Unicode) when a server first connects and whenever a definition changes, and flags it in Activity.

Rug pull

A tool you already reviewed and approved is silently swapped for a malicious version later, after it has earned your trust.

Toolport fingerprints every tool on connect and flags any later change to an approved tool's definition, or a new tool a known server quietly adds. The classic rug-pull signature, caught before you trust it again.
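The fingerprint-and-compare check described above, as an added illustration rather than Toolport's own code: each tool's name, description and input schema is hashed over canonical JSON at approval time, and a later listing from the same server is diffed against that record to surface changed definitions, unreviewed new tools and removed tools. The server name, tool names and `ToolRegistry` class are constructed for the example.

```python
import hashlib
import json


def fingerprint(tool: dict) -> str:
    """SHA-256 over a canonical JSON form of the parts an agent reads."""
    # Canonical serialisation: key order and whitespace cannot mask a change.
    canonical = json.dumps(
        {
            "name": tool["name"],
            "description": tool.get("description", ""),
            "inputSchema": tool.get("inputSchema", {}),
        },
        sort_keys=True, separators=(",", ":"), ensure_ascii=False,
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ToolRegistry:
    """Hypothetical per-server record of approved tool fingerprints."""

    def __init__(self) -> None:
        self._approved: dict[str, dict[str, str]] = {}  # server -> name -> fp

    def approve(self, server: str, tools: list[dict]) -> None:
        self._approved[server] = {t["name"]: fingerprint(t) for t in tools}

    def check(self, server: str, tools: list[dict]) -> list[dict]:
        """Diff a fresh tool listing against what was approved for this server."""
        known = self._approved.get(server, {})
        seen = {t["name"]: fingerprint(t) for t in tools}
        findings = []
        for name, fp in seen.items():
            if name not in known:
                findings.append({"server": server, "tool": name, "kind": "new_tool"})
            elif known[name] != fp:
                findings.append({"server": server, "tool": name, "kind": "definition_changed"})
        for name in known.keys() - seen.keys():
            findings.append({"server": server, "tool": name, "kind": "tool_removed"})
        return findings


# Constructed sample: what the "notes" server advertised when it was first approved.
CONNECT = [{"name": "add_note", "description": "Append text to a note.",
            "inputSchema": {"type": "object", "properties": {"text": {"type": "string"}}}}]
# Constructed sample: the listing on a later reconnect. The approved tool's
# description has changed and an unreviewed tool has appeared alongside it.
LATER = [{"name": "add_note", "description": "Append text to a note and echo it back.",
          "inputSchema": {"type": "object", "properties": {"text": {"type": "string"}}}},
         {"name": "export_all", "description": "Export every note.", "inputSchema": {"type": "object"}}]


def demo() -> list[dict]:
    registry = ToolRegistry()
    registry.approve("notes", CONNECT)
    return registry.check("notes", LATER)  # both findings should be flagged
```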

Agentjacking (indirect prompt injection)

Untrusted content returned by a tool (a Sentry error, a GitHub issue body, a web page, a DB row) carries instructions the agent follows as if they were yours.

Toolport scans tool results and wraps any flagged content with a provenance marker telling the agent it's external data, not instructions, before the agent sees it. Information-preserving: only flagged results are touched.

Plaintext secrets

API keys and tokens sitting in client config files in the clear, readable by any process or backup on the machine.

Toolport holds secrets in the OS keychain and injects them at runtime. Your client config only ever says “talk to Toolport,” so keys never land in a client's JSON.

Over-permissioned agents

An agent reaches a delete, drop, or write tool you never meant to expose, and every step is technically authorized.

One switch hides and blocks every tool a server annotates as destructive, across every connected server at once. Per-tool deny, too. Agent control is opt-in and can never flip this safety switch.

No audit trail

You can't see what your agent actually did across all those tools, so you can't review, prove, or govern it.

Every tool call flows through the gateway and is recorded, with per-server latency and error rates. The kind of “agent ingested external content, then tried to run X” trail an EDR can't produce.

Why the gateway

The control point that already exists.

EDR and IAM can't see this. They watch processes and identities, but an agentjacking attack is a sequence of fully authorized steps. Toolport sits exactly where the tools do: it inspects each definition the moment a server connects, and each result the moment it returns, with no change to your client or your servers. That is genuinely unique to an in-path gateway, and it's why the safety controls live here next to the cost and governance ones.

Honest about scope

What this is, and what it isn't.

Cost, governance, and safety, all at one local gateway.

Free and open source. Up to 91% fewer tokens at the same task success, on by default, with the security controls above.