I’ve been building a lot of agents using Anthropic’s MCP (Model Context Protocol), but I realized I was essentially giving the LLM "God Mode" on my laptop. If I install the Docker MCP, the agent has root access. If I install the Filesystem MCP, it can read my ~/.ssh keys.
After reading about the "GeminiJack" vulnerability (where a malicious document tricks the AI into exfiltrating data), I realized we need a defense layer that sits outside the model.
I built AIP (Agent Identity Protocol) to solve this.
It’s a lightweight Proxy (Sidecar) that sits between your Cursor/Claude client and the MCP tool. It acts like a "Service Mesh" for agents.
Key Features:
1. Manifest-Driven Security: You define an `agent.yaml` that allow-lists specific tools (e.g., `git clone` is okay, `git push` is blocked).
2. Deep Packet Inspection: It parses the JSON-RPC traffic and uses Regex to validate arguments (e.g., allow `docker run alpine` but block `docker run -v /:/host`).
3. "Little Snitch" Mode: If an agent tries a high-risk action, it pops up a native OS window asking you to Approve/Deny.
4. DLP: It scans the tool's output and redacts secrets (API keys, PII) before sending the result back to the LLM.
It’s written in Go, works with any standard MCP client (Cursor, Claude Desktop), and is open source (Apache 2.0).
I’d love feedback on the protocol design—specifically how we handle the handshake between the proxy and the tool.
eduardoarangog•1h ago
Repo: https://github.com/ArangoGutierrez/agent-identity-protocol