## **PoC**

[Hyper-MCP](https://github.com/tuananh/hyper-mcp) is an example of a secure MCP server that extends its capabilities through WebAssembly plugins, by [tuananh](https://github.com/tuananh). Each plugin runs in its own WASM VM. By default, plugins have no filesystem access and no network access. https://mcp.run is a vendor leveraging the WASM architecture too.

## **Details**

Developed in response to research such as the [tool poisoning attack](https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks), it is a pretty good example of how to lock down MCP servers:

- Sandboxed plugins that can't access your system without permission
- Memory-safe execution with resource limits
- Secure plugin distribution through container registries
- Fine-grained access control for host functions
- By default, no filesystem access, no network access, etc.
- OCI plugin images are signed at publish time and verified at load time with Sigstore.

Other considerations for MCPs (outside the scope of this project) include using your prompt injection protection layers/technologies, and authentication & authorization. Agents will need service accounts and related claims to be effective, i.e. what defines what an agent can access inside of another agent during task execution? There has been writing to suggest that OAuth is acceptable for this using custom claims, but that assumes the related claims and agents understand when you use them vs. the claims passed to them from a human or secondary agent interacting with them.
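The "fine-grained access control for host functions" and "no filesystem access, no network access by default" properties above amount to a default-deny capability gate that the host applies before servicing any call a plugin makes out of its sandbox. The following is an added example of such a gate, not hyper-mcp's own code; the plugin names, hosts and paths in it are constructed sample values, and the host-function names `http_get` and `fs_read` are hypothetical.

```python
# Added example, not hyper-mcp's code: a default-deny gate the host applies
# before servicing a plugin's host-function call. Plugin names, hosts and
# paths used here are constructed sample values.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit
import posixpath

class CapabilityDenied(PermissionError):
    """A plugin invoked a host function it was not granted."""

@dataclass(frozen=True)
class PluginPolicy:
    """Capabilities granted to one plugin; anything not listed is denied."""
    name: str
    allowed_hosts: frozenset = frozenset()  # e.g. {"api.example.com", "*.example.com"}
    allowed_paths: frozenset = frozenset()  # directory roots the plugin may read

def check_http(policy: PluginPolicy, url: str) -> str:
    """Permit only https to an allow-listed host; return the normalised host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        raise CapabilityDenied(f"{policy.name}: only https URLs with a host are allowed")
    if not any(fnmatchcase(host, pat.lower()) for pat in policy.allowed_hosts):
        raise CapabilityDenied(f"{policy.name}: network access to {host} not granted")
    return host

def check_read(policy: PluginPolicy, path: str) -> str:
    """Permit reads only beneath a granted root; '..' segments are collapsed first."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        raise CapabilityDenied(f"{policy.name}: plugin paths must be absolute")
    for root in policy.allowed_paths:
        root_norm = posixpath.normpath(root)
        if norm == root_norm or norm.startswith(root_norm.rstrip("/") + "/"):
            return norm
    raise CapabilityDenied(f"{policy.name}: read of {norm} not granted")

# Host functions a plugin may import, each bound to its capability check.
HOST_FUNCTIONS = {"http_get": check_http, "fs_read": check_read}

def authorize_host_call(policy: PluginPolicy, func: str, arg: str) -> str:
    """Gate one host call; unknown functions are denied rather than passed through."""
    check = HOST_FUNCTIONS.get(func)
    if check is None:
        raise CapabilityDenied(f"{policy.name}: host function {func!r} is not exported")
    return check(policy, arg)
```

A plugin constructed with a bare `PluginPolicy("name")` can call nothing, which is the default the page describes; grants are added per plugin in the host configuration rather than requested by the plugin at runtime.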