Invariant Guardrails / MCP-scan
Type: full-code · Vendor: Invariant Labs (acquired by Snyk) · Language: Python · License: Apache-2.0 · Status: active · Status in practice: emerging · First released: 2024
Invariant provides a security layer for AI agents that statically scans agent execution traces and MCP servers to detect threats such as prompt injection, tool poisoning, and data leaks.
Description. Invariant Guardrails and MCP-scan are agent security tools from Invariant Labs, an ETH Zurich spin-off acquired by Snyk in 2025. The analyzer applies information-flow analysis, driven by policy rules, over an agent's execution traces to flag unsafe tool-call sequences and threats. MCP-scan inspects Model Context Protocol servers for risks such as tool poisoning and prompt injection embedded in tool descriptions.
Agent loop shape. Invariant runs as an out-of-band analysis layer rather than an agent loop: it ingests an agent's execution traces and MCP server definitions and runs static information-flow analysis over them, raising policy violations when unsafe flows or injected instructions are detected.
Primary use cases
- scanning agent execution traces for threats
- detecting prompt injection and tool poisoning in MCP servers
- enforcing data-flow and tool-sequence policies
- version-pinning untrusted MCP tools
Key concepts
- Guardrailing rules → policy-as-code-gate (docs) — Python-inspired matching rules that pattern-match over LLM messages and tool calls; when a trace matches a rule the engine raises and can block the offending LLM or MCP request.
- Analyzer → trajectory-anomaly-monitor (docs) — The information-flow analysis engine that scans an agent's execution traces to identify bugs such as looping behavior and threats such as data leaks, prompt injections, and unsafe code execution.
- MCP-scan → tool-output-poisoning (docs) — A tool that inspects Model Context Protocol servers for risks such as tool poisoning and prompt injection embedded in tool descriptions, and supports version-pinning untrusted tools.
- Detectors → prompt-injection-defense (docs) — A standard library of operations (such as prompt_injection and PII detectors) that guardrailing rules invoke to test message and tool-output content for threats.
Patterns this full-code implements
- ·Trajectory Anomaly Monitor
A static-analysis scanning engine based on information-flow analysis runs over the agent's execution traces to flag bugs such as looping behavior and threats such as prompt injections and unsafe code…
- ★Policy-as-Code Gate
Guardrails are written as machine-readable, Python-inspired matching rules deployed between the application and its LLM or MCP servers; the engine evaluates the rules on each request and errors out t…
- ★Tool Output Poisoning Defense
Documents that MCP tool descriptions and output cannot be trusted and prescribes version pinning plus its Guardrails/MCP-scan tooling to constrain untrusted tool content.
- ★Prompt Injection Defense
Rules can call a built-in prompt_injection detector over tool output, so a guardrail can block a downstream tool call when injected instructions are detected in untrusted tool content.