Metadata-Version: 2.4
Name: munio
Version: 0.1.0
Summary: AI agent security toolkit — scan MCP servers, guard tool calls
Project-URL: Homepage, https://munio.dev
Project-URL: Documentation, https://munio.dev
Project-URL: Repository, https://github.com/munio-dev/munio
Project-URL: Issues, https://github.com/munio-dev/munio/issues
Project-URL: Changelog, https://github.com/munio-dev/munio/blob/main/CHANGELOG.md
Author: Munio Security
License-Expression: Apache-2.0
License-File: LICENSE
Keywords: agent-security,ai-safety,crewai,formal-verification,guardrails,langchain,mcp,mcp-scanner,mcp-security,openclaw
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Typing :: Typed
Requires-Python: >=3.10
Requires-Dist: pydantic<3,>=2.6
Requires-Dist: pyyaml<7,>=6.0
Requires-Dist: rich<14,>=13
Requires-Dist: typer<1,>=0.12
Provides-Extra: all
Requires-Dist: crewai<3,>=1.5; extra == 'all'
Requires-Dist: fastapi<1,>=0.115; extra == 'all'
Requires-Dist: fastmcp<4,>=3.0; extra == 'all'
Requires-Dist: httpx<1,>=0.25; extra == 'all'
Requires-Dist: joblib<2,>=1.4; extra == 'all'
Requires-Dist: langchain-core<2,>=1.0; extra == 'all'
Requires-Dist: mcp<2,>=1.25; extra == 'all'
Requires-Dist: openai-agents<1,>=0.1; extra == 'all'
Requires-Dist: scikit-learn<2,>=1.5; extra == 'all'
Requires-Dist: tree-sitter-javascript<1,>=0.23; extra == 'all'
Requires-Dist: tree-sitter-python<1,>=0.23; extra == 'all'
Requires-Dist: tree-sitter-typescript<1,>=0.23; extra == 'all'
Requires-Dist: tree-sitter<1,>=0.24; extra == 'all'
Requires-Dist: uvicorn[standard]<1,>=0.32; extra == 'all'
Requires-Dist: z3-solver<5,>=4.16; extra == 'all'
Provides-Extra: crewai
Requires-Dist: crewai<3,>=1.5; extra == 'crewai'
Provides-Extra: download
Requires-Dist: httpx<1,>=0.25; extra == 'download'
Provides-Extra: langchain
Requires-Dist: langchain-core<2,>=1.0; extra == 'langchain'
Provides-Extra: mcp-adapter
Requires-Dist: fastmcp<4,>=3.0; extra == 'mcp-adapter'
Provides-Extra: mcp-client
Requires-Dist: mcp<2,>=1.25; extra == 'mcp-client'
Provides-Extra: ml
Requires-Dist: joblib<2,>=1.4; extra == 'ml'
Requires-Dist: scikit-learn<2,>=1.5; extra == 'ml'
Provides-Extra: openai-agents
Requires-Dist: openai-agents<1,>=0.1; extra == 'openai-agents'
Provides-Extra: server
Requires-Dist: fastapi<1,>=0.115; extra == 'server'
Requires-Dist: uvicorn[standard]<1,>=0.32; extra == 'server'
Provides-Extra: source
Requires-Dist: tree-sitter-javascript<1,>=0.23; extra == 'source'
Requires-Dist: tree-sitter-python<1,>=0.23; extra == 'source'
Requires-Dist: tree-sitter-typescript<1,>=0.23; extra == 'source'
Requires-Dist: tree-sitter<1,>=0.24; extra == 'source'
Provides-Extra: z3
Requires-Dist: z3-solver<5,>=4.16; extra == 'z3'
Description-Content-Type: text/markdown

<p align="center">
  <strong>[m] munio</strong><br>
  Security scanner and runtime guard for AI agent tool calls
</p>

<p align="center">
  <a href="https://github.com/munio-dev/munio/blob/main/LICENSE"><img alt="License" src="https://img.shields.io/badge/license-Apache--2.0-blue"></a>
  <a href="https://python.org"><img alt="Python 3.10+" src="https://img.shields.io/badge/python-3.10+-blue"></a>
</p>

---

AI agents call external tools — MCP servers, OpenClaw skills, API endpoints. A malicious or poorly-written tool can exfiltrate your data, execute arbitrary commands, or chain actions into multi-step attacks. **munio** catches these issues before they reach your agent.

<p align="center">
  <img src="https://raw.githubusercontent.com/munio-dev/munio/main/assets/demo-scan.gif" alt="munio scan demo" width="800">
</p>

```bash
pipx install munio
munio config-scan
```

For deep tool schema analysis:

```bash
munio scan --server "npx @modelcontextprotocol/server-filesystem /tmp"
```

No MCP servers? Try the bundled example:

```bash
munio scan --file examples/vulnerable-server.json --details
```

## Why scan MCP servers?

The same vulnerability classes that led to [512 findings in Copilot extensions](https://www.legitsecurity.com/blog/legit-security-discovers-widespread-vulnerabilities-in-github-copilot-extensions) and [820+ malicious OpenClaw skills](https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/) -- path traversal, command injection, SSRF, prompt injection -- exist in every AI tool-calling ecosystem. MCP servers, OpenClaw skills, and framework-integrated tools share the same attack surface.

munio was built by scanning 700+ public MCP servers and responsibly disclosing the vulnerabilities found. It works with MCP, OpenClaw, LangChain, CrewAI, and OpenAI Agents SDK.

## What it catches

| Category | Examples | How |
|----------|----------|-----|
| **Path traversal** | `../../etc/passwd` in file parameters | Schema analysis + Z3 formal proof |
| **SSRF** | `http://169.254.169.254` in URL parameters | Pattern matching + Z3 proof |
| **Command injection** | `; rm -rf /` in shell parameters | Denylist + regex + Z3 proof |
| **Prompt injection** | Hidden instructions in tool descriptions | ML classifier (188 languages) |
| **Data exfiltration** | `read_file` + `http_request` = stolen secrets | Compositional flow analysis |
| **Supply chain** | Unpinned npm deps, hardcoded API keys in config | Config file scanner |

## Installation

```bash
pipx install munio          # CLI (recommended)
pip install munio            # library
pip install "munio[z3]"      # with formal verification
pip install "munio[all]"     # everything
```

## Scan MCP servers

```bash
munio scan --server "npx @foo/mcp-server"       # scan a live server
munio scan --file tools.json                     # scan exported schemas
munio scan                                       # auto-discover from IDE configs
munio scan --details                             # show affected tools and fixes
munio scan --format sarif --output report.sarif  # SARIF 2.1.0 for CI
```

8 analysis layers: L1 Schema, L2 Heuristic, L2.5 ML Classifier, L2.6 Multilingual ML, L3 Static, L4 Z3 Formal, L5 Compositional, L7 Source.

## Scan config files

Finds hardcoded credentials, unpinned dependencies, and supply chain risks in Claude Desktop, Cursor, VS Code, Windsurf, Cline, and Junie configs. No server connections needed.

```bash
munio config-scan                    # auto-discover all IDE configs
munio config-scan --config file.json # scan a specific config
```

<p align="center">
  <img src="https://raw.githubusercontent.com/munio-dev/munio/main/assets/demo-config-scan.gif" alt="munio config-scan demo" width="800">
</p>

## Detect cross-server attack chains

```bash
munio compose --schemas-dir ./schemas  # analyze pre-fetched schemas
munio compose --format markdown        # generate CVE filing drafts
```

## Protect at runtime

Intercept every tool call before execution. No code changes.

```bash
munio init      # wrap all MCP servers in IDE configs
munio status    # check protection status
munio restore   # remove wrapper
```

After `munio init`, every `tools/call` is verified against YAML constraints. Dangerous calls are blocked before reaching the server.

### Constraint example

```yaml
name: block-dangerous-urls
action: http_request
check:
  type: denylist
  field: url
  values: ["evil.com", "169.254.169.254"]
  match: contains
on_violation: block
severity: critical
```

8 check types: `denylist`, `allowlist`, `threshold`, `regex_deny`, `regex_allow`, `composite`, `rate_limit`, `sequence_deny`.

## Python API

```python
from munio import Guard

guard = Guard(constraints="generic")
result = guard.check({"tool": "http_request", "args": {"url": "https://evil.com"}})
# result.allowed = False
```

Adapters for LangChain, CrewAI, OpenAI Agents SDK, and MCP. [See docs.](https://munio.dev)

## How it works

| Tier | What | Backend | Latency |
|------|------|---------|---------|
| **1** | Denylists, allowlists, regex, thresholds | Pure Python | <0.01ms |
| **2** | Multi-variable arithmetic | Z3 subprocess | 5-100ms |
| **3** | Complex constraints | Z3 full | 100ms-5s |
| **4** | Deploy-time policy verification | Z3 offline | per deploy |

Tier 1 handles 90-95% of constraints. Z3 is optional (`pip install "munio[z3]"`).

## All commands

| Command | What |
|---------|------|
| `munio scan` | Scan MCP server tool schemas |
| `munio config-scan` | Scan config files for supply chain risks |
| `munio compose` | Detect cross-server attack chains |
| `munio init` / `status` / `restore` | Manage runtime protection |
| `munio gate -- CMD` | Proxy a single MCP server |
| `munio check JSON` | Verify a single action |
| `munio serve` | HTTP API server |
| `munio policy` | Deploy-time Z3 policy verification |
| `munio download-models` | Download ML classifier models |

## Development

```bash
git clone https://github.com/munio-dev/munio.git && cd munio
make install    # uv sync + pre-commit hooks
make test       # 3900+ tests
make ci         # lint + typecheck + tests + coverage
```

## License

[Apache 2.0](LICENSE)
