Blog

MCP security

mcpinput-validationsecuritytool-use

How to Validate MCP Tool Arguments (2026 Security Guide)

7-step checklist: schema validation, path allowlists, range checks, and pre-execution gates. Stop confused-deputy and injection paths before MCP tools run.

May 27, 20266 min read

MCP tool handlers should validate every argument as untrusted input. Strong schemas reduce command injection, path traversal, and malformed requests that models can generate under adversarial influence.

How to validate MCP tool arguments

Model-generated parameters are untrusted input — same as a public web form. Validation runs in deterministic server code before policy and before execution.

  • Use strict schema mode — reject unknown keys.
  • Normalize and allowlist file paths; block .. traversal.
  • Enforce numeric ranges and string length limits.
  • Return structured errors operators can triage in approval queues.
  • Run validation before verifyAction so policy sees clean context.

Key takeaways

  • Use explicit type and range checks on every tool parameter.
  • Reject unknown keys and normalize file paths safely.
  • Validation should run before runtime policy decision and execution.

Implementation checklist

  1. Adopt schema validation with strict mode.
  2. Add path allowlists for file and shell-related tools.
  3. Return structured validation errors for operator triage.

People also ask

Are model-generated arguments safer than user input?

No. Model output can be manipulated and should be treated with the same distrust as internet-facing input.

Should validation happen inside or outside the model?

Outside the model, in deterministic server code that cannot be bypassed by prompt-level attacks.

Can validation replace approval workflows?

No. Validation ensures shape and constraints; approval workflows handle business and risk decisions.

Guides: agentic AI risk · MCP security · runtime authorization · HITL approvals · coding agents · get startedMore: all posts · AI trust layer · open Sanctum Console

Give every agent action a trust boundary.

Start with Connect Agent, keep the SDK path for deeper fleets, and prove exactly what was approved, blocked, or contained.