Tags: mcp · input-validation · security · tool-use

How to validate tool arguments in MCP servers

Treat model-generated parameters as untrusted input. Validate shape, ranges, and paths before policy and execution.

May 27, 2026 · 6 min read

MCP tool handlers should validate every argument as untrusted input. A strict schema rejects malformed requests outright, and, combined with path and command allowlists, it blocks the command injection and path traversal payloads a model can be steered into generating under adversarial influence.

Key takeaways

  • Use explicit type and range checks on every tool parameter.
  • Reject unknown keys and normalize file paths safely.
  • Run validation before the runtime policy decision and before execution, so policy only ever sees well-formed input.

Implementation checklist

  1. Adopt schema validation with strict mode.
  2. Add path allowlists for file and shell-related tools.
  3. Return structured validation errors for operator triage.
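The three checklist steps above as one validation stage for a hypothetical `read_file` tool. This is an added example, not code from the original post or from any MCP SDK; the tool name, the `SANDBOX_ROOT` of `/srv/sandbox`, the schema fields, and the error codes are all assumptions. It enforces strict mode (unknown keys are errors), type and range checks, a character allowlist, a path allowlist rooted in the sandbox, and returns structured errors an operator can triage.

```python
"""Validation stage for an MCP tool handler: strict schema, path allowlist,
structured errors. Added example; tool name, root, schema and error codes are
assumptions, not taken from the original post or any MCP SDK."""
import posixpath
import re
from typing import Any, Optional

# Assumed sandbox root that the hypothetical read_file tool may read from.
SANDBOX_ROOT = "/srv/sandbox"

# Assumed schema for the hypothetical read_file tool. Every key is required
# unless "optional" is set; keys not listed here are rejected (strict mode).
READ_FILE_SCHEMA = {
    "path": {"type": str, "max_len": 256, "pattern": re.compile(r"[\w./ -]+")},
    "max_bytes": {"type": int, "min": 1, "max": 1_000_000, "optional": True},
    "encoding": {"type": str, "enum": {"utf-8", "latin-1"}, "optional": True},
}


def _err(field: str, code: str, message: str) -> dict:
    # One structured error record; the code is stable, the message is for humans.
    return {"field": field, "code": code, "message": message}


def validate_args(args: Any, schema: dict) -> list:
    """Check shape, types, ranges and character sets. Returns a list of
    structured errors; an empty list means the arguments pass."""
    if not isinstance(args, dict):
        return [_err("$", "not_object", "arguments must be a JSON object")]
    errors = []
    # Strict mode: unknown keys are an error, never silently dropped.
    for key in sorted(args.keys() - schema.keys()):
        errors.append(_err(key, "unknown_key", "key not in tool schema"))
    for name, spec in schema.items():
        if name not in args:
            if not spec.get("optional"):
                errors.append(_err(name, "missing", "required parameter absent"))
            continue
        value = args[name]
        # bool is a subclass of int in Python, so compare exact types:
        # a model-supplied true must not pass as the integer 1.
        if type(value) is not spec["type"]:
            errors.append(_err(name, "wrong_type", f"expected {spec['type'].__name__}"))
            continue
        if ("min" in spec and value < spec["min"]) or ("max" in spec and value > spec["max"]):
            errors.append(_err(name, "out_of_range",
                               f"must be within [{spec.get('min')}, {spec.get('max')}]"))
        if "max_len" in spec and len(value) > spec["max_len"]:
            errors.append(_err(name, "too_long", f"at most {spec['max_len']} characters"))
        if "pattern" in spec and not spec["pattern"].fullmatch(value):
            errors.append(_err(name, "bad_chars", "characters outside the allowed set"))
        if "enum" in spec and value not in spec["enum"]:
            errors.append(_err(name, "not_in_enum", f"must be one of {sorted(spec['enum'])}"))
    return errors


def resolve_sandbox_path(user_path: str, root: str = SANDBOX_ROOT) -> Optional[str]:
    """Normalize a model-supplied relative path and confirm it stays under root.
    Returns the absolute path, or None if it is absolute, malformed, or escapes."""
    if "\x00" in user_path or user_path.startswith("/"):
        return None
    # Lexical normalization collapses "." and ".." before the prefix check.
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    # The prefix check must include the separator, otherwise a root of
    # /srv/sandbox would also accept /srv/sandbox-evil/...
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # In a real handler, follow this with os.path.realpath() once the file is
    # known to exist and repeat the prefix check, so symlinks cannot escape.
    return candidate


def check_read_file(args: Any) -> dict:
    """Validation stage for the hypothetical read_file tool. Runs before any
    policy decision or I/O. Returns {"ok": True, "path": ..., "max_bytes": ...}
    or {"ok": False, "errors": [...]} for the caller to log and return."""
    errors = validate_args(args, READ_FILE_SCHEMA)
    if errors:
        return {"ok": False, "errors": errors}
    path = resolve_sandbox_path(args["path"])
    if path is None:
        return {"ok": False, "errors": [_err("path", "outside_allowlist",
                                             "path escapes the sandbox root")]}
    return {"ok": True, "path": path, "max_bytes": args.get("max_bytes", 65_536)}


if __name__ == "__main__":
    # Constructed sample arguments a model might emit, benign and hostile.
    for sample in ({"path": "notes/a.txt", "max_bytes": 10},
                   {"path": "../../etc/passwd"},
                   {"path": "a.txt", "shell": "rm -rf /"},
                   {"path": "a.txt", "max_bytes": True}):
        print(sample, "->", check_read_file(sample))
```

The handler only sees a result with `ok` set; the policy layer that follows can reason about a known-good absolute path and a bounded byte count rather than re-parsing model output. Error codes are fixed strings so that operators can count and alert on them (a spike in `outside_allowlist` from one client is a useful signal), while the messages stay free-form.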

People also ask

Are model-generated arguments safer than user input?

No. Model output can be manipulated and should be treated with the same distrust as internet-facing input.

Should validation happen inside or outside the model?

Outside the model, in deterministic server code that cannot be bypassed by prompt-level attacks.

Can validation replace approval workflows?

No. Validation ensures shape and constraints; approval workflows handle business and risk decisions.

Related: MCP server security checklist (2026): what to lock down first, MCP server action gate: verify Model Context Protocol tools before execution.
