Skip to content
Cisco AI Defense logo
CiscoAI Security

defenseclaw mcp — DefenseClaw

Overview

defenseclaw mcp — Manage MCP servers — scan, block, allow, list, set, unset.

Reference

Synopsis

defenseclaw mcp [OPTIONS]

Subcommands

SubcommandDescription
allowAllow an MCP server (by name or URL).
blockBlock an MCP server (by name or URL).
listList MCP servers configured in OpenClaw.
scanScan an MCP server by name or URL.
setAdd or update an MCP server in OpenClaw config.
unblockRemove an MCP server from the block list and clear enforcement state.
unsetRemove an MCP server from OpenClaw config.

Description

Manage MCP servers — scan, block, allow, list, set, unset

defenseclaw mcp allow

Allow an MCP server (by name or URL)

defenseclaw mcp allow <TARGET>

Arguments

NameTypeArityRequired
targettext1yes

Options

FlagTypeDefaultEnv varRequiredDescription
--reasontextnoReason for allowing

defenseclaw mcp block

Block an MCP server (by name or URL)

defenseclaw mcp block <TARGET>

Arguments

NameTypeArityRequired
targettext1yes

Options

FlagTypeDefaultEnv varRequiredDescription
--reasontextnoReason for blocking

defenseclaw mcp list

List MCP servers configured in OpenClaw

Options

FlagTypeDefaultEnv varRequiredDescription
--jsonbooleannoOutput as JSON

defenseclaw mcp scan

Scan an MCP server by name or URL

Scan an MCP server by name or URL.

TARGET can be a server name from openclaw.json or a direct URL. Use --all to scan every configured server.

defenseclaw mcp scan [TARGET]

Arguments

NameTypeArityRequired
targettext1no

Options

FlagTypeDefaultEnv varRequiredDescription
--jsonbooleannoOutput results as JSON
--analyzerstextnoComma-separated analyzer list
--scan-promptsbooleannoAlso scan MCP prompts
--scan-resourcesbooleannoAlso scan MCP resources
--scan-instructionsbooleannoAlso scan server instructions
--allbooleannoScan every server in openclaw.json

defenseclaw mcp set

Add or update an MCP server in OpenClaw config

Add or update an MCP server in OpenClaw config.

Scans the server before adding unless --skip-scan is set. Rejects servers with HIGH/CRITICAL findings.

 Examples: defenseclaw mcp set context7 --command uvx --args context7-mcp defenseclaw mcp set deepwiki --url https://mcp.deepwiki.com/mcp defenseclaw mcp set myserver --command npx --args '["-y", "@myorg/mcp-server"]' defenseclaw mcp set myserver --command node --args server.js --env API_KEY=xxx defenseclaw mcp set untrusted --url http://example.com/mcp --skip-scan

defenseclaw mcp set <NAME>

Arguments

NameTypeArityRequired
nametext1yes

Options

FlagTypeDefaultEnv varRequiredDescription
--commandtextnoServer command (e.g. npx, uvx)
--argstextnoCommand args (JSON array or comma-separated)
--urltextnoServer URL (for SSE/HTTP transport)
--transporttextnoTransport type (stdio, sse)
--envtextSentinel.UNSETnoEnv vars as KEY=VAL (repeatable)
--skip-scanbooleannoSkip security scan before adding

defenseclaw mcp unblock

Remove an MCP server from the block list and clear enforcement state

Remove an MCP server from the block list and clear enforcement state.

Unlike 'allow', this does not add the server to the allow list — it simply removes the block so the server goes through normal scanning on the next check.

defenseclaw mcp unblock <TARGET>

Arguments

NameTypeArityRequired
targettext1yes

defenseclaw mcp unset

Remove an MCP server from OpenClaw config

defenseclaw mcp unset <NAME>

Arguments

NameTypeArityRequired
nametext1yes

Usage

List and scan MCP servers

defenseclaw mcp list --json
defenseclaw mcp scan --all --json

--all scans configured MCP entries instead of a single target.

Register or block a server

defenseclaw mcp set local-tools --command npx --args "@modelcontextprotocol/server-filesystem" --skip-scan
defenseclaw mcp block local-tools --reason "pending review"

Use --skip-scan only when another gate has already reviewed the server.

Related