Allow an internal MCP server — DefenseClaw

Problem

Your team runs an internal MCP server — mcp.corp.example/agents — that provides legitimate tools. The default scanner profile sees an unfamiliar endpoint and flags it, landing the server in quarantine. You want to trust this specific server while keeping the scanner enabled for everything else.

Solution

Three options, from cheapest to most thorough.

Option 1: Trust list entry (recommended)

Add the server to the admission trust list in ~/.defenseclaw/policy/data.json (fragment; the fingerprint is the pinned manifest hash):

{
  "trust": {
    "mcp": [
      {
        "fingerprint": "sha256:abc123...",
        "name": "internal-tools",
        "reason": "Owned by @platform-team; reviewed 2026-04-15",
        "expires": "2026-10-15"
      }
    ]
  }
}

Reload:

defenseclaw-gateway policy reload

Admission sees a fingerprint match and emits an admission.trusted event, bypassing the blocking rules but still running the scanner for observation purposes.

Option 2: Per-profile scanner overlay

If you want to shape the scanner's behavior rather than override admission, add a profile-specific policy:

# ~/.defenseclaw/policy/guardrail/default/rules/internal-mcp-allowlist.yaml
rules:
  - id: internal-mcp-allowlist
    severity: LOW
    direction: tool_call
    description: "Lower severity for internal MCP tools"
    all:
      - condition: "tool_source == 'mcp.corp.example/agents'"
    action_override: allow

This leaves the scanner running at full strength, but tool calls from the internal MCP server don't trigger medium/high findings unless the content is actually bad.

Option 3: Custom scanner profile

Create a narrower analyzer posture while you triage the internal server:

defenseclaw setup mcp-scanner \
  --non-interactive \
  --analyzers yara,readiness \
  --scan-instructions

Then scan the registered server by name. See MCP scanner.

Verification

# Install the MCP config
cat > ~/.openclaw/mcp-servers/internal-tools.json <<'EOF'
{ "name": "internal-tools", "endpoint": "https://mcp.corp.example/agents", ... }
EOF

defenseclaw mcp scan internal-tools --json

You should see the current scan result for internal-tools; the gateway audit store records subsequent admission decisions.

Caveats

  • Trust entries must expire. Stale trust is worse than none.
  • Pin by hash. Pinning by name trusts anyone who can write the file.
  • Anything trusted is a lower priority for alerting but still fully audited.
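
A lint for the Option 1 trust list that enforces the caveats above, as an added example rather than DefenseClaw's own code: it flags trust.mcp entries that lack a full hash pin, a reason, or an unexpired expires date. The function name, finding labels, 30-day warning window and full-digest fingerprint format are assumptions.

```python
import json
import re
import sys
from datetime import date, timedelta

# Assumption: a pinned fingerprint is "sha256:" plus the full 64-hex-digit digest.
FINGERPRINT_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def audit_trust_entries(policy, today, warn_days=30):
    """Return (entry name, problem) pairs for trust.mcp entries that break the caveats."""
    findings = []
    for i, entry in enumerate(policy.get("trust", {}).get("mcp", [])):
        name = entry.get("name") or f"<entry {i}>"
        if not FINGERPRINT_RE.match(str(entry.get("fingerprint") or "")):
            findings.append((name, "no-pinned-hash"))   # name-only or truncated pin
        if not str(entry.get("reason") or "").strip():
            findings.append((name, "no-reason"))        # nobody owns this exception
        try:
            expires = date.fromisoformat(entry["expires"])
        except KeyError:
            findings.append((name, "no-expiry"))
            continue
        except (TypeError, ValueError):
            findings.append((name, "bad-expiry"))
            continue
        # Assumption: an entry is treated as expired on its expiry date itself.
        if expires <= today:
            findings.append((name, "expired"))
        elif expires - today <= timedelta(days=warn_days):
            findings.append((name, "expires-soon"))
    return findings

# Constructed sample in the shape of the data.json fragment; all values are made up.
SAMPLE_POLICY = {"trust": {"mcp": [
    {"fingerprint": "sha256:" + "ab" * 32, "name": "internal-tools",
     "reason": "Owned by @platform-team; reviewed 2026-04-15", "expires": "2026-10-15"},
    {"fingerprint": "sha256:" + "cd" * 32, "name": "stale-server",
     "reason": "pilot", "expires": "2025-01-31"},
    {"name": "name-only", "reason": "", "expires": "2026-05-20"},
]}}

if __name__ == "__main__":
    # Pass a path to a comment-free JSON policy file, or no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    problems = audit_trust_entries(policy, date.today())
    print("\n".join(f"{name}: {problem}" for name, problem in problems))
    sys.exit(1 if problems else 0)
```

The non-zero exit status on any finding lets the check gate a policy change in CI before the reload step.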
