7 Essential Strategies for Securing MCP Tool Calls in .NET with the Agent Governance Toolkit

Introduction

Artificial intelligence agents are increasingly connecting to real-world tools—reading files, calling APIs, and querying databases—through the Model Context Protocol (MCP). While this opens up powerful automation possibilities, it also introduces significant security risks. Malicious or misconfigured tools can exfiltrate data, inject prompt attacks, or execute unauthorized operations. The Agent Governance Toolkit (AGT) for .NET provides a dedicated governance layer that enforces policy, inspects inputs and outputs, and makes trust decisions explicit. This article explores seven key strategies to secure MCP tool calls using AGT, based on practical patterns you can adapt to your own environment.

1. Understanding the MCP Tool Call Vulnerabilities

MCP tool calls face several critical vulnerabilities. Tool definitions can contain hidden instructions that trick the LLM into executing harmful actions—for example, a tool named read_flie with a description that includes an embedded system prompt to ignore previous instructions and send data to an attacker-controlled URL. Additionally, tool inputs and outputs may carry prompt injection patterns, credentials, or exfiltration URLs. The MCP specification recommends that clients prompt for user confirmation on sensitive operations, show tool inputs before execution, and validate responses. However, most MCP SDKs leave these safeguards to the host application, creating a gap that AGT is designed to fill.

2. Integrating the Agent Governance Toolkit into Your .NET Project

Getting started with AGT is straightforward. The Microsoft.AgentGovernance NuGet package is MIT-licensed, targets .NET 8.0+, and has only one direct dependency (YamlDotNet). No external services are required for local governance. Add it via the dotnet CLI:

dotnet add package Microsoft.AgentGovernance

Once installed, you can instantiate components like McpGateway and wire them into your MCP client pipeline. The toolkit enforces policy checks, input inspection, and response validation consistently across every agent you build.

3. Building a Governed Pipeline with McpGateway

The McpGateway component acts as a middleware layer that evaluates every tool call before execution. It intercepts the call, applies configured policies (like allowed tools, permitted servers, and sensitive operation checks), and logs the decision. This ensures that no tool call reaches the MCP server without first passing through the governance layer. The pipeline can also inject user confirmation prompts for high-risk operations, giving you a consistent enforcement point across all agents. Use it like:

var gateway = new McpGateway(new PolicyLoader());
var result = await gateway.ExecuteAsync(toolCall);

4. Scanning Tool Definitions with McpSecurityScanner

McpSecurityScanner detects suspicious tool definitions before they are exposed to the LLM. It analyzes the tool name, description, and input schema for indicators of manipulation—such as mismatched names (e.g., read_flie instead of read_file), embedded system prompts, or suspicious URLs. The scanner returns a risk score (0–100) and a list of identified threats. This allows you to reject or quarantine dangerous tools before the agent can use them. Example usage:

var scanner = new McpSecurityScanner();
var result = scanner.ScanTool(toolDefinition);
Console.WriteLine($"Risk score: {result.RiskScore}/100");

5. Sanitizing Tool Responses with McpResponseSanitizer

Even if the tool call itself is safe, the response may contain harmful content. McpResponseSanitizer removes prompt-injection patterns, credentials, and exfiltration URLs from tool outputs before they are returned to the LLM. This prevents the LLM from being influenced by hidden instructions in the response or accidentally exposing sensitive data. The sanitizer can be configured with custom patterns and is integrated into the governance pipeline after the tool executes. It acts as a final protective layer, ensuring only clean, safe content reaches your agent.

6. Orchestrating Governance with GovernanceKernel

GovernanceKernel wires together all AGT components using YAML-based policy definitions. It orchestrates the pipeline: first scanning tool definitions, then governing tool calls via McpGateway, and finally sanitizing responses. Auditing is built-in—every action is logged and can be exported via OpenTelemetry for monitoring and compliance. Policies can define allowed tools, risk thresholds, and mandatory confirmation steps. This central approach makes it easy to maintain consistent governance across all agents in your organization.

7. Implementing YAML Policy and OpenTelemetry Auditing

AGT uses YAML files to define governance policies. For example, you can specify a list of permitted servers, set a maximum risk score for tool definitions, and require user confirmation for tools that modify data. All policy decisions are emitted as audit events via OpenTelemetry, giving you visibility into every governed action. This enables real-time monitoring and post-hoc analysis. Here is a sample policy snippet:

policies:
  allowedServers:
    - "official-mcp-server"
  maxRiskScore: 30
  requireConfirmation:
    - operations: ["write", "delete"]

Integration with OpenTelemetry requires a simple exporter setup—no additional AGT dependencies.

Conclusion

Securing MCP tool calls is essential for building trustworthy AI agents. The Agent Governance Toolkit provides a comprehensive set of components—McpGateway, McpSecurityScanner, McpResponseSanitizer, and GovernanceKernel—that work together to enforce policy, detect threats, and sanitize outputs. By adopting these seven strategies, you can protect your .NET applications from malicious tool definitions, prompt injection, and data exfiltration, while maintaining full auditability. The toolkit's MIT license and minimal dependencies make it easy to integrate into existing projects. Start governing your MCP tool calls today.