MCP Skill Monitoring
MCP servers are the fastest-growing extension point in Claude Code, and the fastest-growing attack surface. Any MCP server can expose tools that read files, execute code, send data externally, or modify your infrastructure. Without visibility, you have no idea what your developers' MCP tools are actually doing.
Agent Keeper gives you full inventory, real-time monitoring, and policy enforcement for every MCP tool call across your organization. Start by observing what your team uses, then lock down what they shouldn't.
How it works
Every Claude Code tool call passes through Agent Keeper's PreToolUse hook. When the tool name starts with mcp__, Agent Keeper identifies it as an MCP skill and runs additional policy checks before the tool executes.
MCP tool naming convention
Claude Code follows a standard naming pattern for MCP tools:
mcp__<servername>__<toolmethod>
| Example tool name | Server | Method |
|---|---|---|
mcp__github__create_pull_request | github | create_pull_request |
mcp__slack__send_message | slack | send_message |
mcp__filesystem__read_file | filesystem | read_file |
mcp__postgres__execute_query | postgres | execute_query |
The mcp__ prefix is how Agent Keeper distinguishes MCP skills from built-in Claude Code tools like Bash, Read, and Write.
Detection flow
- Claude Code fires the
PreToolUsehook with the tool name and input - Agent Keeper parses the
mcp__prefix to extract the server name and tool method - Policy checks run against the parsed skill: blocked list, allowed list, and warn-only list
- The tool is either denied (with an explanation), warned (logged but allowed), or passed through
- Every MCP tool call is recorded in the audit trail regardless of verdict
Policy types
Configure MCP skill policies in the dashboard under Settings > Claude Code Policies. Three policy types give you progressive control, from passive monitoring to full lockdown.
Blocked skills
Deny specific MCP skills outright. When a blocked skill is invoked, Claude Code receives a deny response and the tool does not execute.
blocked_skills: ["mcp__slack", "mcp__github__delete_repo"]
Matching supports two levels of granularity:
| Pattern | What it blocks |
|---|---|
mcp__slack | All tools from the Slack MCP server |
mcp__github__delete_repo | Only the delete_repo tool from GitHub |
slack | Shorthand, equivalent to mcp__slack |
Use server-level blocks to cut off an entire MCP server. Use tool-level blocks for surgical restrictions.
Allowed skills only
When set, only the listed skills are permitted. Everything else is denied. This is allowlist mode, the most restrictive option.
allowed_skills_only: ["mcp__github", "mcp__linear__create_issue"]
In this example, all GitHub MCP tools are allowed, plus the specific create_issue tool from Linear. Any other MCP tool call is denied with a clear explanation.
Allowlist mode is ideal for locked-down environments where you want to explicitly approve every MCP integration your team can use.
Warn-only skills
Flag specific skills in the audit trail without blocking them. The tool call proceeds normally, but the event is recorded with a warning badge in the Security dashboard.
warn_only_skills: ["mcp__filesystem", "mcp__postgres"]
Warn-only mode is the right starting point when you are rolling out MCP governance. Monitor what your team uses before deciding what to block.
Policy evaluation order
When a tool call arrives, Agent Keeper evaluates MCP skill policies in this order:
- Blocked tools (org-level), checked first, applies to all tools including MCP
- Blocked skills: MCP-specific blocklist
- Allowed skills only: if non-empty, deny anything not on the list
- Warn-only skills: if the detection engine flags the tool, downgrade block to warn
- Detection engine: standard threat detection patterns run on the tool input
A tool blocked at any step does not proceed to the next. The first deny wins.
Group-based overrides
When an Identity Provider is connected (Entra ID, Google Workspace, or Okta), MCP skill policies can be overridden per directory group. Group overrides layer on top of the org default, most restrictive wins.
| Scenario | Org policy | Group override | Effective policy |
|---|---|---|---|
| Engineering gets full access | Block mcp__slack | Engineering: no override | mcp__slack blocked |
| Contractors restricted | Allow all | Contractors: block mcp__github__delete_repo | delete_repo blocked for contractors only |
| Sales locked to CRM | Allow all | Sales: allowed only mcp__salesforce | Sales can only use Salesforce MCP tools |
When a user belongs to multiple groups, overrides are merged and the most restrictive combination applies. Blocked skills from any group are always blocked. Allowed-only lists are unioned across groups.
Group-based overrides require a Team plan. See Identity Providers for setup instructions.
MCP Skill Inventory
Agent Keeper provides two complementary views of MCP server activity, each answering a different question.
Proactive server discovery (Agent Skills page)
The MCP Servers section on the Agent Skills page shows every MCP server configured across your fleet, discovered at session start before any tool is called.
The scanner reads mcpServers from three locations on each workstation:
| File | Source label |
|---|---|
~/.claude/settings.json | global |
.claude/settings.json (project) | project |
.mcp.json (project) | project |
For each server found it records:
- Server name: the key in
mcpServers(e.g.,postgres,filesystem) - Type: transport:
stdio,http, orsse - Command: the binary basename (e.g.,
npx,python3), args and env vars are never captured - Source: global or project
- Host count and timestamps
Use this view to answer: what MCP servers are installed on our workstations, even on machines where no tools have been invoked yet?
Reactive tool tracking (Security dashboard)
The MCP Skill Inventory section on the Security dashboard shows every MCP tool that has actually been called, aggregated from shield events.
Skills are grouped by server name. Each tool displays:
- Invocation count: how many times the tool has been called
- Policy status: allowed, blocked, or warned
- Last seen: when the tool was last invoked
- Hostnames: which workstations are using it
Use this view to answer: what tools are developers actually invoking, and how often?
Both inventories build automatically, no configuration required. Start with the proactive view to understand your installed surface, then use the reactive view to understand actual usage patterns before writing policy rules.
Audit trail
Every MCP tool call is logged with full context:
| Field | Description |
|---|---|
mcp_server | The MCP server name (e.g., github) |
mcp_tool | The specific tool method (e.g., create_pull_request) |
verdict | passed, warned, or blocked |
timestamp | When the tool call occurred |
hostname | Which workstation made the call |
session_id | The Claude Code session that triggered it |
Audit events are searchable in the Activity page. Filter by MCP server name, tool method, verdict, or hostname to investigate specific activity.
Why MCP skills need governance
MCP servers run with the same permissions as Claude Code itself. A single malicious or misconfigured MCP server can:
- Read sensitive files: SSH keys,
.envfiles, credentials, source code - Execute arbitrary commands: shell access through tool wrappers
- Exfiltrate data: send code, secrets, or proprietary data to external endpoints
- Modify infrastructure: create repos, delete resources, push code, send messages
- Bypass security controls: MCP tools are not covered by Claude Code's built-in permission model
Without monitoring, your security team has zero visibility into what MCP tools developers install, what those tools access, and whether they comply with your organization's security policies.
Agent Keeper closes this gap with a clear progression:
- Inventory: discover what MCP tools your team is using (automatic, all plans)
- Monitor: flag sensitive MCP activity in Runtime Shield and the activity feed (all plans)
- Enforce: block dangerous tools or restrict to an approved allowlist (Team plan)
- Segment: apply different policies per team via group overrides (Team plan)
Plan availability
| Feature | Free | Pro | Team |
|---|---|---|---|
| MCP skill detection and audit trail | Yes | Yes | Yes |
| Blocked skills policy | No | No | Yes |
| Allowed skills only (allowlist) | No | No | Yes |
| Warn-only skills | No | No | Yes |
| MCP Skill Inventory dashboard (reactive) | Yes | Yes | Yes |
| Proactive MCP server discovery | No | Yes | Yes |
| Group-based policy overrides | No | No | Yes |
MCP skill monitoring is available on all plans. Skill policy enforcement and group-based overrides require a Team plan with an Identity Provider connected.
Configuration examples
Monitor everything, block nothing
Start here. Enable log_all_tool_calls in your Claude Code policies and let the inventory populate for a week.
{
"blocked_skills": [],
"allowed_skills_only": [],
"warn_only_skills": ["mcp__filesystem", "mcp__postgres"],
"log_all_tool_calls": true
}
Block risky servers, allow the rest
After reviewing your inventory, block servers that access infrastructure or send external data.
{
"blocked_skills": [
"mcp__slack",
"mcp__email",
"mcp__filesystem__write_file"
],
"allowed_skills_only": [],
"warn_only_skills": []
}
Allowlist mode for high-security environments
Only permit the MCP tools your team explicitly needs. Everything else is denied.
{
"allowed_skills_only": [
"mcp__github",
"mcp__linear",
"mcp__postgres__execute_query"
],
"blocked_skills": [],
"warn_only_skills": []
}
FAQ
Does MCP skill monitoring add latency to tool calls? No. Policy checks are pure string matching against cached policy data. They add under 1ms to the hook evaluation.
What happens if a tool is in both the blocklist and the allowlist? The blocklist is evaluated first. A blocked skill is always denied, even if it appears in the allowed list.
Can I use wildcards in skill patterns?
Patterns support server-level prefix matching (e.g., mcp__github matches all GitHub tools) and exact tool matching. Glob-style wildcards are not currently supported.
Do built-in Claude Code tools (Bash, Read, Write) go through MCP skill checks?
No. Built-in tools are handled by the standard policy checks (blocked tools, blocked commands, blocked write paths). MCP skill policies only apply to tools with the mcp__ prefix.
How do I see which MCP servers my team has installed? The MCP Servers section on the Agent Skills page shows proactively discovered servers, populated at session start from each workstation's Claude Code settings files, before any tool has been called. The Security dashboard shows tool-level activity from actual invocations. See Agent Skills for details on how the scanner works.