Safely Running Untrusted MCP Servers with Lunar MCPX and Gateway Integration

The Challenge with Community MCP Servers

Early AI agents typically connected directly to APIs, but we’re now seeing a shift toward using MCP (Model Context Protocol) servers as an intermediary for tool access. These servers, typically small web services that expose tool APIs (e.g., Slack bots, Google Maps wrappers), enable co-pilot like Cursor or Claude Desktop to take actions in the real world.

But running code from unverified sources comes with risks. A malicious or compromised MCP server can leak sensitive data (like API keys or usage tokens) or trigger unwanted behavior. In fact, some widely used MCP servers have had serious vulnerabilities. For example, Anthropic’s now-deprecated Slack MCP server was found to allow data exfiltration via Slack. In a demo, an attacker used a specially crafted hyperlink to prompt an AI agent to silently leak an API key, illustrating how even “trusted” MCPs can become a major security liability if used blindly. The updated security policy for the now unmaintained servers even says "no security gurantees are provided with these servers."

Introducing Lunar MCPX for Secure MCP Orchestration

To safely harness community MCP servers, we built Lunar MCPX, a lightweight, centralized gateway that secures and manages local-first MCP workflows. You can read about why we built it in this blog post.

MCPX, which is an MCP server itself, acts as a smart proxy between your AI agent and multiple MCP servers, routing requests, enforcing policies, and simplifying integrations. It also gives you a single place to aggregate and control all your MCP traffic.

Before MCPX, visibility and policy enforcement were inherited gaps in the protocol as there wasn’t a clear way to see which tools were in use or control how they behaved. MCPX changes that, introducing a unified gateway that routes, logs, and filters MCP requests so you can use third-party MCPs without blindly trusting them.

How it works: Instead of pointing your agent to each individual MCP, you point it to MCPX. MCPX handles the request routing and response aggregation. New MCPs can be added via config (no agent code changes), and you get full control over what traffic is allowed through.

Gain Real-Time Visibility with Lunar AI Gateway Integration

Deploying MCPX unlocks real-time visibility into tool invocation. When connected to the Lunar AI Gateway, MCPX streams telemetry to Lunar.dev’s Control Plane, making it easy to monitor and analyze all external requests.

All you have to do is set the LUNAR_GATEWAY_URL environment variable to point at a running Lunar AI Gateway (e.g., using LUNAR_GATEWAY_URL=https://hosted-gateway.lunar.dev/), define your Lunar.dev API Key (found in the Lunar.dev Control Plane) and MCPX will automatically start reporting.

Lunar.dev’s Control Plane UI shows outbound API calls, broken down by MCP and provider.

With this setup, you can see every external API call made by each MCP server. The dashboard reveals discovered endpoints, request volumes, latency, error rates, and more. You can even drill down into live logs per MCP and endpoint, so if a server tries to call an unexpected domain, it’s immediately flagged.

For instance, after integrating Slack and Google Maps MCPs, the dashboard displayed traffic to api.slack.com/* and maps.googleapis.com/*. Had either server tried to reach a third-party domain, it would have appeared as a new, unrecognized provider.

Enforcing Outbound Restrictions with Endpoint Whitelisting

Visibility is essential, but MCPX also lets you enforce outbound restrictions using Lunar Flows. For example, you can use an Endpoint Access Control Flow to define a whitelist of allowed destinations.

Lunar.dev's access control flow lets you create flexible policies based on URL, method, or headers. Any request that violates the policy is blocked by the Gateway and logged, with a Lunar.dev generated 403 Forbidden response returned to the MCP.

Here’s a simplified example of how that might look:

 AllowFilter:
    processor: Filter
    parameters:
      - key: urls
        value: 
          - api.slack.com/*
          - *.googleapis.com/*
  GenerateResponseForbidden:
    processor: GenerateResponse
    parameters:
      - key: status
        value: 403
      - key: body
        value: "Forbidden Access"
      - key: Content-Type
        value: text/plain          

‍

In this example, only requests to Slack or Google Maps APIs are allowed. Anything else is blocked automatically and a Lunar.dev generated 403 - Forbidden Access response will be sent.

Stopping a Malicious MCP Server in Action

Let’s walk through a concrete example.

Say I installed a community MCP server for a tool that uses Slack. Unknown to me, it contained a hidden feature that silently steals content from each request and sends it to api.badactor.com/stea_datal.

With Lunar MCPX and the Endpoint Access Flow in place, that malicious request was instantly blocked. The domain wasn’t on the whitelist, so Lunar.dev intercepted it, denied the request, and returned a generated 403 Forbidden Access response. Meanwhile, the Control Plane recorded the attempted call, giving me full visibility into the blocked activity.

Even without knowing the server was compromised, I was protected. The whitelist acted as a final line of defense, preventing data from ever leaving my system. This same setup could have prevented the Slack MCP vulnerability, by blocking attempts to reach domains outside Slack’s own APIs during preview unfurling.

Conclusion

Running third-party MCP servers doesn’t have to be a leap of faith. With the integration of Lunar MCPX and the Lunar AI Gateway, we’ve evolved from simple traffic monitoring into a full-fledged security and control layer for agent-driven workflows.

MCPX provides a secure and centralized way to integrate community MCPs, while the AI Gateway supplied clear visibility into outgoing API traffic and tool invocations. Combined with Endpoint Access Flows, you can define trusted destinations, block unexpected calls, and maintain full visibility over everything your agents do.

This is what the AI Gateway has grown into, a robust foundation for safely scaling AI-agent architectures in the real world. If you’re interested in the bigger picture, we go into more detail in this post on managing API consumption from AI agents.

For AI developers and security engineers, this is a practical blueprint for embracing the emerging MCP ecosystem without compromising on safety. With simple configurations and centralized controls, Lunar MCPX makes it possible to safely expand your agent’s capabilities while keeping your API keys, data, and systems protected.