Default-deny for the unknown
A tool that has not been registered and approved is not trusted. If policy does not explicitly allow the action, HELM denies it.
MCP quarantine
HELM treats unregistered MCP tools and external tool output as untrusted. When an agent reaches for an unknown tool, the action is denied by default and a quarantine receipt is preserved.
Unknown means untrusted. Untrusted means denied. Denied means recorded.
The default
When an agent can reach arbitrary MCP tools, every unknown tool carries its own blast radius. HELM closes that gap by treating the unknown as untrusted and denying its action until someone approves it.
HELM treats external tool output and MCP servers as untrusted unless explicitly normalized and approved, so unreviewed output cannot act on your behalf.
A quarantined tool call is not silent. The denial is bound to the policy that produced it and preserved as a receipt.
One path, walked through
Agent proposes: the agent invokes an unregistered MCP tool.
HELM checks policy: it quarantines the unknown tool and checks the proposed action against policy.
Verdict: DENY
Proof: quarantine receipt + EvidencePack
Quarantine lifecycle
Quarantine is not a dead end. It is a default-deny holding state with a clear path to approval.
Step 1: An agent reaches for an MCP tool that is not registered or not approved.
Step 2: HELM quarantines the unknown tool and checks the proposed action against policy.
Step 3: With no explicit allowance, the action is denied. Nothing runs.
Step 4: The denial and its policy are recorded as a quarantine receipt and EvidencePack.
Step 5: A reviewer can register and scope the tool. Only then does the action become eligible to run.
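The lifecycle above, reduced to a small gate that a practitioner could drop in front of any tool dispatcher. This is an added illustration, not HELM's own code or API: the registry, policy document, Receipt fields, HMAC key and function names are all assumptions chosen for the example. It shows the three outcomes the steps describe (unknown tool quarantined and denied, registered tool used outside its scope denied, explicitly allowed action permitted), binds each receipt to a hash of the policy that produced it, and verifies the receipt offline so that a tampered policy or receipt no longer checks out.

```python
"""Default-deny gate for MCP tool calls with a policy-bound receipt.

Added example; none of these names are HELM's own API.
"""
import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical registry: tool name -> set of approved actions (its scope).
# A tool absent from this table is unknown, therefore untrusted.
REGISTRY = {
    "fs.read": {"read"},
}

# Hypothetical policy document. Its SHA-256 is what every receipt binds to.
POLICY = {
    "id": "policy-example-1",
    "default": "DENY",
    "allow": [{"tool": "fs.read", "action": "read"}],
}

# Constructed signing key for the example; a real deployment would keep
# this in a KMS/HSM so receipts cannot be forged by the agent host.
RECEIPT_KEY = b"example-receipt-key-not-for-production"


def _canonical(obj) -> bytes:
    """Deterministic JSON so hashes and MACs are stable across runs."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def policy_digest(policy: dict) -> str:
    return hashlib.sha256(_canonical(policy)).hexdigest()


@dataclass(frozen=True)
class Receipt:
    verdict: str        # ALLOW or DENY
    tool: str           # the tool that asked
    action: str         # the proposed side effect
    reason: str
    policy_id: str
    policy_sha256: str  # binds the verdict to the policy that produced it
    quarantined: bool   # True when the tool itself was unknown


def evaluate(tool: str, action: str, policy=POLICY, registry=REGISTRY) -> Receipt:
    """Default-deny: only an explicit allowance on a registered, in-scope tool runs."""
    digest = policy_digest(policy)
    pid = policy["id"]
    if tool not in registry:
        # Step 1/2: unknown tool goes to quarantine; nothing is dispatched.
        return Receipt("DENY", tool, action, "unregistered tool quarantined", pid, digest, True)
    if action not in registry[tool]:
        # Registered, but the reviewer never scoped this action.
        return Receipt("DENY", tool, action, "action outside registered scope", pid, digest, False)
    for rule in policy.get("allow", []):
        if rule["tool"] == tool and rule["action"] == action:
            return Receipt("ALLOW", tool, action, "explicit policy allowance", pid, digest, False)
    # Step 3: no explicit allowance, so the policy default (DENY) applies.
    return Receipt(policy["default"], tool, action, "no explicit allowance", pid, digest, False)


def sign_receipt(receipt: Receipt, key: bytes = RECEIPT_KEY) -> dict:
    """Step 4: preserve the verdict as a tamper-evident record."""
    body = dataclasses.asdict(receipt)
    mac = hmac.new(key, _canonical(body), "sha256").hexdigest()
    return {"receipt": body, "mac": mac}


def verify_receipt(signed: dict, policy: dict, key: bytes = RECEIPT_KEY) -> bool:
    """Offline check: MAC intact and receipt bound to the policy we hold now."""
    expected = hmac.new(key, _canonical(signed["receipt"]), "sha256").hexdigest()
    mac_ok = hmac.compare_digest(expected, signed["mac"])
    return mac_ok and signed["receipt"]["policy_sha256"] == policy_digest(policy)


if __name__ == "__main__":
    # Constructed call from an agent reaching for a tool nobody registered.
    r = evaluate("shell.exec", "run")
    signed = sign_receipt(r)
    print(r.verdict, r.reason, "verified:", verify_receipt(signed, POLICY))
```

The registry answers "is this tool known and what may it do", the policy answers "is this action explicitly allowed", and the receipt carries the policy hash so that a later reviewer can prove which rules were in force when the call was refused; the same `verify_receipt` run against an edited policy fails, which is the property the page calls verifying outside any dashboard.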
The deny receipt
A blocked call that leaves no trace teaches you nothing. HELM preserves the denial so the attempt, the policy, and the source are all auditable later.
The proposed side effect and the tool that asked for it.
The policy that produced the deny, bound to the verdict.
The quarantine receipt and EvidencePack verify outside any dashboard.
Questions
It means an unregistered or unapproved MCP tool is treated as untrusted on contact. HELM quarantines the unknown tool, checks the proposed action against policy, and denies it by default. Nothing runs until the tool is explicitly registered and scoped.
A tool you have not reviewed can cause a side effect you did not intend. Denying by default means an unapproved action stops rather than proceeds, and the attempt is preserved as evidence instead of passing through unseen.
Yes. HELM treats external tool output and MCP servers as untrusted unless explicitly normalized and approved. Output from a quarantined source does not get to act on your behalf.
A quarantine receipt and EvidencePack record the denied action, the policy that denied it, and the source. Both verify offline, so the attempt is auditable later by anyone.
Terms
A small bundle of records used to verify one event or review path. Use for replayable evidence slices.
A record chain that helps replay and check what happened. Use for HELM proof records and replay paths.
HELM lets the action run. Use as a canonical verdict.
HELM blocks the action. Use as a canonical verdict.
HELM stops and asks for more facts, policy, or human approval. Use as the canonical non-dispatch path for missing facts, policy hold, or approval.
Bring one unregistered tool to the boundary and watch the default-deny verdict and its receipt.