Optional parameter validation acts as a security guardrail for tool arguments. It helps prevent malicious input from being processed by the MCP server. This feature is particularly useful when handling untrusted user input that flows from prompts to tool arguments.

The following details describe how optional parameter validation works and when to enable it:
  • Configuration location—This feature is configured under runtime.tools.param_validation. A legacy alias exists, and a unified configuration location is planned for future releases.
  • Purpose—Use this feature only when user input is untrusted. It protects against harmful patterns such as script URLs, directory traversal, shell command chaining, and Carriage Return and Line Feed (CRLF) injection.
  • Default behavior—Parameter validation is disabled by default to avoid unnecessary restrictions in trusted environments.
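
The following added example (not part of the product or its documentation) sketches in Python how a guardrail of this kind can screen tool arguments for the four pattern classes listed above. The regular expressions, the function names, and the `enabled` flag are assumptions made for illustration; the server's actual rules are not given on this page.

```python
import re
from urllib.parse import unquote

# Assumed deny rules, one per pattern class named above. These are
# illustrative; the server's real rule set is not documented on this page.
RULES = {
    "script_url": re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.I),
    "directory_traversal": re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)"),
    "shell_chaining": re.compile(r"[;&|`]|\$\("),
    "crlf_injection": re.compile(r"[\r\n]"),
}

def _decode(value, rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f or %0d%0a are checked in clear."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_value(value):
    """Return the names of the rules that one string value violates."""
    text = _decode(value)
    return [name for name, rx in RULES.items() if rx.search(text)]

def validate_arguments(args, path="", enabled=False):
    """Walk nested tool arguments and return {argument path: [rule names]}.

    Off unless enabled=True, mirroring the disabled-by-default behavior.
    """
    if not enabled:
        return {}
    findings = {}
    if isinstance(args, dict):
        for key, val in args.items():
            child = f"{path}.{key}" if path else str(key)
            findings.update(validate_arguments(val, child, True))
    elif isinstance(args, list):
        for i, val in enumerate(args):
            findings.update(validate_arguments(val, f"{path}[{i}]", True))
    elif isinstance(args, str) and (hits := check_value(args)):
        findings[path] = hits
    return findings

# Constructed sample arguments, one per pattern class plus benign values.
SAMPLE = {"url": "JavaScript:alert(1)", "path": "reports/%2e%2e/%2e%2e/etc/passwd",
          "name": "a.txt; id", "header": "value%0d%0aSet-Cookie: a=b",
          "items": ["ok", "fine.txt"]}
```

A caller would reject the tool call whenever `validate_arguments(SAMPLE, enabled=True)` returns a non-empty mapping. The constructed shell rule also rejects ordinary text containing `&` or `;`, which is the kind of restriction that makes such checks unsuitable for trusted input.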