Which MCP Client is Being Attacked? How Navil's Agent Identity System Works
You see an alert: "data exfiltration on navil-database (5x baseline)." Immediate question: which client triggered it?
If you're running multiple MCP clients (OpenClaw, Cursor, Claude Desktop), all connected to the same servers, this becomes critical. You need to know which one.
Navil solves this with agent identities.
Agent Identity Basics
Each wrapped MCP server gets a unique agent identity derived from the server name in your config. This identity appears on every alert, every log, every metric.
OpenClaw config:
{
  "mcpServers": {
    "filesystem": { ... },
    "github": { ... },
    "slack": { ... }
  }
}
Agents created:
- navil-filesystem
- navil-github
- navil-slack
When wrapped, these servers report anomalies tagged with their agent identity. Your dashboard groups alerts by agent, not by MCP server name.
The Visibility Gap
Here's the problem: If OpenClaw and Cursor both connect to the same "github" MCP server, you can't tell which client triggered an alert.
OpenClaw wraps -> "github" -> agent: navil-github
Cursor wraps -> "github" -> agent: navil-github
^ Same identity!
Dashboard shows a navil-github alert. Is it OpenClaw or Cursor? Unknown.
The Fix: --agent-prefix
Use --agent-prefix to namespace agent identities by client.
# Wrap OpenClaw
navil wrap ~/.openclaw/config.json --agent-prefix openclaw
# Wrap Cursor
navil wrap ~/.cursor/mcp.json --agent-prefix cursor
Now agents are:
- openclaw-filesystem
- openclaw-github
- openclaw-slack
- cursor-filesystem
- cursor-github
- cursor-slack
Same servers. Different prefixes. Full visibility into which client + server combo is misbehaving.
What This Enables
Per-Client Baselines: Cursor's normal filesystem traffic is not the same as OpenClaw's normal filesystem traffic. With separate agent identities, Navil learns per-client baselines and detects anomalies with higher precision.
Per-Client Policies: Write policies that target specific clients.
{
  "agents": ["cursor-*"],
  "rules": [
    {
      "type": "ratelimit",
      "calls_per_minute": 100
    }
  ]
}
Give Cursor strict rate limits. Give OpenClaw higher limits. Same server, different rules.
Fleet Debugging at Scale: Running 100 clients x 10 servers? That's 1,000 unique agent identities. You can pinpoint which client + server combo is exfiltrating data, which one is making malicious queries, which one hit a quota.
Real-World Example
You're running a team environment. Five people, each using Claude Desktop with three shared MCP servers (filesystem, slack, database).
Without prefixes: 3 agent identities. Alerts are noisy and undifferentiated.
With prefixes:
navil wrap ~/.claude/mcp.json --agent-prefix alice
navil wrap ~/.claude/mcp.json --agent-prefix bob
navil wrap ~/.claude/mcp.json --agent-prefix charlie
# ... etc
Now you have 15 agent identities. You see "charlie-database anomaly: 10x write volume." You know exactly which person's session triggered it.
Under the Hood: Privacy
Agent identities are hashed with HMAC-SHA256 before any cloud sync. Navil Cloud never sees your actual server names or client names -- only the hashed identities. You get full observability while protecting config privacy.
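An added example (not Navil's code) that reproduces the identity collision from "The Visibility Gap", shows that per-client prefixes remove it, and applies HMAC-SHA256 to the resulting identities. The `<prefix>-<server>` format and the default `navil` prefix come from the examples above; the sample client configs, the key, the hex encoding and all function names are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample: two clients whose configs list the same MCP server names.
CLIENT_SERVERS = {
    "openclaw": ["filesystem", "github", "slack"],
    "cursor": ["filesystem", "github"],
}

def agent_ids(servers, prefix="navil"):
    """Identity format shown on the page: <prefix>-<server name>."""
    return [f"{prefix}-{name}" for name in servers]

def ambiguous_ids(client_servers, per_client_prefix):
    """Return {identity: clients} for identities reported by more than one client."""
    owners = defaultdict(set)
    for client, servers in client_servers.items():
        prefix = client if per_client_prefix else "navil"
        for ident in agent_ids(servers, prefix):
            owners[ident].add(client)
    return {i: sorted(c) for i, c in owners.items() if len(c) > 1}

def pseudonymize(identity, key):
    """HMAC-SHA256 of the identity; key handling and hex output are assumptions."""
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()

def resolve(hashed, known_identities, key):
    """With the key, map a hashed identity back to a locally known name."""
    for ident in known_identities:
        if hmac.compare_digest(pseudonymize(ident, key), hashed):
            return ident
    return None  # wrong key or unknown identity: guessing names does not help

if __name__ == "__main__":
    key = b"constructed-local-key"  # placeholder; a real key stays on the host
    print("default prefix :", ambiguous_ids(CLIENT_SERVERS, False))
    print("client prefixes:", ambiguous_ids(CLIENT_SERVERS, True))
    local = [i for c, s in CLIENT_SERVERS.items() for i in agent_ids(s, c)]
    alert = pseudonymize("cursor-github", key)
    print("alert", alert[:16], "->", resolve(alert, local, key))
```

The keyed hash is what matters here: names such as `cursor-github` are easy to guess, so an unkeyed SHA-256 of them could be reversed by trying candidates, while the HMAC output only resolves for someone holding the key.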
When to Use
Always use --agent-prefix if:
- You have multiple MCP clients
- Any servers are shared across clients
- You're in a team environment
- You need to debug anomalies at the client level
For single-client setups, it's optional but still recommended for future-proofing.
Command Reference
# Single agent prefix for all servers
navil wrap config.json --agent-prefix myprefix
# Preview changes
navil wrap config.json --agent-prefix myprefix --dry-run
# Combine with other flags
navil wrap config.json --agent-prefix myprefix --policy policy.json --only github,database
Next Steps
Check your current setup. If you're running multiple clients, wrap each with its own prefix. Then run one test request through each client and watch the agent identities populate in your dashboard.
You'll immediately see the difference.
Learn more: See agent identity configuration for advanced options like custom identity formats and per-agent policy overrides.