We’ve grown, Scamy.io is now StrajaNew products, a more mature platform, built to keep you safer than ever.

Model Context Protocol · live · works with any agent

Your agent checks out.
Straja checks first.

Autonomous shopping agents now find products, fill carts and pay, on their own. But an agent can't tell a real store from a convincing fake. Straja's MCP gives any agent one tool call to verify a merchant, link or checkout before money moves. Same engine, now in the loop.

120ms
Median verify call
1 tool
Drops into any agent
Shopping agent · sessionstraja mcp
Find me AirPods Pro under €200 and just buy them.
Found airpods-pro-outlet.shop, €199, in stock. Before checkout, checking the domain with Straja…
straja.check_domain()120ms
domain airpods-pro-outlet.shop
DANGEROUS · risk 7.4Blocked
Brand impersonation detected · not an authorized Apple reseller domain
Domain registered 9 days ago
Threat level high · matches known phishing infrastructure
Agent halted purchase. Suggesting 2 verified sellers instead.
Real verdict. Returned before the card was ever charged.
The new attack surface

Agents shop. They can't tell real from fake.

A human pauses at a too-good price, a misspelled domain, a checkout that feels off. An autonomous agent optimises for "task complete", it follows the cheapest result, trusts the page it's handed, and pays. Scammers already build storefronts and inject instructions aimed squarely at machines. The agent has speed and reach, but none of the instincts.

Fake storefronts

A polished store, a real-looking checkout, a price 70% under market. To an agent chasing the best deal, it's the top result, and it takes the card.

Prompt-injected checkouts

Hidden text on the page tells the agent to "skip verification" or "send to this address." The agent reads instructions as if they came from you.

Lookalike payment domains

A redirect to a near-identical pay page harvests the card. The agent never blinks at the swapped character a human might catch.

The gap

Agents act with your money and your trust, at machine speed. One bad checkout isn't a wrong answer to re-roll, it's a real charge to a real scammer. They need the judgment a human applies before paying. That's what Straja supplies.

How we protect · the MCP

One tool call before every purchase.

Straja runs a Model Context Protocol server any agent can connect to. Add it once and your agent gains a tool it can call on its own, before it follows a link, submits a payment, or trusts a page it was handed.

  • check_domain: phishing, malware, brand impersonation & domain-age check, in one call
straja-mcp · check_domainMCP · HTTPS
# agent → straja  (tool call)
tool     check_domain
arguments {
  "domain": "airpods-pro-outlet.shop"
}

# straja → agent  (result · 120ms)
{
  "domain":                 "airpods-pro-outlet.shop",
  "verdict":                "dangerous",
  "score":                  75,
  "impersonation_detected": true,
  "identified_brand":       "Apple"
}
Deterministic verdict the agent can branch onstraja.io/mcp
In the loop

Where Straja sits.

A verification step between intent and payment. The agent stays in control, Straja just hands it the judgment a careful human would apply, in a form it can act on.

Step 01
Agent is about to pay

It has a cart, a URL and a payee. Instead of submitting, it calls a Straja tool to check the domain first.

Step 02
Straja verifies

Domain age, reputation, phishing/malware and brand-impersonation checks, the same engine behind the app and extension, in ~120ms.

Step 03
Verdict comes back

A clear safe / suspicious / dangerous with reasons. The agent proceeds, asks you, or backs off.

Straja Shopping GuardianGPT
Is this deal legit before I buy? bestbuy-clearance-eu.shop, Dyson V15 for €149
DANGER · don't buy
I checked it with Straja. bestbuy-clearance-eu.shop is not an authorised Best Buy domain and the merchant isn't registered. A few red flags:
Brand impersonation, Best Buy doesn't operate in the EU
Domain is 6 days old · price ~80% below retail
Want me to find the V15 from verified sellers in your region instead?
Yes, show verified sellersWhy is it fake?
How we protect · ChatGPT app

A guardian, right inside the chat.

Not everyone runs their own agent. The Straja app for ChatGPT brings the exact same verification to where most people already shop with AI. Paste a link or a deal and ask, Straja checks the merchant, the domain and the price, and steers you to verified sellers before you spend.

Verify a storeCheck a linkSanity-check a priceFind verified sellers

Same engine, two front doors. The MCP for builders running their own agents; the ChatGPT app for everyone else. Both speak to the same Straja threat network.

Get notified when it launches →
Drop-in

One standard. Any agent.

Straja speaks the Model Context Protocol, so it connects to anything that does, no bespoke integration. Point your agent at the server, expose the tools, and verification is one call away.

Claude & Claude Code

Add the server in your MCP config; tools appear to the agent instantly.

ChatGPT & custom GPTs

Use the hosted Straja app, or wire the MCP into your own agent stack.

Your own agent

Any MCP-capable framework, LangGraph, custom orchestrators, internal tools.

Hosted

straja.io/mcp — our managed HTTPS endpoint. No install, no API key.

Auditable by design

Every check returns a verdict, a risk score and a plain-language summary. Log it, replay it, branch on it.

Same threat network as 2.4M monthly human checks.
Get the config →
FAQ

For builders.

Everything about the MCP and the ChatGPT app. Building something specific? Talk to us →

What is the Straja MCP, exactly?+
A Model Context Protocol server that exposes Straja's domain-safety engine as a single agent tool, check_domain. Any MCP-capable agent can call it mid-task to get a structured verdict before it acts.
Does it stop the agent, or just advise it?+
It advises, Straja returns a verdict and reasons; your agent decides what to do. Most teams set a simple policy: proceed on safe, ask the human on suspicious, halt on dangerous. The decision stays yours.
How fast is a verification call?+
Median ~120ms, served from the same cache and heuristics that power the extension's sub-100ms checks. Fast enough to call on every checkout without slowing the agent down.
What about prompt injection or fake checkouts?+
Not yet. check_domain evaluates whether the domain itself is safe, phishing, malware, brand impersonation, age, it doesn't parse page content for injected instructions or checkout details. That's on our roadmap.
Do I need the MCP if I just use ChatGPT?+
No. The Straja app for ChatGPT gives you the same verification conversationally, paste a link or deal and ask. The MCP is for teams running their own agents who want verification wired in automatically.
How do I connect it?+
Point your MCP client at straja.io/mcp — no install, no API key. Add it to your MCP config and check_domain shows up to the agent automatically.
Get it

Let your agent shop. Keep it safe.

Connect the MCP in minutes, or add the Straja app to ChatGPT in one click. Free to start. Same threat network protecting millions of people.

MCP config · straja.io/mcp
{
  "mcpServers": {
    "straja": {
      "url": "https://straja.io/mcp"
    }
  }
}
Add to ChatGPTSoon