I have token smart contract that is ERC20 compliant. It is now transferable via any software like MyEtherWallet and similar. I wondering is it possible to forbid token transfer and allow it only using my own site/tool?
2 Answers
You can create a special account trusted to perform token transfers and customize your smartcontract to reject transfers unless they originate from that trusted account. Your trusted site/tool must have access to unlocked private key of that account to initiate transfers.
To get more inspiration, have a look at https://github.com/OpenZeppelin/zeppelin-solidity/blob/master/contracts/ownership/Ownable.sol implementing concept of ownable tokens. It is used by https://github.com/OpenZeppelin/zeppelin-solidity/blob/master/contracts/token/ERC20/MintableToken.sol to restrict mint() operation to the owner. You could do the same for transfer operations.
You might also want to study how multi-signature wallets do their job, like https://github.com/gnosis/MultiSigWallet.
As the previous answer suggested you can put a msg.sender == self.admin type decorator to prevent transfers. However, I question precisely why you would want to do this ?
Most scam / rug pul contracts try to do similar not that I am suggesting that you are trying to pull off something similar but...