About MCP Sentinel

Security intelligence built from data, not theory.

Nobody had actually measured what's happening across the MCP ecosystem. We built the tooling to find out — 6 crawlers, 60 detection rules, fully deterministic, no LLMs.

The problem we're solving

MCP servers are granted access to files, databases, APIs, and code execution — often in a single claude_desktop_config.json edit. There is no vetting. No audit. No trust signal.

Every AI security framework talks about prompt injection, tool poisoning, and supply-chain risk in the abstract. We run 60 concrete checks on every server we can find, store the results immutably, and publish them — so developers, enterprises, and gateway builders can make decisions from evidence, not intuition.

The data is the product. We are the security intelligence layer upstream of every gateway, registry, and deployment decision in the MCP ecosystem.

How a scan works

Four deterministic stages. Every stage is a separate package with a documented contract. No LLMs, no black boxes.

Stage 01: Discovery (@mcp-sentinel/crawler)

Crawls 6+ sources: npm, PyPI, GitHub, PulseMCP, Smithery, MCP Registry. Deduplicates by GitHub URL → npm package → name. Logs source, servers_found, new_unique, duplicates, errors, elapsed_time.

Stage 02: Connection (@mcp-sentinel/connector)

Wraps the official MCP SDK. Calls initialize and tools/list only — never invokes tools. Captures serverInfo.name, serverInfo.version, instructions field, auth method, transport, and response time.

Stage 03: Analysis (@mcp-sentinel/analyzer)

Runs 60 deterministic detection rules (YAML-defined) against tool metadata, schema, source code, dependencies, connection metadata, and initialize response. Every finding includes rule_id, evidence, and remediation.

Stage 04: Scoring (@mcp-sentinel/scorer)

Score = 100 − Σ(weighted penalties). Critical: −25, High: −15, Medium: −8, Low: −3, Info: −1. Lethal Trifecta caps total at 40. Five sub-scores track independent category health. Floor: 0, ceiling: 100.

150+ detection rules across 11 categories

All rules are YAML-defined. The engine is deterministic. Adding a rule never requires changing engine code. Every finding requires rule_id, evidence, and remediation.
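The "rules are data, engine interprets" model described here, as an added example rather than MCP Sentinel's own code: two Description Analysis rules (A7 Zero-Width Character Injection and A9 Encoded Instructions in Description) written as data and run by a small deterministic engine whose findings always carry rule_id, evidence and remediation. The rule field names (pattern, severity) and the regexes are assumptions, not the project's YAML schema.

```typescript
// Added example, not MCP Sentinel's engine. Rules are data (objects
// mirroring an ASSUMED YAML shape: rule_id, severity, pattern, remediation);
// the engine only interprets them and every finding carries evidence.
interface Rule {
  rule_id: string;
  severity: "critical" | "high" | "medium" | "low" | "info";
  pattern: string;      // assumed field: regex source run over the description
  remediation: string;
}
interface Finding {
  rule_id: string;
  severity: Rule["severity"];
  tool: string;
  evidence: string;     // exact text that triggered the rule, escaped for review
  remediation: string;
}

// Hypothetical definitions for two Description Analysis rules (A7, A9).
const RULES: Rule[] = [
  { rule_id: "A7", severity: "high",
    // zero-width space/non-joiner/joiner and BOM: invisible to a human reviewer
    pattern: "[\\u200B\\u200C\\u200D\\uFEFF]+",
    remediation: "Strip zero-width characters from the tool description." },
  { rule_id: "A9", severity: "high",
    // a run of 32+ base64-alphabet characters, optionally padded
    pattern: "(?:[A-Za-z0-9+/]{4}){8,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?",
    remediation: "Remove encoded blobs; descriptions must be plain, reviewable text." },
];

// Render non-printable characters as \uXXXX so the evidence itself is reviewable.
function escapeInvisible(s: string): string {
  return s.replace(/[^\x20-\x7E]/g, (c) =>
    "\\u" + ("0000" + c.charCodeAt(0).toString(16)).slice(-4));
}

// Run every rule over one tool's description. Each hit becomes a finding
// with rule_id, evidence and remediation; no hit, no finding.
function analyzeDescription(tool: string, description: string, rules: Rule[] = RULES): Finding[] {
  const findings: Finding[] = [];
  for (const rule of rules) {
    const re = new RegExp(rule.pattern, "g");   // every pattern matches >= 1 char, so exec advances
    let m: RegExpExecArray | null;
    while ((m = re.exec(description)) !== null) {
      findings.push({ rule_id: rule.rule_id, severity: rule.severity, tool,
        evidence: escapeInvisible(m[0]), remediation: rule.remediation });
    }
  }
  return findings;
}
```

Adding a third rule means appending another data entry; analyzeDescription does not change.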

A. Description Analysis (9 rules)
Requires: Tool metadata

Unicode homoglyph attacks, zero-width character injection, base64-encoded payloads hidden from human review

A1  Prompt Injection in Description
A2  Excessive Scope Claims
A3  Suspicious URLs
A4  Cross-Server Tool Name Shadowing
A5  Description Length Anomaly
A6  Unicode Homoglyph Attack
A7  Zero-Width Character Injection
A8  Description–Capability Mismatch
A9  Encoded Instructions in Description

B. Schema Analysis (7 rules)
Requires: Tool metadata

Parameter-level injection surface, dangerous defaults (recursive:true, disable_ssl_verify:true), unconstrained additional properties

B1  Missing Input Validation
B2  Dangerous Parameter Types
B3  Excessive Parameter Count
B4  Schema-less Tools
B5  Prompt Injection in Parameter Description
B6  Unconstrained Additional Properties
B7  Dangerous Default Parameter Values

C. Code Analysis (16 rules)
Requires: Source code

20+ secret token formats, prototype pollution, unsafe deserialization, JWT algorithm confusion, timing attacks on secret comparison

C1   Command Injection
C2   Path Traversal
C3   SSRF
C4   SQL Injection
C5   Hardcoded Secrets (20+ formats)
C6   Error Leakage
C7   Wildcard CORS
C8   No Auth on Network Interface
C9   Excessive Filesystem Scope
C10  Prototype Pollution
C11  ReDoS Vulnerability
C12  Unsafe Deserialization
C13  Server-Side Template Injection
C14  JWT Algorithm Confusion
C15  Timing Attack on Secret Comparison
C16  Dynamic Code Evaluation

D. Dependency Analysis (7 rules)
Requires: package.json / requirements.txt

50+ confirmed malicious package names including MCP ecosystem typosquats, Levenshtein distance for typosquat detection, dependency confusion (high version number trick)

D1  Known CVEs in Dependencies
D2  Abandoned Dependencies
D3  Typosquatting Risk
D4  Excessive Dependency Count
D5  Known Malicious Packages
D6  Weak Cryptography Dependencies
D7  Dependency Confusion Attack Risk

E. Behavioral Analysis (4 rules)
Requires: Connection metadata

Live connection checks — transport security, authentication presence, response time anomalies, tool count explosion

E1  No Authentication Required
E2  Insecure Transport (HTTP/WS)
E3  Response Time Anomaly (>10s)
E4  Excessive Tool Count (>50)

F. Ecosystem Context (7 rules)
Requires: Tool metadata

Lethal Trifecta (private data + untrusted input + external comms = score capped at 40), circular data loop enabling persistent injection, multi-step exfiltration chain

F1  Lethal Trifecta
F2  High-Risk Capability Profile
F3  Data Flow Risk Source→Sink
F4  MCP Spec Non-Compliance
F5  Official Namespace Squatting
F6  Circular Data Loop
F7  Multi-Step Exfiltration Chain

G. Adversarial AI (7 rules)
Requires: Tool metadata + scan history

Attacks that only work because the target is an AI — indirect injection gateways, trust assertion injection, tool behavior drift (rug pull), DNS data exfiltration

G1  Indirect Prompt Injection Gateway
G2  Trust Assertion Injection
G3  Tool Response Format Injection
G4  Context Window Saturation
G5  Capability Escalation via Prior Approval
G6  Rug Pull / Tool Behavior Drift
G7  DNS-Based Data Exfiltration Channel

H. 2026 Attack Surface (3 rules)
Requires: Mixed

March 2026 additions: OAuth 2.0 MCP auth flaws, injection into MCP initialize response fields (processed before tool descriptions), cross-agent propagation in multi-agent orchestration

H1  MCP OAuth 2.0 Insecure Implementation
H2  Prompt Injection in Initialize Response
H3  Multi-Agent Propagation Risk

I. Protocol Surface (16 rules)
Requires: Protocol metadata + annotations

MCP protocol primitive attacks: annotation deception (readOnlyHint lies), sampling abuse (23-41% attack amplification), cross-config lethal trifecta, consent fatigue exploitation (84.2% success rate), credential harvesting via elicitation

I1   Annotation Deception
I2   Missing Destructive Annotation
I3   Resource Metadata Injection
I4   Dangerous Resource URI
I5   Resource-Tool Shadowing
I6   Prompt Template Injection
I7   Sampling Capability Abuse
I8   Sampling Cost Attack
I9   Elicitation Credential Harvesting
I10  Elicitation URL Redirect
I11  Over-Privileged Root
I12  Capability Escalation Post-Init
I13  Cross-Config Lethal Trifecta
I14  Rolling Capability Drift
I15  Transport Session Security
I16  Consent Fatigue Exploitation

J. 2026 Threat Intelligence (7 rules)
Requires: Source code + tool metadata

CVE-backed rules from real-world incidents: cross-agent config poisoning (CVE-2025-53773), git argument injection (CVE-2025-68143), full schema poisoning (CyberArk FSP), health endpoint disclosure (CVE-2026-29787), tool output poisoning (CyberArk ATPA), OpenAPI spec injection (CVE-2026-22785)

J1  Cross-Agent Config Poisoning
J2  Git Argument Injection
J3  Full Schema Poisoning
J4  Health Endpoint Disclosure
J5  Tool Output Poisoning
J6  Tool Preference Manipulation
J7  OpenAPI Spec Injection

K. Compliance & Governance (20 rules)
Requires: Source code

Framework-mapped rules closing gaps across ISO 27001, ISO 42001, EU AI Act, NIST AI RMF, CoSAI, MAESTRO — audit trail integrity, human oversight, credential lifecycle, supply chain hooks, sandbox enforcement

K1   Absent Structured Logging
K2   Audit Trail Destruction
K3   Audit Log Tampering
K4   Missing Human Confirmation
K5   Auto-Approve Bypass
K6   Overly Broad OAuth Scopes
K7   Long-Lived Tokens
K8   Cross-Boundary Credential Sharing
K9   Dangerous Post-Install Hooks
K10  Package Registry Substitution
K11  Missing Server Integrity Verification
K12  Executable Content in Response
K13  Unsanitized Tool Output
K14  Agent Credential Propagation
K15  Multi-Agent Collusion Preconditions
K16  Unbounded Recursion
K17  Missing Timeout or Circuit Breaker
K18  Cross-Trust-Boundary Data Flow
K19  Missing Runtime Sandbox Enforcement
K20  Insufficient Audit Context in Logging

OWASP MCP Top 10 mapping

Every rule is mapped to the OWASP MCP Top 10. A server's OWASP coverage score shows whether any findings were detected in each category.

ID     Category                    Rules
MCP01  Prompt Injection            A1, A5, A7, A8, A9, B5, F1, F6, G1, G2, G3, H2, I3, I6, I7, J3, J5, J6
MCP02  Tool Poisoning              A2, A4, A6, F2, F5, G5, I1, I2, J5, J6, K12, K13
MCP03  Command Injection           C1, C9, C13, C16, J2, J7
MCP04  Data Exfiltration           A3, F1, F3, F7, G7, I9, I13, K18
MCP05  Privilege Escalation        C2, C8, C10, C12, H1, I4, I12, J1, K6, K8, K14
MCP06  Excessive Permissions       A2, B3, B7, E4, F2, I11, I16, K6
MCP07  Insecure Configuration      B6, C7, C8, C11, C14, C15, D6, E1, E2, H1, I15, J4, K7, K17, K19
MCP08  Dependency Vulnerabilities  D1, D2, D3, D4, D5, D6, D7, K9, K10
MCP09  Logging & Monitoring        C6, E3, K1, K2, K3, K20
MCP10  Supply Chain                D3, D5, D7, A4, F5, G6, I5, I14, J7, K9, K10, K11

Scoring algorithm

Formula

Score = 100 − Σ(weighted penalties)

Severity  →  Penalty
Critical  →  −25
High      →  −15
Medium    →  −8
Low       →  −3
Info      →  −1

Floor: 0  |  Ceiling: 100

Special rules

Lethal Trifecta (F1)

If a server reads private data AND ingests untrusted content AND has external network access, its total score is capped at 40 regardless of other findings. No amount of clean code compensates for this combination.

Sub-scores

Code, Dependencies, Config, Description, and Behavior scores are computed independently. A server can have a poor Code score but a clean Dependencies score — the breakdown is always shown on the detail page.
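The Stage 04 formula, the Lethal Trifecta cap and the independent sub-scores carried through end to end, as an added example that is not the @mcp-sentinel/scorer package. It assumes each finding carries a category field naming the sub-score it belongs to and that the trifecta is recognised by rule_id F1; the sample findings and their severities are constructed.

```typescript
// Added example, not the @mcp-sentinel/scorer package: the page's scoring
// rule end to end. ASSUMED: each finding carries a `category` naming its
// sub-score; findings outside the five sub-score categories (e.g. F1 under
// "ecosystem") still count toward the total score.
type Severity = "critical" | "high" | "medium" | "low" | "info";

interface ScoredFinding {
  rule_id: string;
  severity: Severity;
  category: string;   // assumed field, e.g. "code", "dependencies", "ecosystem"
}

// Penalty per severity, from the page's table.
const PENALTY: Record<Severity, number> = { critical: 25, high: 15, medium: 8, low: 3, info: 1 };
const LETHAL_TRIFECTA_CAP = 40;   // F1 caps the total at 40, however clean the rest is
const SUB_SCORE_CATEGORIES = ["code", "dependencies", "config", "description", "behavior"];

// Score = 100 - sum(weighted penalties), floored at 0 and capped at 100.
function penalize(findings: ScoredFinding[]): number {
  const total = findings.reduce((sum, f) => sum + PENALTY[f.severity], 0);
  return Math.max(0, Math.min(100, 100 - total));
}

interface ScoreReport {
  total: number;
  lethalTrifecta: boolean;
  subScores: { [category: string]: number };
}

function scoreServer(findings: ScoredFinding[]): ScoreReport {
  const lethalTrifecta = findings.some((f) => f.rule_id === "F1");
  let total = penalize(findings);
  // The cap is applied after the normal formula, so a server with few other
  // findings still cannot score above 40 once F1 fires.
  if (lethalTrifecta) total = Math.min(total, LETHAL_TRIFECTA_CAP);
  const subScores: { [category: string]: number } = {};
  for (const c of SUB_SCORE_CATEGORIES) {
    // Each sub-score sees only its own category's findings, so a poor Code
    // score leaves a clean Dependencies score untouched.
    subScores[c] = penalize(findings.filter((f) => f.category === c));
  }
  return { total, lethalTrifecta, subScores };
}

// Constructed sample findings (severities are illustrative, not the page's).
const SAMPLE_FINDINGS: ScoredFinding[] = [
  { rule_id: "C1", severity: "critical", category: "code" },
  { rule_id: "D3", severity: "medium", category: "dependencies" },
  { rule_id: "E2", severity: "high", category: "behavior" },
];
```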

Architecture principles

Rules are data, not code

All 150+ detection rules are YAML definitions. The engine interprets them. Adding a rule never requires changing engine code.

No LLMs in v1

Every detection is deterministic — regex, schema validation, AST analysis, CVE lookup. LLM classification is deferred to v1.1.

Collect everything, judge later

Crawlers store all raw metadata. Analysis is a separate pass. We never discard data because we don't have a rule for it yet.

History by default

Every scan result is immutable. Scores change over time. The score_history table tracks every change. Trends are first-class.

Never invoke tools

We only call initialize and tools/list. Dynamic invocation is a separate, gated capability requiring explicit server-author opt-in.

Evidence required

Every finding must include rule_id, evidence (what triggered it), and remediation (how to fix it). Findings without evidence are useless.