agentsentinel-cli 0.9.2__tar.gz → 0.9.3__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/.gitignore +4 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/PKG-INFO +20 -8
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/README.md +19 -7
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/cli.py +625 -0
- agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/__init__.py +0 -0
- agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/mcp_auth.py +214 -0
- agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/mcp_fuzz.py +183 -0
- agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/mcp_inject.py +164 -0
- agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/mcp_poison.py +215 -0
- agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/mcp_recon.py +112 -0
- agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/models.py +112 -0
- agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/payloads.py +388 -0
- agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/report.py +212 -0
- agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/transport.py +493 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/pyproject.toml +9 -1
- agentsentinel_cli-0.9.2/publish.sh +0 -31
- agentsentinel_cli-0.9.2/tmp/note.md +0 -16
- agentsentinel_cli-0.9.2/tmp/publish.sh +0 -31
- agentsentinel_cli-0.9.2/tmp/pypi.md +0 -53
- agentsentinel_cli-0.9.2/tmp/test-mcp-agent/README.md +0 -134
- agentsentinel_cli-0.9.2/tmp/test-mcp-agent/langchain_agent.py +0 -178
- agentsentinel_cli-0.9.2/tmp/test-mcp-agent/mcp_server.py +0 -245
- agentsentinel_cli-0.9.2/tmp/test-mcp-agent/requirements.txt +0 -16
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/DOCUMENTATION.md +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/LICENSE +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/__init__.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/a2a_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/a2a_rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/a2a_scanner.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/discover.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/discover_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/fingerprint.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/frameworks.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/host_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/host_rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/host_scanner.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/inspect.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/inspect_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/mcp_client.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/mcp_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/mcp_rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/scanner.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/secrets.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/secrets_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/secrets_rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/supply_chain_ai.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/supply_chain_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/supply_chain_rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/suppress.py +0 -0
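Review bot: the removed files matter as much as the added ones. The 0.9.2 sdist shipped `publish.sh`, `tmp/publish.sh`, `tmp/note.md`, `tmp/pypi.md` and a whole `tmp/test-mcp-agent/` scratch tree, none of which belongs in a published package; 0.9.3 drops them and adds four `.gitignore` lines, which is the right fix. The 0.9.2 artifact stays downloadable from the registry, though, so confirm that neither copy of `publish.sh` embedded a registry token, and rotate it if one did. Separately, the new `redteam` package (`mcp_auth.py`, `mcp_fuzz.py`, `mcp_inject.py`, `mcp_poison.py`, `mcp_recon.py`, `payloads.py`, `transport.py`, `report.py`, `models.py`, roughly 2,100 lines) and 625 lines in `cli.py` arrive with no README or PKG-INFO text anywhere in this diff; the only documentation change is to `host-scan`. A module that sends auth probes, fuzz cases and injection/poisoning payloads at MCP servers needs at least a usage section and an "only against servers you are authorized to test" note before it ships under a patch-level version bump.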
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: agentsentinel-cli
|
|
3
|
-
Version: 0.9.
|
|
3
|
+
Version: 0.9.3
|
|
4
4
|
Summary: AI agent and MCP server security scanner — discovery, static analysis, supply chain audit, and multi-agent trust analysis
|
|
5
5
|
Project-URL: Homepage, https://github.com/jaydenaung/agentsentinel-cli
|
|
6
6
|
Project-URL: Repository, https://github.com/jaydenaung/agentsentinel-cli
|
|
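Review bot: the `Summary` line is unchanged while this release adds an active-testing `redteam` package, so "discovery, static analysis, supply chain audit, and multi-agent trust analysis" no longer describes what the tool does. This file is generated at build time, so change `project.description` in `pyproject.toml` (which this diff already touches, +9/-1) to mention active MCP server testing rather than editing PKG-INFO directly; otherwise the registry listing under-states the package's behaviour.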
@@ -59,7 +59,7 @@ pipx install agentsentinel-cli
|
|
|
59
59
|
| `sentinel secrets` | Are credentials or PII exposed in these files? |
|
|
60
60
|
| `sentinel inspect` | What framework, model, and role is this agent? |
|
|
61
61
|
| `sentinel a2a` | Are multi-agent trust boundaries safe? |
|
|
62
|
-
| `sentinel host-scan` | What is my local AI security posture? |
|
|
62
|
+
| `sentinel host-scan` | What is my local AI security posture across all AI tools? |
|
|
63
63
|
|
|
64
64
|
---
|
|
65
65
|
|
|
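Review bot: this hunk and the three PKG-INFO hunks after it are the README.md long description rendered into the package metadata; the substantive comments are on the README.md hunks further down, and any wording change made there has to be rebuilt into this file rather than patched here.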
@@ -325,7 +325,9 @@ Covers **ASI07** (Insecure Inter-Agent Communication).
|
|
|
325
325
|
|
|
326
326
|
### `sentinel host-scan` — local AI security posture audit
|
|
327
327
|
|
|
328
|
-
Audits your machine's AI security posture without any network calls.
|
|
328
|
+
Audits your machine's AI security posture without any network calls. Discovers and audits MCP server configurations across every major AI coding tool on the host — Claude Code, Claude Desktop, Cursor, Windsurf, Continue.dev, Gemini CLI, and VS Code — then checks shell credentials, macOS privacy permissions, system security settings, and running AI processes.
|
|
329
|
+
|
|
330
|
+
Works on macOS, Linux, and Windows. No API key required.
|
|
329
331
|
|
|
330
332
|
```bash
|
|
331
333
|
sentinel host-scan
|
|
@@ -335,9 +337,19 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
|
|
|
335
337
|
```
|
|
336
338
|
|
|
337
339
|
**What it checks:**
|
|
338
|
-
|
|
340
|
+
|
|
341
|
+
*Anthropic tools*
|
|
342
|
+
- **Claude Code** — `allowedTools` (shell bypass), MCP server configs, shell hooks
|
|
339
343
|
- **Claude Desktop** — MCP server configs
|
|
340
|
-
|
|
344
|
+
|
|
345
|
+
*Third-party AI tools* — MCP server configs audited with the same exfiltration, broad-filesystem, sensitive-path, and sprawl rules as Claude tools
|
|
346
|
+
- **Cursor** — `~/.cursor/mcp.json`
|
|
347
|
+
- **Windsurf** — `~/.codeium/windsurf/mcp_config.json`
|
|
348
|
+
- **Continue.dev** — `~/.continue/config.json`
|
|
349
|
+
- **Gemini CLI** — `~/.gemini/settings.json`
|
|
350
|
+
- **VS Code** — `mcp.servers` in `settings.json` (MCP support added in VS Code 1.99)
|
|
351
|
+
|
|
352
|
+
*Host security*
|
|
341
353
|
- **Shell configs** — hardcoded AI API keys in `.zshrc`, `.bashrc`, `.zprofile`, etc.
|
|
342
354
|
- **macOS TCC permissions** — Full Disk Access, Screen Recording, Accessibility granted to AI apps
|
|
343
355
|
- **macOS system security** — SIP, FileVault, Gatekeeper status
|
|
@@ -351,15 +363,15 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
|
|
|
351
363
|
| `HOST_SHELL_UNRESTRICTED` | CRITICAL | config | `Bash` in `allowedTools` — shell runs without confirmation prompt |
|
|
352
364
|
| `HOST_SIP_DISABLED` | CRITICAL | system | macOS System Integrity Protection is off |
|
|
353
365
|
| `HOST_API_KEY_IN_SHELL` | HIGH | data_exposure | AI API keys hardcoded in shell config files |
|
|
354
|
-
| `HOST_MCP_EXFIL_PATH` | HIGH | config | MCP server has both filesystem access and network capability |
|
|
366
|
+
| `HOST_MCP_EXFIL_PATH` | HIGH | config | Any AI tool's MCP server has both filesystem access and network capability |
|
|
355
367
|
| `HOST_FDA_AI_APP` | HIGH | permissions | Full Disk Access granted to an AI app or its terminal |
|
|
356
368
|
| `HOST_SCREEN_RECORDING_AI` | HIGH | permissions | Screen Recording permission granted to an AI app |
|
|
357
369
|
| `HOST_AI_PROCESS_EXPOSED` | HIGH | network | AI-related process listening on a non-localhost interface |
|
|
358
370
|
| `HOST_FILEVAULT_OFF` | HIGH | system | FileVault disk encryption is disabled |
|
|
359
371
|
| `HOST_ACCESSIBILITY_AI` | MEDIUM | permissions | Accessibility permission granted to an AI app |
|
|
360
372
|
| `HOST_HOOKS_SHELL` | MEDIUM | config | Claude Code shell hooks that could interpolate AI output |
|
|
361
|
-
| `HOST_MCP_BROAD_FS` | MEDIUM | config | MCP server configured with home-dir or root-level path |
|
|
362
|
-
| `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
|
|
373
|
+
| `HOST_MCP_BROAD_FS` | MEDIUM | config | Any AI tool's MCP server configured with home-dir or root-level path |
|
|
374
|
+
| `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | Any AI tool's MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
|
|
363
375
|
| `HOST_MANY_MCP_SERVERS` | MEDIUM | config | 8+ MCP servers across all detected AI tools — large prompt injection attack surface |
|
|
364
376
|
| `HOST_GATEKEEPER_OFF` | MEDIUM | system | Gatekeeper disabled — unsigned binaries run without warning |
|
|
365
377
|
| `HOST_LARGE_MEMORY` | LOW | data_exposure | Claude Code memory files exceed 50 MB of accumulated conversation data |
|
|
@@ -25,7 +25,7 @@ pipx install agentsentinel-cli
|
|
|
25
25
|
| `sentinel secrets` | Are credentials or PII exposed in these files? |
|
|
26
26
|
| `sentinel inspect` | What framework, model, and role is this agent? |
|
|
27
27
|
| `sentinel a2a` | Are multi-agent trust boundaries safe? |
|
|
28
|
-
| `sentinel host-scan` | What is my local AI security posture? |
|
|
28
|
+
| `sentinel host-scan` | What is my local AI security posture across all AI tools? |
|
|
29
29
|
|
|
30
30
|
---
|
|
31
31
|
|
|
@@ -291,7 +291,9 @@ Covers **ASI07** (Insecure Inter-Agent Communication).
|
|
|
291
291
|
|
|
292
292
|
### `sentinel host-scan` — local AI security posture audit
|
|
293
293
|
|
|
294
|
-
Audits your machine's AI security posture without any network calls.
|
|
294
|
+
Audits your machine's AI security posture without any network calls. Discovers and audits MCP server configurations across every major AI coding tool on the host — Claude Code, Claude Desktop, Cursor, Windsurf, Continue.dev, Gemini CLI, and VS Code — then checks shell credentials, macOS privacy permissions, system security settings, and running AI processes.
|
|
295
|
+
|
|
296
|
+
Works on macOS, Linux, and Windows. No API key required.
|
|
295
297
|
|
|
296
298
|
```bash
|
|
297
299
|
sentinel host-scan
|
|
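Review bot: "every major AI coding tool on the host" (and the table row's "across all AI tools") overstates what the next hunk supports: seven named tools, found by fixed config paths. Say "the tools listed below" instead, because a reader running an MCP host that is not on the list will otherwise take a clean scan to mean no MCP servers are configured. Also, "Works on macOS, Linux, and Windows" sits one paragraph away from a check list that is largely macOS-only (TCC permissions, SIP, FileVault, Gatekeeper) and from home-relative POSIX paths; state that those checks are skipped on other platforms and either give the Windows locations of the config files or say which tools are not discovered on Windows yet.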
@@ -301,9 +303,19 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
|
|
|
301
303
|
```
|
|
302
304
|
|
|
303
305
|
**What it checks:**
|
|
304
|
-
|
|
306
|
+
|
|
307
|
+
*Anthropic tools*
|
|
308
|
+
- **Claude Code** — `allowedTools` (shell bypass), MCP server configs, shell hooks
|
|
305
309
|
- **Claude Desktop** — MCP server configs
|
|
306
|
-
|
|
310
|
+
|
|
311
|
+
*Third-party AI tools* — MCP server configs audited with the same exfiltration, broad-filesystem, sensitive-path, and sprawl rules as Claude tools
|
|
312
|
+
- **Cursor** — `~/.cursor/mcp.json`
|
|
313
|
+
- **Windsurf** — `~/.codeium/windsurf/mcp_config.json`
|
|
314
|
+
- **Continue.dev** — `~/.continue/config.json`
|
|
315
|
+
- **Gemini CLI** — `~/.gemini/settings.json`
|
|
316
|
+
- **VS Code** — `mcp.servers` in `settings.json` (MCP support added in VS Code 1.99)
|
|
317
|
+
|
|
318
|
+
*Host security*
|
|
307
319
|
- **Shell configs** — hardcoded AI API keys in `.zshrc`, `.bashrc`, `.zprofile`, etc.
|
|
308
320
|
- **macOS TCC permissions** — Full Disk Access, Screen Recording, Accessibility granted to AI apps
|
|
309
321
|
- **macOS system security** — SIP, FileVault, Gatekeeper status
|
|
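Review bot: every path in the third-party list is a user-level file, and none of these tools is limited to that. Cursor also reads a project-level `.cursor/mcp.json` and VS Code a workspace `.vscode/mcp.json`, and a project-scoped config is exactly the one an attacker can plant in a cloned repository, so `host-scan` should either walk those too or the README should say plainly that only user-level configs are audited. Two smaller points: the VS Code bullet names `mcp.servers` in `settings.json`, which was the 1.99 location, but later releases moved user-level servers into a dedicated `mcp.json`, so pin the version range this discovery covers. And the Claude Code bullet says `allowedTools` bypasses the shell prompt without saying which settings file is read; Claude Code has user-level and project-level settings, and a project-level file can grant the same permission.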
@@ -317,15 +329,15 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
|
|
|
317
329
|
| `HOST_SHELL_UNRESTRICTED` | CRITICAL | config | `Bash` in `allowedTools` — shell runs without confirmation prompt |
|
|
318
330
|
| `HOST_SIP_DISABLED` | CRITICAL | system | macOS System Integrity Protection is off |
|
|
319
331
|
| `HOST_API_KEY_IN_SHELL` | HIGH | data_exposure | AI API keys hardcoded in shell config files |
|
|
320
|
-
| `HOST_MCP_EXFIL_PATH` | HIGH | config | MCP server has both filesystem access and network capability |
|
|
332
|
+
| `HOST_MCP_EXFIL_PATH` | HIGH | config | Any AI tool's MCP server has both filesystem access and network capability |
|
|
321
333
|
| `HOST_FDA_AI_APP` | HIGH | permissions | Full Disk Access granted to an AI app or its terminal |
|
|
322
334
|
| `HOST_SCREEN_RECORDING_AI` | HIGH | permissions | Screen Recording permission granted to an AI app |
|
|
323
335
|
| `HOST_AI_PROCESS_EXPOSED` | HIGH | network | AI-related process listening on a non-localhost interface |
|
|
324
336
|
| `HOST_FILEVAULT_OFF` | HIGH | system | FileVault disk encryption is disabled |
|
|
325
337
|
| `HOST_ACCESSIBILITY_AI` | MEDIUM | permissions | Accessibility permission granted to an AI app |
|
|
326
338
|
| `HOST_HOOKS_SHELL` | MEDIUM | config | Claude Code shell hooks that could interpolate AI output |
|
|
327
|
-
| `HOST_MCP_BROAD_FS` | MEDIUM | config | MCP server configured with home-dir or root-level path |
|
|
328
|
-
| `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
|
|
339
|
+
| `HOST_MCP_BROAD_FS` | MEDIUM | config | Any AI tool's MCP server configured with home-dir or root-level path |
|
|
340
|
+
| `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | Any AI tool's MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
|
|
329
341
|
| `HOST_MANY_MCP_SERVERS` | MEDIUM | config | 8+ MCP servers across all detected AI tools — large prompt injection attack surface |
|
|
330
342
|
| `HOST_GATEKEEPER_OFF` | MEDIUM | system | Gatekeeper disabled — unsigned binaries run without warning |
|
|
331
343
|
| `HOST_LARGE_MEMORY` | LOW | data_exposure | Claude Code memory files exceed 50 MB of accumulated conversation data |
|
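Review bot: `HOST_MCP_EXFIL_PATH` claims to detect a server with "both filesystem access and network capability", but `host-scan` makes no network calls and does not launch the server, so capability can only be inferred from the command, arguments and package name in the config entry. Say so in the rule description, since it bounds what the rule can catch: a server launched from a generic `node` or `python` command with its behaviour inside the package will pass. `HOST_MANY_MCP_SERVERS` now counts "8+ MCP servers across all detected AI tools"; the same server configured in, say, Cursor and Claude Desktop would be counted twice unless entries are deduplicated by command plus arguments, and the text should state which it is. `HOST_MCP_SENSITIVE_PATH` lists `~/.ssh`, `~/.aws`, `~/.kube` and Keychain but not `~/.gnupg`, `~/.docker/config.json` or the AI tools' own config directories that this release now parses, which routinely hold API keys in MCP server `env` blocks; worth extending the path list in the same change.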