agentsentinel-cli 0.9.2__tar.gz → 0.9.4__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/.gitignore +4 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/PKG-INFO +114 -14
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/README.md +113 -13
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/cli.py +638 -0
- agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/__init__.py +0 -0
- agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/mcp_auth.py +214 -0
- agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/mcp_fuzz.py +183 -0
- agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/mcp_inject.py +164 -0
- agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/mcp_poison.py +215 -0
- agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/mcp_recon.py +112 -0
- agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/models.py +112 -0
- agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/payloads.py +388 -0
- agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/report.py +212 -0
- agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/transport.py +499 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/pyproject.toml +9 -1
- agentsentinel_cli-0.9.2/publish.sh +0 -31
- agentsentinel_cli-0.9.2/tmp/note.md +0 -16
- agentsentinel_cli-0.9.2/tmp/publish.sh +0 -31
- agentsentinel_cli-0.9.2/tmp/pypi.md +0 -53
- agentsentinel_cli-0.9.2/tmp/test-mcp-agent/README.md +0 -134
- agentsentinel_cli-0.9.2/tmp/test-mcp-agent/langchain_agent.py +0 -178
- agentsentinel_cli-0.9.2/tmp/test-mcp-agent/mcp_server.py +0 -245
- agentsentinel_cli-0.9.2/tmp/test-mcp-agent/requirements.txt +0 -16
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/DOCUMENTATION.md +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/LICENSE +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/__init__.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_scanner.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/discover.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/discover_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/fingerprint.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/frameworks.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_scanner.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/inspect.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/inspect_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_client.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/scanner.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets_rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_ai.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_report.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_rules.py +0 -0
- {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/suppress.py +0 -0
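Review bot: the 0.9.2 sdist shipped release tooling and scratch files (`publish.sh`, `tmp/publish.sh`, `tmp/note.md`, `tmp/pypi.md` and the `tmp/test-mcp-agent/` tree) and 0.9.4 removes them, but 0.9.2 stays downloadable from the registry, so confirm that neither `publish.sh` nor `tmp/publish.sh` contained a registry token or other credential, and rotate it if they did. The four lines added to `.gitignore` only keep such files out of future archives if the build backend honours the ignore file when assembling the sdist; verify by listing the contents of the built 0.9.4 archive rather than trusting `.gitignore`. Separately, the new `agentsentinel_cli/redteam/` package (about 2,100 lines across `transport.py`, `payloads.py`, `mcp_poison.py`, `mcp_auth.py` and the rest) plus 638 lines in `cli.py` arrive with no test files anywhere in this listing; code that fires attack payloads at live servers is exactly the code that needs regression tests for its matchers and transport handling.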
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: agentsentinel-cli
|
|
3
|
-
Version: 0.9.
|
|
3
|
+
Version: 0.9.4
|
|
4
4
|
Summary: AI agent and MCP server security scanner — discovery, static analysis, supply chain audit, and multi-agent trust analysis
|
|
5
5
|
Project-URL: Homepage, https://github.com/jaydenaung/agentsentinel-cli
|
|
6
6
|
Project-URL: Repository, https://github.com/jaydenaung/agentsentinel-cli
|
|
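Review bot: the `Summary` line is unchanged at "discovery, static analysis, supply chain audit, and multi-agent trust analysis" while this release adds a module that sends command-injection, SSRF and path-traversal payloads at a target; the registry summary is what a user reads before installing, so it should say the package now performs active red-team testing and is no longer a purely static scanner.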
@@ -59,7 +59,8 @@ pipx install agentsentinel-cli
|
|
|
59
59
|
| `sentinel secrets` | Are credentials or PII exposed in these files? |
|
|
60
60
|
| `sentinel inspect` | What framework, model, and role is this agent? |
|
|
61
61
|
| `sentinel a2a` | Are multi-agent trust boundaries safe? |
|
|
62
|
-
| `sentinel host-scan` | What is my local AI security posture? |
|
|
62
|
+
| `sentinel host-scan` | What is my local AI security posture across all AI tools? |
|
|
63
|
+
| `sentinel redteam mcp` | Can I actively exploit this MCP server? |
|
|
63
64
|
|
|
64
65
|
---
|
|
65
66
|
|
|
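Review bot: the new `sentinel redteam mcp` row ("Can I actively exploit this MCP server?") is the only row in this table describing a command that sends attack traffic to a target instead of reading local files, and nothing in the row says so; a short qualifier in the cell (for example "active, sends real payloads, authorised targets only") would stop readers who skim the table from pointing it at a server they do not own.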
@@ -87,6 +88,11 @@ sentinel secrets ~/.claude/projects/ # scan Claude Code memory
|
|
|
87
88
|
# Local AI security posture — no network calls
|
|
88
89
|
sentinel host-scan
|
|
89
90
|
sentinel host-scan --fail-on HIGH
|
|
91
|
+
|
|
92
|
+
# Active red-team — real attacks, confirmed exploitation
|
|
93
|
+
sentinel redteam mcp full http://localhost:8000
|
|
94
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
|
|
95
|
+
sentinel redteam mcp auth http://localhost:8000
|
|
90
96
|
```
|
|
91
97
|
|
|
92
98
|
---
|
|
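Review bot: the quickstart block labels the three new commands "real attacks, confirmed exploitation" but omits the prerequisite stated only later in the document, `pip install "agentsentinel-cli[mcp]"` for `httpx`, so a user following the quickstart on a default install hits an import failure before the first request; put the install line directly above these commands. The `--type traverse --type ssrf` example also deserves a one-line warning here: the SSRF payloads make the target server reach out to cloud metadata and other internal endpoints, which is a side effect on the target, not only on the host running the scanner.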
@@ -325,7 +331,9 @@ Covers **ASI07** (Insecure Inter-Agent Communication).
|
|
|
325
331
|
|
|
326
332
|
### `sentinel host-scan` — local AI security posture audit
|
|
327
333
|
|
|
328
|
-
Audits your machine's AI security posture without any network calls.
|
|
334
|
+
Audits your machine's AI security posture without any network calls. Discovers and audits MCP server configurations across every major AI coding tool on the host — Claude Code, Claude Desktop, Cursor, Windsurf, Continue.dev, Gemini CLI, and VS Code — then checks shell credentials, macOS privacy permissions, system security settings, and running AI processes.
|
|
335
|
+
|
|
336
|
+
Works on macOS, Linux, and Windows. No API key required.
|
|
329
337
|
|
|
330
338
|
```bash
|
|
331
339
|
sentinel host-scan
|
|
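Review bot: "every major AI coding tool on the host" overstates what the bullet list below enumerates (seven named tools); say "the following tools" and let the list be authoritative. The same paragraph says the command "Works on macOS, Linux, and Windows", yet the checks it names (macOS privacy permissions, system security settings) and the rule table (SIP, FileVault, Gatekeeper, TCC) are macOS-only, so state which rules actually run on Linux and Windows; otherwise a clean Linux run reads as a passed audit when a large part of the rule set never executed.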
@@ -335,9 +343,19 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
|
|
|
335
343
|
```
|
|
336
344
|
|
|
337
345
|
**What it checks:**
|
|
338
|
-
|
|
346
|
+
|
|
347
|
+
*Anthropic tools*
|
|
348
|
+
- **Claude Code** — `allowedTools` (shell bypass), MCP server configs, shell hooks
|
|
339
349
|
- **Claude Desktop** — MCP server configs
|
|
340
|
-
|
|
350
|
+
|
|
351
|
+
*Third-party AI tools* — MCP server configs audited with the same exfiltration, broad-filesystem, sensitive-path, and sprawl rules as Claude tools
|
|
352
|
+
- **Cursor** — `~/.cursor/mcp.json`
|
|
353
|
+
- **Windsurf** — `~/.codeium/windsurf/mcp_config.json`
|
|
354
|
+
- **Continue.dev** — `~/.continue/config.json`
|
|
355
|
+
- **Gemini CLI** — `~/.gemini/settings.json`
|
|
356
|
+
- **VS Code** — `mcp.servers` in `settings.json` (MCP support added in VS Code 1.99)
|
|
357
|
+
|
|
358
|
+
*Host security*
|
|
341
359
|
- **Shell configs** — hardcoded AI API keys in `.zshrc`, `.bashrc`, `.zprofile`, etc.
|
|
342
360
|
- **macOS TCC permissions** — Full Disk Access, Screen Recording, Accessibility granted to AI apps
|
|
343
361
|
- **macOS system security** — SIP, FileVault, Gatekeeper status
|
|
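Review bot: every third-party config path in this list is a home-directory file (`~/.cursor/mcp.json`, `~/.codeium/windsurf/mcp_config.json`, `~/.continue/config.json`, `~/.gemini/settings.json`, `settings.json`), so say explicitly whether repository-scoped MCP config files are scanned as well; a cloned repository is an obvious place for an attacker to plant a server entry, and an audit that reads only user-level files would miss it. The VS Code bullet should also name the file it actually reads (the user `settings.json` location differs per OS) rather than only the `mcp.servers` key, since the scanner has to resolve that path on all three platforms the section claims to support.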
@@ -351,15 +369,15 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
|
|
|
351
369
|
| `HOST_SHELL_UNRESTRICTED` | CRITICAL | config | `Bash` in `allowedTools` — shell runs without confirmation prompt |
|
|
352
370
|
| `HOST_SIP_DISABLED` | CRITICAL | system | macOS System Integrity Protection is off |
|
|
353
371
|
| `HOST_API_KEY_IN_SHELL` | HIGH | data_exposure | AI API keys hardcoded in shell config files |
|
|
354
|
-
| `HOST_MCP_EXFIL_PATH` | HIGH | config | MCP server has both filesystem access and network capability |
|
|
372
|
+
| `HOST_MCP_EXFIL_PATH` | HIGH | config | Any AI tool's MCP server has both filesystem access and network capability |
|
|
355
373
|
| `HOST_FDA_AI_APP` | HIGH | permissions | Full Disk Access granted to an AI app or its terminal |
|
|
356
374
|
| `HOST_SCREEN_RECORDING_AI` | HIGH | permissions | Screen Recording permission granted to an AI app |
|
|
357
375
|
| `HOST_AI_PROCESS_EXPOSED` | HIGH | network | AI-related process listening on a non-localhost interface |
|
|
358
376
|
| `HOST_FILEVAULT_OFF` | HIGH | system | FileVault disk encryption is disabled |
|
|
359
377
|
| `HOST_ACCESSIBILITY_AI` | MEDIUM | permissions | Accessibility permission granted to an AI app |
|
|
360
378
|
| `HOST_HOOKS_SHELL` | MEDIUM | config | Claude Code shell hooks that could interpolate AI output |
|
|
361
|
-
| `HOST_MCP_BROAD_FS` | MEDIUM | config | MCP server configured with home-dir or root-level path |
|
|
362
|
-
| `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
|
|
379
|
+
| `HOST_MCP_BROAD_FS` | MEDIUM | config | Any AI tool's MCP server configured with home-dir or root-level path |
|
|
380
|
+
| `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | Any AI tool's MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
|
|
363
381
|
| `HOST_MANY_MCP_SERVERS` | MEDIUM | config | 8+ MCP servers across all detected AI tools — large prompt injection attack surface |
|
|
364
382
|
| `HOST_GATEKEEPER_OFF` | MEDIUM | system | Gatekeeper disabled — unsigned binaries run without warning |
|
|
365
383
|
| `HOST_LARGE_MEMORY` | LOW | data_exposure | Claude Code memory files exceed 50 MB of accumulated conversation data |
|
|
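Review bot: `HOST_MCP_EXFIL_PATH` now fires for "Any AI tool's MCP server" that has "both filesystem access and network capability", but the table never says how either capability is inferred from a JSON config entry (server name, package name, command arguments, a path-looking argument?); with seven config formats feeding one rule, that heuristic sets the false-positive rate and belongs next to the rule. `HOST_MANY_MCP_SERVERS` counts "8+ MCP servers across all detected AI tools"; the same server registered in two tools (common when a config is copied between Claude Desktop and Cursor) is then counted twice, so state whether the count is deduplicated by command and arguments.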
@@ -370,6 +388,85 @@ No API key required. No network calls.
|
|
|
370
388
|
|
|
371
389
|
---
|
|
372
390
|
|
|
391
|
+
### `sentinel redteam mcp` — active MCP server exploitation
|
|
392
|
+
|
|
393
|
+
The active red-team module for MCP servers. Every finding is backed by confirmed evidence from the server's actual response — no heuristics, no noise. If a traversal finding says it read `/etc/passwd`, it read `/etc/passwd`.
|
|
394
|
+
|
|
395
|
+
Requires `httpx`: `pip install "agentsentinel-cli[mcp]"`
|
|
396
|
+
|
|
397
|
+
```bash
|
|
398
|
+
# Full run — all 5 phases, unified report
|
|
399
|
+
sentinel redteam mcp full http://localhost:8000
|
|
400
|
+
sentinel redteam mcp full http://localhost:8000 --intensity high --format json
|
|
401
|
+
|
|
402
|
+
# Targeted phases
|
|
403
|
+
sentinel redteam mcp recon http://localhost:8000 # enumerate attack surface
|
|
404
|
+
sentinel redteam mcp auth http://localhost:8000 # auth bypass (5 credential scenarios)
|
|
405
|
+
sentinel redteam mcp inject http://localhost:8000 # all injection techniques
|
|
406
|
+
sentinel redteam mcp poison http://localhost:8000 # tool description + result injection
|
|
407
|
+
sentinel redteam mcp fuzz http://localhost:8000 # schema and type boundary fuzzing
|
|
408
|
+
|
|
409
|
+
# Surgical injection — pick your techniques
|
|
410
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse
|
|
411
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
|
|
412
|
+
sentinel redteam mcp inject http://localhost:8000 --type cmd --type sqli --intensity high
|
|
413
|
+
|
|
414
|
+
# With auth
|
|
415
|
+
sentinel redteam mcp full http://localhost:8000 \
|
|
416
|
+
--auth-header "Authorization: Bearer token"
|
|
417
|
+
|
|
418
|
+
# stdio transport (local MCP servers)
|
|
419
|
+
sentinel redteam mcp full --stdio "python my_mcp_server.py"
|
|
420
|
+
|
|
421
|
+
# CI gate — fail if any CRITICAL confirmed
|
|
422
|
+
sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
|
|
423
|
+
|
|
424
|
+
# Save report
|
|
425
|
+
sentinel redteam mcp full http://localhost:8000 --output report.json
|
|
426
|
+
```
|
|
427
|
+
|
|
428
|
+
**Phases:**
|
|
429
|
+
|
|
430
|
+
| Phase | Command | What it tests |
|
|
431
|
+
|-------|---------|---------------|
|
|
432
|
+
| 1 — Recon | `recon` | Tool inventory, resource listing, dangerous capability flags |
|
|
433
|
+
| 2 — Auth Bypass | `auth` | 5 credential scenarios: no creds, empty bearer, garbage token, invalid JWT, JWT alg:none |
|
|
434
|
+
| 3 — Injection | `inject` | Path traversal, SSRF, command injection, SQL injection — payload fired, pattern matched in response |
|
|
435
|
+
| 4 — Poison | `poison` | Static: adversarial instructions in tool descriptions. Dynamic: LLM instruction injection via tool parameters |
|
|
436
|
+
| 5 — Fuzz | `fuzz` | Stack traces, internal path disclosure, template injection eval, type confusion |
|
|
437
|
+
|
|
438
|
+
**Injection techniques (`--type`):**
|
|
439
|
+
|
|
440
|
+
| Technique | What it confirms |
|
|
441
|
+
|-----------|-----------------|
|
|
442
|
+
| `traverse` | Arbitrary file read via path traversal — evidence: `/etc/passwd` content, `.env` keys |
|
|
443
|
+
| `ssrf` | Server-side request forgery — evidence: AWS IMDS tokens, Redis/SSH banners, cloud metadata |
|
|
444
|
+
| `cmd` | OS command injection — evidence: `uid=0(root)` from `id`, `REDTEAM_CMD_CONFIRMED` sentinel |
|
|
445
|
+
| `sqli` | SQL injection — evidence: DB error messages (`ORA-`, `You have an error in your SQL syntax`) |
|
|
446
|
+
| `llm` | LLM instruction injection via tool result — evidence: sentinel string echoed in clean response |
|
|
447
|
+
|
|
448
|
+
**Intensity levels (`--intensity`):**
|
|
449
|
+
|
|
450
|
+
| Level | Payloads per technique | Use case |
|
|
451
|
+
|-------|----------------------|----------|
|
|
452
|
+
| `low` | 5 | Fast CI gate |
|
|
453
|
+
| `medium` | 15 | Standard engagement (default) |
|
|
454
|
+
| `high` | Full library (~20) | Thorough pentest |
|
|
455
|
+
|
|
456
|
+
**Finding severities:**
|
|
457
|
+
|
|
458
|
+
| Severity | Example |
|
|
459
|
+
|----------|---------|
|
|
460
|
+
| CRITICAL | Path traversal confirmed — `/etc/passwd` content in response |
|
|
461
|
+
| HIGH | LLM instruction injection — sentinel reflected in clean tool result |
|
|
462
|
+
| MEDIUM | Input reflected in error message (injection vector, lower confidence) |
|
|
463
|
+
| LOW | Unexpected content returned on malformed input |
|
|
464
|
+
| INFO | Auth enforced on handshake, tool inventory |
|
|
465
|
+
|
|
466
|
+
Every finding includes a **MITRE ATLAS** ID and **OWASP ASI** ID. Use `--verbose` to see full request/response bodies.
|
|
467
|
+
|
|
468
|
+
---
|
|
469
|
+
|
|
373
470
|
## Finding suppression
|
|
374
471
|
|
|
375
472
|
Use `--ignore-rule` to suppress findings by rule ID. Suppressed findings are excluded from `--fail-on` evaluation — they don't break CI gates.
|
|
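Review bot: the opening claim "no heuristics, no noise" is contradicted inside the same section, where the severities table defines MEDIUM as "Input reflected in error message (injection vector, lower confidence)" and LOW as "Unexpected content returned on malformed input", and where the `sqli` row's only evidence is a database error string, so a server that suppresses verbose errors passes the SQL injection check; reword to "CRITICAL and HIGH findings are confirmed by response evidence" and label the rest as indicators. Two further gaps in this block: `llm` is listed as an `inject --type` value while the phase table assigns "LLM instruction injection via tool parameters" to `poison`, so say which command actually runs it; and the report itself is sensitive, because confirmed evidence means real `/etc/passwd` content, `.env` keys and IMDS credentials land in the output, in `--output report.json`, and in full request/response bodies under `--verbose`, so the text should say the report must be handled as secret material and whether any redaction is applied. Finally, the `--auth-header "Authorization: Bearer token"` example puts a bearer token on the command line, where it goes into shell history and is visible to other users through the process list; offer an environment-variable or file-based alternative.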
@@ -397,11 +494,11 @@ Supported on: `sentinel scan`, `sentinel a2a`, `sentinel mcp scan`, `sentinel su
|
|
|
397
494
|
|
|
398
495
|
| OWASP Risk | ID | sentinel coverage |
|
|
399
496
|
|------------|-----|------------------|
|
|
400
|
-
| Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01) |
|
|
401
|
-
| Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan
|
|
402
|
-
| Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED) |
|
|
403
|
-
| **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis) |
|
|
404
|
-
| Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL) |
|
|
497
|
+
| Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01), **`sentinel redteam mcp poison`** (confirmed injection) |
|
|
498
|
+
| Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan`, **`sentinel redteam mcp inject`** (confirmed exploitation) |
|
|
499
|
+
| Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED), **`sentinel redteam mcp auth`** (bypass confirmation) |
|
|
500
|
+
| **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis), **`sentinel redteam mcp poison`** (static description scan) |
|
|
501
|
+
| Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL), **`sentinel redteam mcp inject --type cmd`** |
|
|
405
502
|
| **Memory & Context Poisoning** | **ASI06** | **`sentinel secrets`** (memory contamination, system prompt leakage), `sentinel host-scan` (HOST_LARGE_MEMORY) |
|
|
406
503
|
| **Insecure Inter-Agent Communication** | **ASI07** | **`sentinel a2a`** (call graph + trust rules) |
|
|
407
504
|
| Cascading Agent Failures | ASI08 | `sentinel discover` (surface unmonitored agents) |
|
|
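Review bot: the `-` side of the ASI02 row was malformed (`sentinel scan` with no closing backtick or trailing pipe, which breaks the table in rendered Markdown) and the `+` side fixes it, good. Two wording issues remain in the new cells: ASI03 credits `sentinel redteam mcp auth` with "(bypass confirmation)", which reads as bypassing a confirmation prompt rather than confirming an auth bypass, so write "(confirmed auth bypass)"; and `sentinel redteam mcp poison` is credited under ASI01 as "confirmed injection" and under ASI04 as "static description scan", which are the dynamic and static halves of the same phase, so name the half in each cell consistently (for example "dynamic result injection" and "static tool-description scan") so a reader can tell which check a finding came from.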
@@ -442,6 +539,9 @@ jobs:
|
|
|
442
539
|
|
|
443
540
|
- name: Host AI security posture
|
|
444
541
|
run: sentinel host-scan --fail-on HIGH
|
|
542
|
+
|
|
543
|
+
- name: MCP red-team (active exploitation check)
|
|
544
|
+
run: sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
|
|
445
545
|
```
|
|
446
546
|
|
|
447
547
|
Use `.sentinelignore` at the repo root to suppress accepted risks without weakening the gate:
|
|
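Review bot: the new `MCP red-team` step runs `sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL`, but nothing in the surrounding context starts an MCP server on port 8000 before it, so as written the step fails on a refused connection rather than on a finding; add a step that launches the server under test and waits until it accepts connections, and make sure the install step pulls the `[mcp]` extra this command needs. The job log will also now contain exploitation evidence (file contents, error strings, whatever the server echoes back), so pair `--fail-on CRITICAL` with `--output` to an artifact with restricted retention rather than printing evidence into a build log that may be readable by everyone with repository access.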
@@ -456,7 +556,7 @@ NO_AUTH # server is behind an authenticated reverse proxy
|
|
|
456
556
|
## Requirements
|
|
457
557
|
|
|
458
558
|
- Python 3.10+
|
|
459
|
-
- No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`
|
|
559
|
+
- No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`, `sentinel redteam mcp`
|
|
460
560
|
- `ANTHROPIC_API_KEY` required for: `sentinel supply-chain --ai`, `sentinel inspect` (AI summary)
|
|
461
561
|
|
|
462
562
|
---
|
|
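Review bot: adding `sentinel redteam mcp` to the "No API key required" list is correct but incomplete, because the red-team section states it requires `httpx` via `pip install "agentsentinel-cli[mcp]"`; the Requirements list is where readers look for dependencies, so add a line naming the commands that need the `[mcp]` extra, and state whether `sentinel mcp scan` shares that requirement, instead of leaving it only in the command section.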
@@ -25,7 +25,8 @@ pipx install agentsentinel-cli
|
|
|
25
25
|
| `sentinel secrets` | Are credentials or PII exposed in these files? |
|
|
26
26
|
| `sentinel inspect` | What framework, model, and role is this agent? |
|
|
27
27
|
| `sentinel a2a` | Are multi-agent trust boundaries safe? |
|
|
28
|
-
| `sentinel host-scan` | What is my local AI security posture? |
|
|
28
|
+
| `sentinel host-scan` | What is my local AI security posture across all AI tools? |
|
|
29
|
+
| `sentinel redteam mcp` | Can I actively exploit this MCP server? |
|
|
29
30
|
|
|
30
31
|
---
|
|
31
32
|
|
|
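Review bot: this hunk and the README.md hunks that follow are the same content as the PKG-INFO hunks above, because PKG-INFO embeds README.md as the package long description; any wording fix should be made in the README and reach PKG-INFO by rebuilding the sdist, not by editing the generated file, so review the README copy and treat PKG-INFO as derived output.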
@@ -53,6 +54,11 @@ sentinel secrets ~/.claude/projects/ # scan Claude Code memory
|
|
|
53
54
|
# Local AI security posture — no network calls
|
|
54
55
|
sentinel host-scan
|
|
55
56
|
sentinel host-scan --fail-on HIGH
|
|
57
|
+
|
|
58
|
+
# Active red-team — real attacks, confirmed exploitation
|
|
59
|
+
sentinel redteam mcp full http://localhost:8000
|
|
60
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
|
|
61
|
+
sentinel redteam mcp auth http://localhost:8000
|
|
56
62
|
```
|
|
57
63
|
|
|
58
64
|
---
|
|
@@ -291,7 +297,9 @@ Covers **ASI07** (Insecure Inter-Agent Communication).
|
|
|
291
297
|
|
|
292
298
|
### `sentinel host-scan` — local AI security posture audit
|
|
293
299
|
|
|
294
|
-
Audits your machine's AI security posture without any network calls.
|
|
300
|
+
Audits your machine's AI security posture without any network calls. Discovers and audits MCP server configurations across every major AI coding tool on the host — Claude Code, Claude Desktop, Cursor, Windsurf, Continue.dev, Gemini CLI, and VS Code — then checks shell credentials, macOS privacy permissions, system security settings, and running AI processes.
|
|
301
|
+
|
|
302
|
+
Works on macOS, Linux, and Windows. No API key required.
|
|
295
303
|
|
|
296
304
|
```bash
|
|
297
305
|
sentinel host-scan
|
|
@@ -301,9 +309,19 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
|
|
|
301
309
|
```
|
|
302
310
|
|
|
303
311
|
**What it checks:**
|
|
304
|
-
|
|
312
|
+
|
|
313
|
+
*Anthropic tools*
|
|
314
|
+
- **Claude Code** — `allowedTools` (shell bypass), MCP server configs, shell hooks
|
|
305
315
|
- **Claude Desktop** — MCP server configs
|
|
306
|
-
|
|
316
|
+
|
|
317
|
+
*Third-party AI tools* — MCP server configs audited with the same exfiltration, broad-filesystem, sensitive-path, and sprawl rules as Claude tools
|
|
318
|
+
- **Cursor** — `~/.cursor/mcp.json`
|
|
319
|
+
- **Windsurf** — `~/.codeium/windsurf/mcp_config.json`
|
|
320
|
+
- **Continue.dev** — `~/.continue/config.json`
|
|
321
|
+
- **Gemini CLI** — `~/.gemini/settings.json`
|
|
322
|
+
- **VS Code** — `mcp.servers` in `settings.json` (MCP support added in VS Code 1.99)
|
|
323
|
+
|
|
324
|
+
*Host security*
|
|
307
325
|
- **Shell configs** — hardcoded AI API keys in `.zshrc`, `.bashrc`, `.zprofile`, etc.
|
|
308
326
|
- **macOS TCC permissions** — Full Disk Access, Screen Recording, Accessibility granted to AI apps
|
|
309
327
|
- **macOS system security** — SIP, FileVault, Gatekeeper status
|
|
@@ -317,15 +335,15 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
|
|
|
317
335
|
| `HOST_SHELL_UNRESTRICTED` | CRITICAL | config | `Bash` in `allowedTools` — shell runs without confirmation prompt |
|
|
318
336
|
| `HOST_SIP_DISABLED` | CRITICAL | system | macOS System Integrity Protection is off |
|
|
319
337
|
| `HOST_API_KEY_IN_SHELL` | HIGH | data_exposure | AI API keys hardcoded in shell config files |
|
|
320
|
-
| `HOST_MCP_EXFIL_PATH` | HIGH | config | MCP server has both filesystem access and network capability |
|
|
338
|
+
| `HOST_MCP_EXFIL_PATH` | HIGH | config | Any AI tool's MCP server has both filesystem access and network capability |
|
|
321
339
|
| `HOST_FDA_AI_APP` | HIGH | permissions | Full Disk Access granted to an AI app or its terminal |
|
|
322
340
|
| `HOST_SCREEN_RECORDING_AI` | HIGH | permissions | Screen Recording permission granted to an AI app |
|
|
323
341
|
| `HOST_AI_PROCESS_EXPOSED` | HIGH | network | AI-related process listening on a non-localhost interface |
|
|
324
342
|
| `HOST_FILEVAULT_OFF` | HIGH | system | FileVault disk encryption is disabled |
|
|
325
343
|
| `HOST_ACCESSIBILITY_AI` | MEDIUM | permissions | Accessibility permission granted to an AI app |
|
|
326
344
|
| `HOST_HOOKS_SHELL` | MEDIUM | config | Claude Code shell hooks that could interpolate AI output |
|
|
327
|
-
| `HOST_MCP_BROAD_FS` | MEDIUM | config | MCP server configured with home-dir or root-level path |
|
|
328
|
-
| `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
|
|
345
|
+
| `HOST_MCP_BROAD_FS` | MEDIUM | config | Any AI tool's MCP server configured with home-dir or root-level path |
|
|
346
|
+
| `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | Any AI tool's MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
|
|
329
347
|
| `HOST_MANY_MCP_SERVERS` | MEDIUM | config | 8+ MCP servers across all detected AI tools — large prompt injection attack surface |
|
|
330
348
|
| `HOST_GATEKEEPER_OFF` | MEDIUM | system | Gatekeeper disabled — unsigned binaries run without warning |
|
|
331
349
|
| `HOST_LARGE_MEMORY` | LOW | data_exposure | Claude Code memory files exceed 50 MB of accumulated conversation data |
|
|
@@ -336,6 +354,85 @@ No API key required. No network calls.
|
|
|
336
354
|
|
|
337
355
|
---
|
|
338
356
|
|
|
357
|
+
### `sentinel redteam mcp` — active MCP server exploitation
|
|
358
|
+
|
|
359
|
+
The active red-team module for MCP servers. Every finding is backed by confirmed evidence from the server's actual response — no heuristics, no noise. If a traversal finding says it read `/etc/passwd`, it read `/etc/passwd`.
|
|
360
|
+
|
|
361
|
+
Requires `httpx`: `pip install "agentsentinel-cli[mcp]"`
|
|
362
|
+
|
|
363
|
+
```bash
|
|
364
|
+
# Full run — all 5 phases, unified report
|
|
365
|
+
sentinel redteam mcp full http://localhost:8000
|
|
366
|
+
sentinel redteam mcp full http://localhost:8000 --intensity high --format json
|
|
367
|
+
|
|
368
|
+
# Targeted phases
|
|
369
|
+
sentinel redteam mcp recon http://localhost:8000 # enumerate attack surface
|
|
370
|
+
sentinel redteam mcp auth http://localhost:8000 # auth bypass (5 credential scenarios)
|
|
371
|
+
sentinel redteam mcp inject http://localhost:8000 # all injection techniques
|
|
372
|
+
sentinel redteam mcp poison http://localhost:8000 # tool description + result injection
|
|
373
|
+
sentinel redteam mcp fuzz http://localhost:8000 # schema and type boundary fuzzing
|
|
374
|
+
|
|
375
|
+
# Surgical injection — pick your techniques
|
|
376
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse
|
|
377
|
+
sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
|
|
378
|
+
sentinel redteam mcp inject http://localhost:8000 --type cmd --type sqli --intensity high
|
|
379
|
+
|
|
380
|
+
# With auth
|
|
381
|
+
sentinel redteam mcp full http://localhost:8000 \
|
|
382
|
+
--auth-header "Authorization: Bearer token"
|
|
383
|
+
|
|
384
|
+
# stdio transport (local MCP servers)
|
|
385
|
+
sentinel redteam mcp full --stdio "python my_mcp_server.py"
|
|
386
|
+
|
|
387
|
+
# CI gate — fail if any CRITICAL confirmed
|
|
388
|
+
sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
|
|
389
|
+
|
|
390
|
+
# Save report
|
|
391
|
+
sentinel redteam mcp full http://localhost:8000 --output report.json
|
|
392
|
+
```
|
|
393
|
+
|
|
394
|
+
**Phases:**
|
|
395
|
+
|
|
396
|
+
| Phase | Command | What it tests |
|
|
397
|
+
|-------|---------|---------------|
|
|
398
|
+
| 1 — Recon | `recon` | Tool inventory, resource listing, dangerous capability flags |
|
|
399
|
+
| 2 — Auth Bypass | `auth` | 5 credential scenarios: no creds, empty bearer, garbage token, invalid JWT, JWT alg:none |
|
|
400
|
+
| 3 — Injection | `inject` | Path traversal, SSRF, command injection, SQL injection — payload fired, pattern matched in response |
|
|
401
|
+
| 4 — Poison | `poison` | Static: adversarial instructions in tool descriptions. Dynamic: LLM instruction injection via tool parameters |
|
|
402
|
+
| 5 — Fuzz | `fuzz` | Stack traces, internal path disclosure, template injection eval, type confusion |
|
|
403
|
+
|
|
404
|
+
**Injection techniques (`--type`):**
|
|
405
|
+
|
|
406
|
+
| Technique | What it confirms |
|
|
407
|
+
|-----------|-----------------|
|
|
408
|
+
| `traverse` | Arbitrary file read via path traversal — evidence: `/etc/passwd` content, `.env` keys |
|
|
409
|
+
| `ssrf` | Server-side request forgery — evidence: AWS IMDS tokens, Redis/SSH banners, cloud metadata |
|
|
410
|
+
| `cmd` | OS command injection — evidence: `uid=0(root)` from `id`, `REDTEAM_CMD_CONFIRMED` sentinel |
|
|
411
|
+
| `sqli` | SQL injection — evidence: DB error messages (`ORA-`, `You have an error in your SQL syntax`) |
|
|
412
|
+
| `llm` | LLM instruction injection via tool result — evidence: sentinel string echoed in clean response |
|
|
413
|
+
|
|
414
|
+
**Intensity levels (`--intensity`):**
|
|
415
|
+
|
|
416
|
+
| Level | Payloads per technique | Use case |
|
|
417
|
+
|-------|----------------------|----------|
|
|
418
|
+
| `low` | 5 | Fast CI gate |
|
|
419
|
+
| `medium` | 15 | Standard engagement (default) |
|
|
420
|
+
| `high` | Full library (~20) | Thorough pentest |
|
|
421
|
+
|
|
422
|
+
**Finding severities:**
|
|
423
|
+
|
|
424
|
+
| Severity | Example |
|
|
425
|
+
|----------|---------|
|
|
426
|
+
| CRITICAL | Path traversal confirmed — `/etc/passwd` content in response |
|
|
427
|
+
| HIGH | LLM instruction injection — sentinel reflected in clean tool result |
|
|
428
|
+
| MEDIUM | Input reflected in error message (injection vector, lower confidence) |
|
|
429
|
+
| LOW | Unexpected content returned on malformed input |
|
|
430
|
+
| INFO | Auth enforced on handshake, tool inventory |
|
|
431
|
+
|
|
432
|
+
Every finding includes a **MITRE ATLAS** ID and **OWASP ASI** ID. Use `--verbose` to see full request/response bodies.
|
|
433
|
+
|
|
434
|
+
---
|
|
435
|
+
|
|
339
436
|
## Finding suppression
|
|
340
437
|
|
|
341
438
|
Use `--ignore-rule` to suppress findings by rule ID. Suppressed findings are excluded from `--fail-on` evaluation — they don't break CI gates.
|
|
@@ -363,11 +460,11 @@ Supported on: `sentinel scan`, `sentinel a2a`, `sentinel mcp scan`, `sentinel su
|
|
|
363
460
|
|
|
364
461
|
| OWASP Risk | ID | sentinel coverage |
|
|
365
462
|
|------------|-----|------------------|
|
|
366
|
-
| Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01) |
|
|
367
|
-
| Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan
|
|
368
|
-
| Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED) |
|
|
369
|
-
| **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis) |
|
|
370
|
-
| Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL) |
|
|
463
|
+
| Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01), **`sentinel redteam mcp poison`** (confirmed injection) |
|
|
464
|
+
| Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan`, **`sentinel redteam mcp inject`** (confirmed exploitation) |
|
|
465
|
+
| Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED), **`sentinel redteam mcp auth`** (bypass confirmation) |
|
|
466
|
+
| **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis), **`sentinel redteam mcp poison`** (static description scan) |
|
|
467
|
+
| Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL), **`sentinel redteam mcp inject --type cmd`** |
|
|
371
468
|
| **Memory & Context Poisoning** | **ASI06** | **`sentinel secrets`** (memory contamination, system prompt leakage), `sentinel host-scan` (HOST_LARGE_MEMORY) |
|
|
372
469
|
| **Insecure Inter-Agent Communication** | **ASI07** | **`sentinel a2a`** (call graph + trust rules) |
|
|
373
470
|
| Cascading Agent Failures | ASI08 | `sentinel discover` (surface unmonitored agents) |
|
|
@@ -408,6 +505,9 @@ jobs:
|
|
|
408
505
|
|
|
409
506
|
- name: Host AI security posture
|
|
410
507
|
run: sentinel host-scan --fail-on HIGH
|
|
508
|
+
|
|
509
|
+
- name: MCP red-team (active exploitation check)
|
|
510
|
+
run: sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
|
|
411
511
|
```
|
|
412
512
|
|
|
413
513
|
Use `.sentinelignore` at the repo root to suppress accepted risks without weakening the gate:
|
|
@@ -422,7 +522,7 @@ NO_AUTH # server is behind an authenticated reverse proxy
|
|
|
422
522
|
## Requirements
|
|
423
523
|
|
|
424
524
|
- Python 3.10+
|
|
425
|
-
- No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`
|
|
525
|
+
- No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`, `sentinel redteam mcp`
|
|
426
526
|
- `ANTHROPIC_API_KEY` required for: `sentinel supply-chain --ai`, `sentinel inspect` (AI summary)
|
|
427
527
|
|
|
428
528
|
---
|