agentsentinel-cli 0.9.2__tar.gz → 0.9.4__tar.gz

Files changed (51)
  1. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/.gitignore +4 -0
  2. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/PKG-INFO +114 -14
  3. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/README.md +113 -13
  4. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/cli.py +638 -0
  5. agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/__init__.py +0 -0
  6. agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/mcp_auth.py +214 -0
  7. agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/mcp_fuzz.py +183 -0
  8. agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/mcp_inject.py +164 -0
  9. agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/mcp_poison.py +215 -0
  10. agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/mcp_recon.py +112 -0
  11. agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/models.py +112 -0
  12. agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/payloads.py +388 -0
  13. agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/report.py +212 -0
  14. agentsentinel_cli-0.9.4/agentsentinel_cli/redteam/transport.py +499 -0
  15. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/pyproject.toml +9 -1
  16. agentsentinel_cli-0.9.2/publish.sh +0 -31
  17. agentsentinel_cli-0.9.2/tmp/note.md +0 -16
  18. agentsentinel_cli-0.9.2/tmp/publish.sh +0 -31
  19. agentsentinel_cli-0.9.2/tmp/pypi.md +0 -53
  20. agentsentinel_cli-0.9.2/tmp/test-mcp-agent/README.md +0 -134
  21. agentsentinel_cli-0.9.2/tmp/test-mcp-agent/langchain_agent.py +0 -178
  22. agentsentinel_cli-0.9.2/tmp/test-mcp-agent/mcp_server.py +0 -245
  23. agentsentinel_cli-0.9.2/tmp/test-mcp-agent/requirements.txt +0 -16
  24. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/DOCUMENTATION.md +0 -0
  25. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/LICENSE +0 -0
  26. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/__init__.py +0 -0
  27. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_report.py +0 -0
  28. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_rules.py +0 -0
  29. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_scanner.py +0 -0
  30. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/discover.py +0 -0
  31. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/discover_report.py +0 -0
  32. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/fingerprint.py +0 -0
  33. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/frameworks.py +0 -0
  34. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_report.py +0 -0
  35. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_rules.py +0 -0
  36. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_scanner.py +0 -0
  37. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/inspect.py +0 -0
  38. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/inspect_report.py +0 -0
  39. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_client.py +0 -0
  40. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_report.py +0 -0
  41. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_rules.py +0 -0
  42. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/report.py +0 -0
  43. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/rules.py +0 -0
  44. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/scanner.py +0 -0
  45. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets.py +0 -0
  46. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets_report.py +0 -0
  47. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets_rules.py +0 -0
  48. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_ai.py +0 -0
  49. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_report.py +0 -0
  50. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_rules.py +0 -0
  51. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.4}/agentsentinel_cli/suppress.py +0 -0
@@ -27,6 +27,10 @@ htmlcov/
27
27
  .env
28
28
  .env.*
29
29
 
30
+ # Publish scripts contain credentials — never commit
31
+ publish.sh
32
+ tmp/
33
+
30
34
  # Sentinel analyst memory (local state, not for commit)
31
35
  .sentinel/
32
36
 
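Review bot: the new `.gitignore` entries for `publish.sh` and `tmp/` only stop future git commits; they do not affect what the sdist build packs, and the file list for this same release shows `publish.sh` (31 lines) and `tmp/publish.sh` being removed from the 0.9.2 tarball, so the 0.9.2 package on the registry already shipped them. Since the comment says these scripts contain credentials, treat the 0.9.2 tarball as a disclosure: rotate those tokens and add an sdist exclude (MANIFEST.in or the build backend's exclude setting) rather than relying on `.gitignore` alone.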
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: agentsentinel-cli
3
- Version: 0.9.2
3
+ Version: 0.9.4
4
4
  Summary: AI agent and MCP server security scanner — discovery, static analysis, supply chain audit, and multi-agent trust analysis
5
5
  Project-URL: Homepage, https://github.com/jaydenaung/agentsentinel-cli
6
6
  Project-URL: Repository, https://github.com/jaydenaung/agentsentinel-cli
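Review bot: the only change is the version string, but the `Summary` line still describes the package as a scanner doing discovery, static analysis, supply-chain audit and trust analysis, while this release adds a module that sends live exploit payloads. Update the Summary so anyone reading the registry metadata knows an active testing component is included.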
@@ -59,7 +59,8 @@ pipx install agentsentinel-cli
59
59
  | `sentinel secrets` | Are credentials or PII exposed in these files? |
60
60
  | `sentinel inspect` | What framework, model, and role is this agent? |
61
61
  | `sentinel a2a` | Are multi-agent trust boundaries safe? |
62
- | `sentinel host-scan` | What is my local AI security posture? |
62
+ | `sentinel host-scan` | What is my local AI security posture across all AI tools? |
63
+ | `sentinel redteam mcp` | Can I actively exploit this MCP server? |
63
64
 
64
65
  ---
65
66
 
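Review bot: "across all AI tools" in the `sentinel host-scan` row overstates the scope; the checks list later in this file names seven specific tools. Say "across supported AI tools" or list them, so a user of an unlisted tool does not read a clean result as coverage of that tool.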
@@ -87,6 +88,11 @@ sentinel secrets ~/.claude/projects/ # scan Claude Code memory
87
88
  # Local AI security posture — no network calls
88
89
  sentinel host-scan
89
90
  sentinel host-scan --fail-on HIGH
91
+
92
+ # Active red-team — real attacks, confirmed exploitation
93
+ sentinel redteam mcp full http://localhost:8000
94
+ sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
95
+ sentinel redteam mcp auth http://localhost:8000
90
96
  ```
91
97
 
92
98
  ---
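Review bot: the comment "# Active red-team — real attacks, confirmed exploitation" is the only hint that these three lines differ from everything above them, which is read-only. Per the techniques table further down, `cmd` payloads execute `id` on the target and `ssrf` payloads make the target fetch cloud metadata endpoints, so state here that these commands have side effects on the server under test and that `http://localhost:8000` is a placeholder, not a default.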
@@ -325,7 +331,9 @@ Covers **ASI07** (Insecure Inter-Agent Communication).
325
331
 
326
332
  ### `sentinel host-scan` — local AI security posture audit
327
333
 
328
- Audits your machine's AI security posture without any network calls. Reads Claude Code and Claude Desktop configurations, shell credential files, macOS privacy permissions (TCC), system security settings, and running AI processes.
334
+ Audits your machine's AI security posture without any network calls. Discovers and audits MCP server configurations across every major AI coding tool on the host — Claude Code, Claude Desktop, Cursor, Windsurf, Continue.dev, Gemini CLI, and VS Code — then checks shell credentials, macOS privacy permissions, system security settings, and running AI processes.
335
+
336
+ Works on macOS, Linux, and Windows. No API key required.
329
337
 
330
338
  ```bash
331
339
  sentinel host-scan
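Review bot: "Works on macOS, Linux, and Windows" sits next to a check list where TCC permissions, SIP, FileVault and Gatekeeper are macOS-only. Say which checks are skipped on Linux and Windows, and have the report say so explicitly, so that an absent permissions section on those platforms is read as "not checked" rather than "nothing found".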
@@ -335,9 +343,19 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
335
343
  ```
336
344
 
337
345
  **What it checks:**
338
- - **Claude Code** — `allowedTools` (Bash bypass), MCP server configs, shell hooks
346
+
347
+ *Anthropic tools*
348
+ - **Claude Code** — `allowedTools` (shell bypass), MCP server configs, shell hooks
339
349
  - **Claude Desktop** — MCP server configs
340
- - **Third-party AI tools** — Cursor (`~/.cursor/mcp.json`), Windsurf (`~/.codeium/windsurf/mcp_config.json`), Continue.dev (`~/.continue/config.json`), Gemini CLI (`~/.gemini/settings.json`), VS Code (`mcp.servers` in `settings.json`) — all MCP server configs audited with the same rules
350
+
351
+ *Third-party AI tools* — MCP server configs audited with the same exfiltration, broad-filesystem, sensitive-path, and sprawl rules as Claude tools
352
+ - **Cursor** — `~/.cursor/mcp.json`
353
+ - **Windsurf** — `~/.codeium/windsurf/mcp_config.json`
354
+ - **Continue.dev** — `~/.continue/config.json`
355
+ - **Gemini CLI** — `~/.gemini/settings.json`
356
+ - **VS Code** — `mcp.servers` in `settings.json` (MCP support added in VS Code 1.99)
357
+
358
+ *Host security*
341
359
  - **Shell configs** — hardcoded AI API keys in `.zshrc`, `.bashrc`, `.zprofile`, etc.
342
360
  - **macOS TCC permissions** — Full Disk Access, Screen Recording, Accessibility granted to AI apps
343
361
  - **macOS system security** — SIP, FileVault, Gatekeeper status
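Review bot: the "Third-party AI tools" intro names the rule families (exfiltration, broad-filesystem, sensitive-path, sprawl) but not the rule IDs; since the hunk header shows `--ignore-rule HOST_LARGE_MEMORY` as the suppression mechanism, list the IDs here (`HOST_MCP_EXFIL_PATH`, `HOST_MCP_BROAD_FS`, `HOST_MCP_SENSITIVE_PATH`, `HOST_MANY_MCP_SERVERS`) so readers can map a finding on a Cursor or Windsurf config to the rule they would suppress.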
@@ -351,15 +369,15 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
351
369
  | `HOST_SHELL_UNRESTRICTED` | CRITICAL | config | `Bash` in `allowedTools` — shell runs without confirmation prompt |
352
370
  | `HOST_SIP_DISABLED` | CRITICAL | system | macOS System Integrity Protection is off |
353
371
  | `HOST_API_KEY_IN_SHELL` | HIGH | data_exposure | AI API keys hardcoded in shell config files |
354
- | `HOST_MCP_EXFIL_PATH` | HIGH | config | MCP server has both filesystem access and network capability |
372
+ | `HOST_MCP_EXFIL_PATH` | HIGH | config | Any AI tool's MCP server has both filesystem access and network capability |
355
373
  | `HOST_FDA_AI_APP` | HIGH | permissions | Full Disk Access granted to an AI app or its terminal |
356
374
  | `HOST_SCREEN_RECORDING_AI` | HIGH | permissions | Screen Recording permission granted to an AI app |
357
375
  | `HOST_AI_PROCESS_EXPOSED` | HIGH | network | AI-related process listening on a non-localhost interface |
358
376
  | `HOST_FILEVAULT_OFF` | HIGH | system | FileVault disk encryption is disabled |
359
377
  | `HOST_ACCESSIBILITY_AI` | MEDIUM | permissions | Accessibility permission granted to an AI app |
360
378
  | `HOST_HOOKS_SHELL` | MEDIUM | config | Claude Code shell hooks that could interpolate AI output |
361
- | `HOST_MCP_BROAD_FS` | MEDIUM | config | MCP server configured with home-dir or root-level path |
362
- | `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
379
+ | `HOST_MCP_BROAD_FS` | MEDIUM | config | Any AI tool's MCP server configured with home-dir or root-level path |
380
+ | `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | Any AI tool's MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
363
381
  | `HOST_MANY_MCP_SERVERS` | MEDIUM | config | 8+ MCP servers across all detected AI tools — large prompt injection attack surface |
364
382
  | `HOST_GATEKEEPER_OFF` | MEDIUM | system | Gatekeeper disabled — unsigned binaries run without warning |
365
383
  | `HOST_LARGE_MEMORY` | LOW | data_exposure | Claude Code memory files exceed 50 MB of accumulated conversation data |
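Review bot: changing the three MCP rule descriptions to "Any AI tool's MCP server" widens each rule to seven config files, but the table gives no indication that the finding names which file matched. Since `~/.cursor/mcp.json` and `~/.codeium/windsurf/mcp_config.json` are fixed in different places than the Claude configs, make sure each finding's location field carries the config path and tool name; otherwise the rule ID alone no longer tells the user what to fix.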
@@ -370,6 +388,85 @@ No API key required. No network calls.
370
388
 
371
389
  ---
372
390
 
391
+ ### `sentinel redteam mcp` — active MCP server exploitation
392
+
393
+ The active red-team module for MCP servers. Every finding is backed by confirmed evidence from the server's actual response — no heuristics, no noise. If a traversal finding says it read `/etc/passwd`, it read `/etc/passwd`.
394
+
395
+ Requires `httpx`: `pip install "agentsentinel-cli[mcp]"`
396
+
397
+ ```bash
398
+ # Full run — all 5 phases, unified report
399
+ sentinel redteam mcp full http://localhost:8000
400
+ sentinel redteam mcp full http://localhost:8000 --intensity high --format json
401
+
402
+ # Targeted phases
403
+ sentinel redteam mcp recon http://localhost:8000 # enumerate attack surface
404
+ sentinel redteam mcp auth http://localhost:8000 # auth bypass (5 credential scenarios)
405
+ sentinel redteam mcp inject http://localhost:8000 # all injection techniques
406
+ sentinel redteam mcp poison http://localhost:8000 # tool description + result injection
407
+ sentinel redteam mcp fuzz http://localhost:8000 # schema and type boundary fuzzing
408
+
409
+ # Surgical injection — pick your techniques
410
+ sentinel redteam mcp inject http://localhost:8000 --type traverse
411
+ sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
412
+ sentinel redteam mcp inject http://localhost:8000 --type cmd --type sqli --intensity high
413
+
414
+ # With auth
415
+ sentinel redteam mcp full http://localhost:8000 \
416
+ --auth-header "Authorization: Bearer token"
417
+
418
+ # stdio transport (local MCP servers)
419
+ sentinel redteam mcp full --stdio "python my_mcp_server.py"
420
+
421
+ # CI gate — fail if any CRITICAL confirmed
422
+ sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
423
+
424
+ # Save report
425
+ sentinel redteam mcp full http://localhost:8000 --output report.json
426
+ ```
427
+
428
+ **Phases:**
429
+
430
+ | Phase | Command | What it tests |
431
+ |-------|---------|---------------|
432
+ | 1 — Recon | `recon` | Tool inventory, resource listing, dangerous capability flags |
433
+ | 2 — Auth Bypass | `auth` | 5 credential scenarios: no creds, empty bearer, garbage token, invalid JWT, JWT alg:none |
434
+ | 3 — Injection | `inject` | Path traversal, SSRF, command injection, SQL injection — payload fired, pattern matched in response |
435
+ | 4 — Poison | `poison` | Static: adversarial instructions in tool descriptions. Dynamic: LLM instruction injection via tool parameters |
436
+ | 5 — Fuzz | `fuzz` | Stack traces, internal path disclosure, template injection eval, type confusion |
437
+
438
+ **Injection techniques (`--type`):**
439
+
440
+ | Technique | What it confirms |
441
+ |-----------|-----------------|
442
+ | `traverse` | Arbitrary file read via path traversal — evidence: `/etc/passwd` content, `.env` keys |
443
+ | `ssrf` | Server-side request forgery — evidence: AWS IMDS tokens, Redis/SSH banners, cloud metadata |
444
+ | `cmd` | OS command injection — evidence: `uid=0(root)` from `id`, `REDTEAM_CMD_CONFIRMED` sentinel |
445
+ | `sqli` | SQL injection — evidence: DB error messages (`ORA-`, `You have an error in your SQL syntax`) |
446
+ | `llm` | LLM instruction injection via tool result — evidence: sentinel string echoed in clean response |
447
+
448
+ **Intensity levels (`--intensity`):**
449
+
450
+ | Level | Payloads per technique | Use case |
451
+ |-------|----------------------|----------|
452
+ | `low` | 5 | Fast CI gate |
453
+ | `medium` | 15 | Standard engagement (default) |
454
+ | `high` | Full library (~20) | Thorough pentest |
455
+
456
+ **Finding severities:**
457
+
458
+ | Severity | Example |
459
+ |----------|---------|
460
+ | CRITICAL | Path traversal confirmed — `/etc/passwd` content in response |
461
+ | HIGH | LLM instruction injection — sentinel reflected in clean tool result |
462
+ | MEDIUM | Input reflected in error message (injection vector, lower confidence) |
463
+ | LOW | Unexpected content returned on malformed input |
464
+ | INFO | Auth enforced on handshake, tool inventory |
465
+
466
+ Every finding includes a **MITRE ATLAS** ID and **OWASP ASI** ID. Use `--verbose` to see full request/response bodies.
467
+
468
+ ---
469
+
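Review bot: "no heuristics, no noise" in the intro conflicts with the severities table in the same hunk, where MEDIUM is "Input reflected in error message (injection vector, lower confidence)" and LOW is "Unexpected content returned on malformed input"; either qualify the intro (CRITICAL/HIGH are evidence-backed, MEDIUM/LOW are indicators) or drop the absolute claim. Two smaller points: the `cmd` row lists `uid=0(root)` from `id` as evidence, so the docs should say plainly that this phase executes commands on the target; and the `--auth-header "Authorization: Bearer token"` example puts a credential in argv, where it lands in shell history and `ps` output, so offer an environment-variable or file alternative.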
373
470
  ## Finding suppression
374
471
 
375
472
  Use `--ignore-rule` to suppress findings by rule ID. Suppressed findings are excluded from `--fail-on` evaluation — they don't break CI gates.
@@ -397,11 +494,11 @@ Supported on: `sentinel scan`, `sentinel a2a`, `sentinel mcp scan`, `sentinel su
397
494
 
398
495
  | OWASP Risk | ID | sentinel coverage |
399
496
  |------------|-----|------------------|
400
- | Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01) |
401
- | Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan` |
402
- | Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED) |
403
- | **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis) |
404
- | Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL) |
497
+ | Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01), **`sentinel redteam mcp poison`** (confirmed injection) |
498
+ | Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan`, **`sentinel redteam mcp inject`** (confirmed exploitation) |
499
+ | Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED), **`sentinel redteam mcp auth`** (bypass confirmation) |
500
+ | **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis), **`sentinel redteam mcp poison`** (static description scan) |
501
+ | Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL), **`sentinel redteam mcp inject --type cmd`** |
405
502
  | **Memory & Context Poisoning** | **ASI06** | **`sentinel secrets`** (memory contamination, system prompt leakage), `sentinel host-scan` (HOST_LARGE_MEMORY) |
406
503
  | **Insecure Inter-Agent Communication** | **ASI07** | **`sentinel a2a`** (call graph + trust rules) |
407
504
  | Cascading Agent Failures | ASI08 | `sentinel discover` (surface unmonitored agents) |
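Review bot: "(bypass confirmation)" in the ASI03 row is ambiguous: it reads as either "confirms an auth bypass" or "bypasses a confirmation prompt", and the latter is exactly what `HOST_SHELL_UNRESTRICTED` in the same row describes. Use "confirmed auth bypass", matching the "confirmed injection" / "confirmed exploitation" wording in the ASI01 and ASI02 rows.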
@@ -442,6 +539,9 @@ jobs:
442
539
 
443
540
  - name: Host AI security posture
444
541
  run: sentinel host-scan --fail-on HIGH
542
+
543
+ - name: MCP red-team (active exploitation check)
544
+ run: sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
445
545
  ```
446
546
 
447
547
  Use `.sentinelignore` at the repo root to suppress accepted risks without weakening the gate:
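Review bot: the new step runs `sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL`, but nothing in the shown workflow starts a server on port 8000 in the job. Add the step (or a service container) that launches the server under test, and document the exit status when the target is unreachable: a connection error has to fail the job loudly rather than produce zero findings and let the CRITICAL gate pass.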
@@ -456,7 +556,7 @@ NO_AUTH # server is behind an authenticated reverse proxy
456
556
  ## Requirements
457
557
 
458
558
  - Python 3.10+
459
- - No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`
559
+ - No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`, `sentinel redteam mcp`
460
560
  - `ANTHROPIC_API_KEY` required for: `sentinel supply-chain --ai`, `sentinel inspect` (AI summary)
461
561
 
462
562
  ---
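Review bot: `sentinel redteam mcp` is added to the no-API-key list, but the redteam section above says it needs `httpx` via `pip install "agentsentinel-cli[mcp]"`. The Requirements list is where people look for install prerequisites, so note the `[mcp]` extra here too, and have the command print an actionable message when `httpx` is missing.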
@@ -25,7 +25,8 @@ pipx install agentsentinel-cli
25
25
  | `sentinel secrets` | Are credentials or PII exposed in these files? |
26
26
  | `sentinel inspect` | What framework, model, and role is this agent? |
27
27
  | `sentinel a2a` | Are multi-agent trust boundaries safe? |
28
- | `sentinel host-scan` | What is my local AI security posture? |
28
+ | `sentinel host-scan` | What is my local AI security posture across all AI tools? |
29
+ | `sentinel redteam mcp` | Can I actively exploit this MCP server? |
29
30
 
30
31
  ---
31
32
 
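Review bot: every other row in this table describes a read-only question about posture, while the new `sentinel redteam mcp` row ("Can I actively exploit this MCP server?") is the one command that sends payloads to a target. Mark it as active in the row itself, for example "active test, sends payloads", so the distinction is visible in the command overview and not only in the section far below.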
@@ -53,6 +54,11 @@ sentinel secrets ~/.claude/projects/ # scan Claude Code memory
53
54
  # Local AI security posture — no network calls
54
55
  sentinel host-scan
55
56
  sentinel host-scan --fail-on HIGH
57
+
58
+ # Active red-team — real attacks, confirmed exploitation
59
+ sentinel redteam mcp full http://localhost:8000
60
+ sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
61
+ sentinel redteam mcp auth http://localhost:8000
56
62
  ```
57
63
 
58
64
  ---
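Review bot: the quick-start block goes from "# Local AI security posture — no network calls" straight into commands that send exploit payloads over the network, and the only marker is the comment line. State in the comment what traffic is generated (HTTP to the given URL, payloads delivered through tool calls) and consider adding the `--fail-on CRITICAL` form here, since that is the variant the CI section later relies on.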
@@ -291,7 +297,9 @@ Covers **ASI07** (Insecure Inter-Agent Communication).
291
297
 
292
298
  ### `sentinel host-scan` — local AI security posture audit
293
299
 
294
- Audits your machine's AI security posture without any network calls. Reads Claude Code and Claude Desktop configurations, shell credential files, macOS privacy permissions (TCC), system security settings, and running AI processes.
300
+ Audits your machine's AI security posture without any network calls. Discovers and audits MCP server configurations across every major AI coding tool on the host — Claude Code, Claude Desktop, Cursor, Windsurf, Continue.dev, Gemini CLI, and VS Code — then checks shell credentials, macOS privacy permissions, system security settings, and running AI processes.
301
+
302
+ Works on macOS, Linux, and Windows. No API key required.
295
303
 
296
304
  ```bash
297
305
  sentinel host-scan
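Review bot: "No API key required" is stated here and again at the close of the section ("No API key required. No network calls." in the later hunk header), so one of them can go. More importantly, the config paths in the checks list are written as `~/.cursor/mcp.json`, `~/.continue/config.json` and so on; if the Windows support claimed in this sentence is real, say where those files are looked up on Windows (`%USERPROFILE%` equivalents or `%APPDATA%`), otherwise a Windows run silently audits nothing for those tools.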
@@ -301,9 +309,19 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
301
309
  ```
302
310
 
303
311
  **What it checks:**
304
- - **Claude Code** — `allowedTools` (Bash bypass), MCP server configs, shell hooks
312
+
313
+ *Anthropic tools*
314
+ - **Claude Code** — `allowedTools` (shell bypass), MCP server configs, shell hooks
305
315
  - **Claude Desktop** — MCP server configs
306
- - **Third-party AI tools** — Cursor (`~/.cursor/mcp.json`), Windsurf (`~/.codeium/windsurf/mcp_config.json`), Continue.dev (`~/.continue/config.json`), Gemini CLI (`~/.gemini/settings.json`), VS Code (`mcp.servers` in `settings.json`) — all MCP server configs audited with the same rules
316
+
317
+ *Third-party AI tools* — MCP server configs audited with the same exfiltration, broad-filesystem, sensitive-path, and sprawl rules as Claude tools
318
+ - **Cursor** — `~/.cursor/mcp.json`
319
+ - **Windsurf** — `~/.codeium/windsurf/mcp_config.json`
320
+ - **Continue.dev** — `~/.continue/config.json`
321
+ - **Gemini CLI** — `~/.gemini/settings.json`
322
+ - **VS Code** — `mcp.servers` in `settings.json` (MCP support added in VS Code 1.99)
323
+
324
+ *Host security*
307
325
  - **Shell configs** — hardcoded AI API keys in `.zshrc`, `.bashrc`, `.zprofile`, etc.
308
326
  - **macOS TCC permissions** — Full Disk Access, Screen Recording, Accessibility granted to AI apps
309
327
  - **macOS system security** — SIP, FileVault, Gatekeeper status
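Review bot: "(MCP support added in VS Code 1.99)" on the VS Code bullet explains why the key exists but not what the scanner does when it is absent: on an older VS Code, or one with no `mcp.servers` key, the tool should report "no MCP config found" rather than stay silent, since silence is indistinguishable from a clean result. The same applies to each of the five third-party paths; a short "not found" line per tool makes the audit's coverage auditable.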
@@ -317,15 +335,15 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
317
335
  | `HOST_SHELL_UNRESTRICTED` | CRITICAL | config | `Bash` in `allowedTools` — shell runs without confirmation prompt |
318
336
  | `HOST_SIP_DISABLED` | CRITICAL | system | macOS System Integrity Protection is off |
319
337
  | `HOST_API_KEY_IN_SHELL` | HIGH | data_exposure | AI API keys hardcoded in shell config files |
320
- | `HOST_MCP_EXFIL_PATH` | HIGH | config | MCP server has both filesystem access and network capability |
338
+ | `HOST_MCP_EXFIL_PATH` | HIGH | config | Any AI tool's MCP server has both filesystem access and network capability |
321
339
  | `HOST_FDA_AI_APP` | HIGH | permissions | Full Disk Access granted to an AI app or its terminal |
322
340
  | `HOST_SCREEN_RECORDING_AI` | HIGH | permissions | Screen Recording permission granted to an AI app |
323
341
  | `HOST_AI_PROCESS_EXPOSED` | HIGH | network | AI-related process listening on a non-localhost interface |
324
342
  | `HOST_FILEVAULT_OFF` | HIGH | system | FileVault disk encryption is disabled |
325
343
  | `HOST_ACCESSIBILITY_AI` | MEDIUM | permissions | Accessibility permission granted to an AI app |
326
344
  | `HOST_HOOKS_SHELL` | MEDIUM | config | Claude Code shell hooks that could interpolate AI output |
327
- | `HOST_MCP_BROAD_FS` | MEDIUM | config | MCP server configured with home-dir or root-level path |
328
- | `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
345
+ | `HOST_MCP_BROAD_FS` | MEDIUM | config | Any AI tool's MCP server configured with home-dir or root-level path |
346
+ | `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | Any AI tool's MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
329
347
  | `HOST_MANY_MCP_SERVERS` | MEDIUM | config | 8+ MCP servers across all detected AI tools — large prompt injection attack surface |
330
348
  | `HOST_GATEKEEPER_OFF` | MEDIUM | system | Gatekeeper disabled — unsigned binaries run without warning |
331
349
  | `HOST_LARGE_MEMORY` | LOW | data_exposure | Claude Code memory files exceed 50 MB of accumulated conversation data |
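Review bot: `HOST_MANY_MCP_SERVERS` keeps its "8+" threshold while its scope widens to "across all detected AI tools". The same MCP server is commonly configured in more than one client (the same filesystem server in Claude Desktop and Cursor, say), so document whether entries are de-duplicated by command or URL before counting; if not, a user with three clients and three servers each trips a MEDIUM finding for what is really three servers.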
@@ -336,6 +354,85 @@ No API key required. No network calls.
336
354
 
337
355
  ---
338
356
 
357
+ ### `sentinel redteam mcp` — active MCP server exploitation
358
+
359
+ The active red-team module for MCP servers. Every finding is backed by confirmed evidence from the server's actual response — no heuristics, no noise. If a traversal finding says it read `/etc/passwd`, it read `/etc/passwd`.
360
+
361
+ Requires `httpx`: `pip install "agentsentinel-cli[mcp]"`
362
+
363
+ ```bash
364
+ # Full run — all 5 phases, unified report
365
+ sentinel redteam mcp full http://localhost:8000
366
+ sentinel redteam mcp full http://localhost:8000 --intensity high --format json
367
+
368
+ # Targeted phases
369
+ sentinel redteam mcp recon http://localhost:8000 # enumerate attack surface
370
+ sentinel redteam mcp auth http://localhost:8000 # auth bypass (5 credential scenarios)
371
+ sentinel redteam mcp inject http://localhost:8000 # all injection techniques
372
+ sentinel redteam mcp poison http://localhost:8000 # tool description + result injection
373
+ sentinel redteam mcp fuzz http://localhost:8000 # schema and type boundary fuzzing
374
+
375
+ # Surgical injection — pick your techniques
376
+ sentinel redteam mcp inject http://localhost:8000 --type traverse
377
+ sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
378
+ sentinel redteam mcp inject http://localhost:8000 --type cmd --type sqli --intensity high
379
+
380
+ # With auth
381
+ sentinel redteam mcp full http://localhost:8000 \
382
+ --auth-header "Authorization: Bearer token"
383
+
384
+ # stdio transport (local MCP servers)
385
+ sentinel redteam mcp full --stdio "python my_mcp_server.py"
386
+
387
+ # CI gate — fail if any CRITICAL confirmed
388
+ sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
389
+
390
+ # Save report
391
+ sentinel redteam mcp full http://localhost:8000 --output report.json
392
+ ```
393
+
394
+ **Phases:**
395
+
396
+ | Phase | Command | What it tests |
397
+ |-------|---------|---------------|
398
+ | 1 — Recon | `recon` | Tool inventory, resource listing, dangerous capability flags |
399
+ | 2 — Auth Bypass | `auth` | 5 credential scenarios: no creds, empty bearer, garbage token, invalid JWT, JWT alg:none |
400
+ | 3 — Injection | `inject` | Path traversal, SSRF, command injection, SQL injection — payload fired, pattern matched in response |
401
+ | 4 — Poison | `poison` | Static: adversarial instructions in tool descriptions. Dynamic: LLM instruction injection via tool parameters |
402
+ | 5 — Fuzz | `fuzz` | Stack traces, internal path disclosure, template injection eval, type confusion |
403
+
404
+ **Injection techniques (`--type`):**
405
+
406
+ | Technique | What it confirms |
407
+ |-----------|-----------------|
408
+ | `traverse` | Arbitrary file read via path traversal — evidence: `/etc/passwd` content, `.env` keys |
409
+ | `ssrf` | Server-side request forgery — evidence: AWS IMDS tokens, Redis/SSH banners, cloud metadata |
410
+ | `cmd` | OS command injection — evidence: `uid=0(root)` from `id`, `REDTEAM_CMD_CONFIRMED` sentinel |
411
+ | `sqli` | SQL injection — evidence: DB error messages (`ORA-`, `You have an error in your SQL syntax`) |
412
+ | `llm` | LLM instruction injection via tool result — evidence: sentinel string echoed in clean response |
413
+
414
+ **Intensity levels (`--intensity`):**
415
+
416
+ | Level | Payloads per technique | Use case |
417
+ |-------|----------------------|----------|
418
+ | `low` | 5 | Fast CI gate |
419
+ | `medium` | 15 | Standard engagement (default) |
420
+ | `high` | Full library (~20) | Thorough pentest |
421
+
422
+ **Finding severities:**
423
+
424
+ | Severity | Example |
425
+ |----------|---------|
426
+ | CRITICAL | Path traversal confirmed — `/etc/passwd` content in response |
427
+ | HIGH | LLM instruction injection — sentinel reflected in clean tool result |
428
+ | MEDIUM | Input reflected in error message (injection vector, lower confidence) |
429
+ | LOW | Unexpected content returned on malformed input |
430
+ | INFO | Auth enforced on handshake, tool inventory |
431
+
432
+ Every finding includes a **MITRE ATLAS** ID and **OWASP ASI** ID. Use `--verbose` to see full request/response bodies.
433
+
434
+ ---
435
+
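Review bot: the phases table lists five auth scenarios including `JWT alg:none`, but the severities table gives no example for an auth finding other than INFO ("Auth enforced on handshake"). State what severity an accepted `alg:none` token or a no-credential handshake produces, since that is the finding a CI gate with `--fail-on CRITICAL` would need to catch. Separately, the `llm` technique's evidence is "sentinel string echoed in clean response"; say which string is used (the `cmd` row names `REDTEAM_CMD_CONFIRMED`) so blue teams can recognise scanner traffic in tool-call logs.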
339
436
  ## Finding suppression
340
437
 
341
438
  Use `--ignore-rule` to suppress findings by rule ID. Suppressed findings are excluded from `--fail-on` evaluation — they don't break CI gates.
@@ -363,11 +460,11 @@ Supported on: `sentinel scan`, `sentinel a2a`, `sentinel mcp scan`, `sentinel su
363
460
 
364
461
  | OWASP Risk | ID | sentinel coverage |
365
462
  |------------|-----|------------------|
366
- | Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01) |
367
- | Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan` |
368
- | Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED) |
369
- | **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis) |
370
- | Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL) |
463
+ | Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01), **`sentinel redteam mcp poison`** (confirmed injection) |
464
+ | Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan`, **`sentinel redteam mcp inject`** (confirmed exploitation) |
465
+ | Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED), **`sentinel redteam mcp auth`** (bypass confirmation) |
466
+ | **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis), **`sentinel redteam mcp poison`** (static description scan) |
467
+ | Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL), **`sentinel redteam mcp inject --type cmd`** |
371
468
  | **Memory & Context Poisoning** | **ASI06** | **`sentinel secrets`** (memory contamination, system prompt leakage), `sentinel host-scan` (HOST_LARGE_MEMORY) |
372
469
  | **Insecure Inter-Agent Communication** | **ASI07** | **`sentinel a2a`** (call graph + trust rules) |
373
470
  | Cascading Agent Failures | ASI08 | `sentinel discover` (surface unmonitored agents) |
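Review bot: the ASI05 row adds `sentinel redteam mcp inject --type cmd` without the parenthetical every other new entry carries; use "(confirmed command execution)" for consistency. Also, the `fuzz` phase (stack traces, internal path disclosure, template injection) is the only redteam phase not mapped to any ASI row here; if it belongs under ASI02 or ASI05, say so, otherwise readers will assume it is outside the OWASP mapping.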
@@ -408,6 +505,9 @@ jobs:
408
505
 
409
506
  - name: Host AI security posture
410
507
  run: sentinel host-scan --fail-on HIGH
508
+
509
+ - name: MCP red-team (active exploitation check)
510
+ run: sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
411
511
  ```
412
512
 
413
513
  Use `.sentinelignore` at the repo root to suppress accepted risks without weakening the gate:
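Review bot: running the `full` phase in a GitHub job means the `cmd` and `ssrf` techniques execute `id` and outbound fetches on whatever answers at `localhost:8000`. If that server is started on the runner itself, the evidence line `uid=0(root)` would come from the runner; start the server under test as a service container or in a separate process with dropped privileges, and say so in the example, so the exploitation check cannot reach the runner's own secrets.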
@@ -422,7 +522,7 @@ NO_AUTH # server is behind an authenticated reverse proxy
422
522
  ## Requirements
423
523
 
424
524
  - Python 3.10+
425
- - No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`
525
+ - No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`, `sentinel redteam mcp`
426
526
  - `ANTHROPIC_API_KEY` required for: `sentinel supply-chain --ai`, `sentinel inspect` (AI summary)
427
527
 
428
528
  ---
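Review bot: the phases table describes `poison` as "LLM instruction injection via tool parameters", which a reader may take to mean the scanner drives a model and therefore needs `ANTHROPIC_API_KEY`. Since the techniques table says the evidence is a sentinel string echoed back, add a short clause here that `sentinel redteam mcp` uses no model at all, to match its placement in the no-API-key list.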