agentsentinel-cli 0.9.3__tar.gz → 0.9.4__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43)
  1. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/PKG-INFO +95 -7
  2. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/README.md +94 -6
  3. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/cli.py +13 -0
  4. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/transport.py +6 -0
  5. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/pyproject.toml +1 -1
  6. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/.gitignore +0 -0
  7. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/DOCUMENTATION.md +0 -0
  8. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/LICENSE +0 -0
  9. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/__init__.py +0 -0
  10. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_report.py +0 -0
  11. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_rules.py +0 -0
  12. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/a2a_scanner.py +0 -0
  13. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/discover.py +0 -0
  14. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/discover_report.py +0 -0
  15. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/fingerprint.py +0 -0
  16. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/frameworks.py +0 -0
  17. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_report.py +0 -0
  18. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_rules.py +0 -0
  19. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/host_scanner.py +0 -0
  20. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/inspect.py +0 -0
  21. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/inspect_report.py +0 -0
  22. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_client.py +0 -0
  23. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_report.py +0 -0
  24. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/mcp_rules.py +0 -0
  25. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/__init__.py +0 -0
  26. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/mcp_auth.py +0 -0
  27. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/mcp_fuzz.py +0 -0
  28. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/mcp_inject.py +0 -0
  29. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/mcp_poison.py +0 -0
  30. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/mcp_recon.py +0 -0
  31. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/models.py +0 -0
  32. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/payloads.py +0 -0
  33. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/redteam/report.py +0 -0
  34. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/report.py +0 -0
  35. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/rules.py +0 -0
  36. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/scanner.py +0 -0
  37. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets.py +0 -0
  38. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets_report.py +0 -0
  39. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/secrets_rules.py +0 -0
  40. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_ai.py +0 -0
  41. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_report.py +0 -0
  42. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/supply_chain_rules.py +0 -0
  43. {agentsentinel_cli-0.9.3 → agentsentinel_cli-0.9.4}/agentsentinel_cli/suppress.py +0 -0
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: agentsentinel-cli
3
- Version: 0.9.3
3
+ Version: 0.9.4
4
4
  Summary: AI agent and MCP server security scanner — discovery, static analysis, supply chain audit, and multi-agent trust analysis
5
5
  Project-URL: Homepage, https://github.com/jaydenaung/agentsentinel-cli
6
6
  Project-URL: Repository, https://github.com/jaydenaung/agentsentinel-cli
@@ -60,6 +60,7 @@ pipx install agentsentinel-cli
60
60
  | `sentinel inspect` | What framework, model, and role is this agent? |
61
61
  | `sentinel a2a` | Are multi-agent trust boundaries safe? |
62
62
  | `sentinel host-scan` | What is my local AI security posture across all AI tools? |
63
+ | `sentinel redteam mcp` | Can I actively exploit this MCP server? |
63
64
 
64
65
  ---
65
66
 
@@ -87,6 +88,11 @@ sentinel secrets ~/.claude/projects/ # scan Claude Code memory
87
88
  # Local AI security posture — no network calls
88
89
  sentinel host-scan
89
90
  sentinel host-scan --fail-on HIGH
91
+
92
+ # Active red-team — real attacks, confirmed exploitation
93
+ sentinel redteam mcp full http://localhost:8000
94
+ sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
95
+ sentinel redteam mcp auth http://localhost:8000
90
96
  ```
91
97
 
92
98
  ---
@@ -382,6 +388,85 @@ No API key required. No network calls.
382
388
 
383
389
  ---
384
390
 
391
+ ### `sentinel redteam mcp` — active MCP server exploitation
392
+
393
+ The active red-team module for MCP servers. Every finding is backed by confirmed evidence from the server's actual response — no heuristics, no noise. If a traversal finding says it read `/etc/passwd`, it read `/etc/passwd`.
394
+
395
+ Requires `httpx`: `pip install "agentsentinel-cli[mcp]"`
396
+
397
+ ```bash
398
+ # Full run — all 5 phases, unified report
399
+ sentinel redteam mcp full http://localhost:8000
400
+ sentinel redteam mcp full http://localhost:8000 --intensity high --format json
401
+
402
+ # Targeted phases
403
+ sentinel redteam mcp recon http://localhost:8000 # enumerate attack surface
404
+ sentinel redteam mcp auth http://localhost:8000 # auth bypass (5 credential scenarios)
405
+ sentinel redteam mcp inject http://localhost:8000 # all injection techniques
406
+ sentinel redteam mcp poison http://localhost:8000 # tool description + result injection
407
+ sentinel redteam mcp fuzz http://localhost:8000 # schema and type boundary fuzzing
408
+
409
+ # Surgical injection — pick your techniques
410
+ sentinel redteam mcp inject http://localhost:8000 --type traverse
411
+ sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
412
+ sentinel redteam mcp inject http://localhost:8000 --type cmd --type sqli --intensity high
413
+
414
+ # With auth
415
+ sentinel redteam mcp full http://localhost:8000 \
416
+ --auth-header "Authorization: Bearer token"
417
+
418
+ # stdio transport (local MCP servers)
419
+ sentinel redteam mcp full --stdio "python my_mcp_server.py"
420
+
421
+ # CI gate — fail if any CRITICAL confirmed
422
+ sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
423
+
424
+ # Save report
425
+ sentinel redteam mcp full http://localhost:8000 --output report.json
426
+ ```
427
+
428
+ **Phases:**
429
+
430
+ | Phase | Command | What it tests |
431
+ |-------|---------|---------------|
432
+ | 1 — Recon | `recon` | Tool inventory, resource listing, dangerous capability flags |
433
+ | 2 — Auth Bypass | `auth` | 5 credential scenarios: no creds, empty bearer, garbage token, invalid JWT, JWT alg:none |
434
+ | 3 — Injection | `inject` | Path traversal, SSRF, command injection, SQL injection — payload fired, pattern matched in response |
435
+ | 4 — Poison | `poison` | Static: adversarial instructions in tool descriptions. Dynamic: LLM instruction injection via tool parameters |
436
+ | 5 — Fuzz | `fuzz` | Stack traces, internal path disclosure, template injection eval, type confusion |
437
+
438
+ **Injection techniques (`--type`):**
439
+
440
+ | Technique | What it confirms |
441
+ |-----------|-----------------|
442
+ | `traverse` | Arbitrary file read via path traversal — evidence: `/etc/passwd` content, `.env` keys |
443
+ | `ssrf` | Server-side request forgery — evidence: AWS IMDS tokens, Redis/SSH banners, cloud metadata |
444
+ | `cmd` | OS command injection — evidence: `uid=0(root)` from `id`, `REDTEAM_CMD_CONFIRMED` sentinel |
445
+ | `sqli` | SQL injection — evidence: DB error messages (`ORA-`, `You have an error in your SQL syntax`) |
446
+ | `llm` | LLM instruction injection via tool result — evidence: sentinel string echoed in clean response |
447
+
448
+ **Intensity levels (`--intensity`):**
449
+
450
+ | Level | Payloads per technique | Use case |
451
+ |-------|----------------------|----------|
452
+ | `low` | 5 | Fast CI gate |
453
+ | `medium` | 15 | Standard engagement (default) |
454
+ | `high` | Full library (~20) | Thorough pentest |
455
+
456
+ **Finding severities:**
457
+
458
+ | Severity | Example |
459
+ |----------|---------|
460
+ | CRITICAL | Path traversal confirmed — `/etc/passwd` content in response |
461
+ | HIGH | LLM instruction injection — sentinel reflected in clean tool result |
462
+ | MEDIUM | Input reflected in error message (injection vector, lower confidence) |
463
+ | LOW | Unexpected content returned on malformed input |
464
+ | INFO | Auth enforced on handshake, tool inventory |
465
+
466
+ Every finding includes a **MITRE ATLAS** ID and **OWASP ASI** ID. Use `--verbose` to see full request/response bodies.
467
+
468
+ ---
469
+
385
470
  ## Finding suppression
386
471
 
387
472
  Use `--ignore-rule` to suppress findings by rule ID. Suppressed findings are excluded from `--fail-on` evaluation — they don't break CI gates.
@@ -409,11 +494,11 @@ Supported on: `sentinel scan`, `sentinel a2a`, `sentinel mcp scan`, `sentinel su
409
494
 
410
495
  | OWASP Risk | ID | sentinel coverage |
411
496
  |------------|-----|------------------|
412
- | Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01) |
413
- | Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan` |
414
- | Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED) |
415
- | **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis) |
416
- | Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL) |
497
+ | Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01), **`sentinel redteam mcp poison`** (confirmed injection) |
498
+ | Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan`, **`sentinel redteam mcp inject`** (confirmed exploitation) |
499
+ | Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED), **`sentinel redteam mcp auth`** (bypass confirmation) |
500
+ | **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis), **`sentinel redteam mcp poison`** (static description scan) |
501
+ | Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL), **`sentinel redteam mcp inject --type cmd`** |
417
502
  | **Memory & Context Poisoning** | **ASI06** | **`sentinel secrets`** (memory contamination, system prompt leakage), `sentinel host-scan` (HOST_LARGE_MEMORY) |
418
503
  | **Insecure Inter-Agent Communication** | **ASI07** | **`sentinel a2a`** (call graph + trust rules) |
419
504
  | Cascading Agent Failures | ASI08 | `sentinel discover` (surface unmonitored agents) |
@@ -454,6 +539,9 @@ jobs:
454
539
 
455
540
  - name: Host AI security posture
456
541
  run: sentinel host-scan --fail-on HIGH
542
+
543
+ - name: MCP red-team (active exploitation check)
544
+ run: sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
457
545
  ```
458
546
 
459
547
  Use `.sentinelignore` at the repo root to suppress accepted risks without weakening the gate:
@@ -468,7 +556,7 @@ NO_AUTH # server is behind an authenticated reverse proxy
468
556
  ## Requirements
469
557
 
470
558
  - Python 3.10+
471
- - No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`
559
+ - No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`, `sentinel redteam mcp`
472
560
  - `ANTHROPIC_API_KEY` required for: `sentinel supply-chain --ai`, `sentinel inspect` (AI summary)
473
561
 
474
562
  ---
@@ -26,6 +26,7 @@ pipx install agentsentinel-cli
26
26
  | `sentinel inspect` | What framework, model, and role is this agent? |
27
27
  | `sentinel a2a` | Are multi-agent trust boundaries safe? |
28
28
  | `sentinel host-scan` | What is my local AI security posture across all AI tools? |
29
+ | `sentinel redteam mcp` | Can I actively exploit this MCP server? |
29
30
 
30
31
  ---
31
32
 
@@ -53,6 +54,11 @@ sentinel secrets ~/.claude/projects/ # scan Claude Code memory
53
54
  # Local AI security posture — no network calls
54
55
  sentinel host-scan
55
56
  sentinel host-scan --fail-on HIGH
57
+
58
+ # Active red-team — real attacks, confirmed exploitation
59
+ sentinel redteam mcp full http://localhost:8000
60
+ sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
61
+ sentinel redteam mcp auth http://localhost:8000
56
62
  ```
57
63
 
58
64
  ---
@@ -348,6 +354,85 @@ No API key required. No network calls.
348
354
 
349
355
  ---
350
356
 
357
+ ### `sentinel redteam mcp` — active MCP server exploitation
358
+
359
+ The active red-team module for MCP servers. Every finding is backed by confirmed evidence from the server's actual response — no heuristics, no noise. If a traversal finding says it read `/etc/passwd`, it read `/etc/passwd`.
360
+
361
+ Requires `httpx`: `pip install "agentsentinel-cli[mcp]"`
362
+
363
+ ```bash
364
+ # Full run — all 5 phases, unified report
365
+ sentinel redteam mcp full http://localhost:8000
366
+ sentinel redteam mcp full http://localhost:8000 --intensity high --format json
367
+
368
+ # Targeted phases
369
+ sentinel redteam mcp recon http://localhost:8000 # enumerate attack surface
370
+ sentinel redteam mcp auth http://localhost:8000 # auth bypass (5 credential scenarios)
371
+ sentinel redteam mcp inject http://localhost:8000 # all injection techniques
372
+ sentinel redteam mcp poison http://localhost:8000 # tool description + result injection
373
+ sentinel redteam mcp fuzz http://localhost:8000 # schema and type boundary fuzzing
374
+
375
+ # Surgical injection — pick your techniques
376
+ sentinel redteam mcp inject http://localhost:8000 --type traverse
377
+ sentinel redteam mcp inject http://localhost:8000 --type traverse --type ssrf
378
+ sentinel redteam mcp inject http://localhost:8000 --type cmd --type sqli --intensity high
379
+
380
+ # With auth
381
+ sentinel redteam mcp full http://localhost:8000 \
382
+ --auth-header "Authorization: Bearer token"
383
+
384
+ # stdio transport (local MCP servers)
385
+ sentinel redteam mcp full --stdio "python my_mcp_server.py"
386
+
387
+ # CI gate — fail if any CRITICAL confirmed
388
+ sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
389
+
390
+ # Save report
391
+ sentinel redteam mcp full http://localhost:8000 --output report.json
392
+ ```
393
+
394
+ **Phases:**
395
+
396
+ | Phase | Command | What it tests |
397
+ |-------|---------|---------------|
398
+ | 1 — Recon | `recon` | Tool inventory, resource listing, dangerous capability flags |
399
+ | 2 — Auth Bypass | `auth` | 5 credential scenarios: no creds, empty bearer, garbage token, invalid JWT, JWT alg:none |
400
+ | 3 — Injection | `inject` | Path traversal, SSRF, command injection, SQL injection — payload fired, pattern matched in response |
401
+ | 4 — Poison | `poison` | Static: adversarial instructions in tool descriptions. Dynamic: LLM instruction injection via tool parameters |
402
+ | 5 — Fuzz | `fuzz` | Stack traces, internal path disclosure, template injection eval, type confusion |
403
+
404
+ **Injection techniques (`--type`):**
405
+
406
+ | Technique | What it confirms |
407
+ |-----------|-----------------|
408
+ | `traverse` | Arbitrary file read via path traversal — evidence: `/etc/passwd` content, `.env` keys |
409
+ | `ssrf` | Server-side request forgery — evidence: AWS IMDS tokens, Redis/SSH banners, cloud metadata |
410
+ | `cmd` | OS command injection — evidence: `uid=0(root)` from `id`, `REDTEAM_CMD_CONFIRMED` sentinel |
411
+ | `sqli` | SQL injection — evidence: DB error messages (`ORA-`, `You have an error in your SQL syntax`) |
412
+ | `llm` | LLM instruction injection via tool result — evidence: sentinel string echoed in clean response |
413
+
414
+ **Intensity levels (`--intensity`):**
415
+
416
+ | Level | Payloads per technique | Use case |
417
+ |-------|----------------------|----------|
418
+ | `low` | 5 | Fast CI gate |
419
+ | `medium` | 15 | Standard engagement (default) |
420
+ | `high` | Full library (~20) | Thorough pentest |
421
+
422
+ **Finding severities:**
423
+
424
+ | Severity | Example |
425
+ |----------|---------|
426
+ | CRITICAL | Path traversal confirmed — `/etc/passwd` content in response |
427
+ | HIGH | LLM instruction injection — sentinel reflected in clean tool result |
428
+ | MEDIUM | Input reflected in error message (injection vector, lower confidence) |
429
+ | LOW | Unexpected content returned on malformed input |
430
+ | INFO | Auth enforced on handshake, tool inventory |
431
+
432
+ Every finding includes a **MITRE ATLAS** ID and **OWASP ASI** ID. Use `--verbose` to see full request/response bodies.
433
+
434
+ ---
435
+
351
436
  ## Finding suppression
352
437
 
353
438
  Use `--ignore-rule` to suppress findings by rule ID. Suppressed findings are excluded from `--fail-on` evaluation — they don't break CI gates.
@@ -375,11 +460,11 @@ Supported on: `sentinel scan`, `sentinel a2a`, `sentinel mcp scan`, `sentinel su
375
460
 
376
461
  | OWASP Risk | ID | sentinel coverage |
377
462
  |------------|-----|------------------|
378
- | Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01) |
379
- | Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan` |
380
- | Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED) |
381
- | **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis) |
382
- | Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL) |
463
+ | Agent Goal Hijack | ASI01 | `sentinel scan` (PROMPT_INJECTION_VECTOR), `sentinel supply-chain` (SC01), **`sentinel redteam mcp poison`** (confirmed injection) |
464
+ | Tool Misuse & Exploitation | ASI02 | `sentinel mcp scan`, `sentinel scan`, **`sentinel redteam mcp inject`** (confirmed exploitation) |
465
+ | Agent Identity & Privilege Abuse | ASI03 | `sentinel scan` (PRIVILEGE_EXCESS), `sentinel host-scan` (HOST_SHELL_UNRESTRICTED), **`sentinel redteam mcp auth`** (bypass confirmation) |
466
+ | **Agentic Supply Chain Compromise** | **ASI04** | **`sentinel supply-chain`** (static + AI semantic analysis), **`sentinel redteam mcp poison`** (static description scan) |
467
+ | Unexpected Code Execution | ASI05 | `sentinel scan` (CODE_EXECUTION_GRANT), `sentinel mcp scan` (CODE_EXECUTION_TOOL), **`sentinel redteam mcp inject --type cmd`** |
383
468
  | **Memory & Context Poisoning** | **ASI06** | **`sentinel secrets`** (memory contamination, system prompt leakage), `sentinel host-scan` (HOST_LARGE_MEMORY) |
384
469
  | **Insecure Inter-Agent Communication** | **ASI07** | **`sentinel a2a`** (call graph + trust rules) |
385
470
  | Cascading Agent Failures | ASI08 | `sentinel discover` (surface unmonitored agents) |
@@ -420,6 +505,9 @@ jobs:
420
505
 
421
506
  - name: Host AI security posture
422
507
  run: sentinel host-scan --fail-on HIGH
508
+
509
+ - name: MCP red-team (active exploitation check)
510
+ run: sentinel redteam mcp full http://localhost:8000 --fail-on CRITICAL
423
511
  ```
424
512
 
425
513
  Use `.sentinelignore` at the repo root to suppress accepted risks without weakening the gate:
@@ -434,7 +522,7 @@ NO_AUTH # server is behind an authenticated reverse proxy
434
522
  ## Requirements
435
523
 
436
524
  - Python 3.10+
437
- - No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`
525
+ - No API key required for: `sentinel discover`, `sentinel mcp scan`, `sentinel supply-chain`, `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel a2a`, `sentinel host-scan`, `sentinel redteam mcp`
438
526
  - `ANTHROPIC_API_KEY` required for: `sentinel supply-chain --ai`, `sentinel inspect` (AI summary)
439
527
 
440
528
  ---
@@ -1064,6 +1064,13 @@ def _require_target(target: str | None, stdio_cmd: str | None) -> None:
1064
1064
  sys.exit(1)
1065
1065
 
1066
1066
 
1067
+ def _normalize_url(url: str | None) -> str | None:
1068
+ """Prepend http:// to bare host:port inputs (e.g. 127.0.0.1:8000 → http://127.0.0.1:8000)."""
1069
+ if url and not url.startswith(("http://", "https://")):
1070
+ return f"http://{url}"
1071
+ return url
1072
+
1073
+
1067
1074
  def _check_exit(findings: list, fail_on: str | None) -> None:
1068
1075
  if not fail_on:
1069
1076
  return
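Review bot: `_normalize_url` prepends `http://` to anything that does not already start with `http://` or `https://`, so an input carrying another scheme or an upper-case one (`HTTPS://host:8000`) is rewritten to `http://HTTPS://host:8000` instead of being rejected, and because the result now starts with `http://` it also passes the scheme guard added in `transport.py`. Testing for the separator matches the docstring's "bare host:port" intent and leaves other schemes for the transport layer to report: `if url and "://" not in url:`. Defaulting to plaintext also means a token given via `--auth-header` is sent in cleartext whenever the operator omits the scheme; printing a one-line notice when the prefix is added, or defaulting to `https://` for non-loopback hosts, would make that choice visible. `_require_target` above and `_check_exit` below both extend outside the hunk.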
@@ -1116,6 +1123,7 @@ def redteam_mcp_recon(
1116
1123
  from agentsentinel_cli.mcp_client import McpAuthRequired, McpError
1117
1124
 
1118
1125
  _require_target(target, stdio_cmd)
1126
+ target = _normalize_url(target)
1119
1127
  headers = _parse_auth_header(auth_header)
1120
1128
  display = stdio_cmd or target
1121
1129
 
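Review bot: The line `target = _normalize_url(target)` is added verbatim to six command bodies — here and in `redteam_mcp_auth`, `redteam_mcp_inject`, `redteam_mcp_poison`, `redteam_mcp_fuzz` and `redteam_mcp_full` — each directly after `_require_target(target, stdio_cmd)`, so a command added later can silently miss the step and fall through to the transport error instead. Folding the normalization into that guard (for example having `_require_target` return the normalized target) would keep the two steps together, at the cost of changing the helper's `None` return. A short comment at the first call site, `# bare host:port is accepted; scheme is filled in before headers are built`, would at least explain the ordering. The enclosing `redteam_mcp_recon` begins and ends outside the hunk.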
@@ -1183,6 +1191,7 @@ def redteam_mcp_auth(
1183
1191
  from agentsentinel_cli.mcp_client import McpAuthRequired, McpError
1184
1192
 
1185
1193
  _require_target(target, stdio_cmd)
1194
+ target = _normalize_url(target)
1186
1195
  headers = _parse_auth_header(auth_header)
1187
1196
  display = stdio_cmd or target
1188
1197
 
@@ -1283,6 +1292,7 @@ def redteam_mcp_inject(
1283
1292
  from agentsentinel_cli.mcp_client import McpAuthRequired, McpError
1284
1293
 
1285
1294
  _require_target(target, stdio_cmd)
1295
+ target = _normalize_url(target)
1286
1296
  headers = _parse_auth_header(auth_header)
1287
1297
  display = stdio_cmd or target
1288
1298
 
@@ -1355,6 +1365,7 @@ def redteam_mcp_poison(
1355
1365
  from agentsentinel_cli.mcp_client import McpAuthRequired, McpError
1356
1366
 
1357
1367
  _require_target(target, stdio_cmd)
1368
+ target = _normalize_url(target)
1358
1369
  headers = _parse_auth_header(auth_header)
1359
1370
  display = stdio_cmd or target
1360
1371
 
@@ -1423,6 +1434,7 @@ def redteam_mcp_fuzz(
1423
1434
  from agentsentinel_cli.mcp_client import McpAuthRequired, McpError
1424
1435
 
1425
1436
  _require_target(target, stdio_cmd)
1437
+ target = _normalize_url(target)
1426
1438
  headers = _parse_auth_header(auth_header)
1427
1439
  display = stdio_cmd or target
1428
1440
 
@@ -1506,6 +1518,7 @@ def redteam_mcp_full(
1506
1518
  from rich.progress import Progress, SpinnerColumn, TextColumn, TimeElapsedColumn
1507
1519
 
1508
1520
  _require_target(target, stdio_cmd)
1521
+ target = _normalize_url(target)
1509
1522
  headers = _parse_auth_header(auth_header)
1510
1523
  display = stdio_cmd or target
1511
1524
 
@@ -122,6 +122,12 @@ class RedTeamSession:
122
122
  except ImportError:
123
123
  raise McpError("httpx required: pip install 'agentsentinel-cli[mcp]'")
124
124
 
125
+ if self._url and not self._url.startswith(("http://", "https://")):
126
+ raise McpError(
127
+ f"Invalid URL '{self._url}' — missing protocol. "
128
+ f"Try: http://{self._url}"
129
+ )
130
+
125
131
  base = self._url.rstrip("/")
126
132
  headers: dict = {
127
133
  "Content-Type": "application/json",
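Review bot: The new guard compares `self._url` case-sensitively against `http://`/`https://`, so `HTTP://host:8000` is rejected and the message proposes `http://HTTP://host:8000`; any other scheme gets the same misleading suggestion. Distinguishing a missing separator from an unrecognised scheme gives accurate messages: `scheme = self._url.split("://", 1)[0].lower() if "://" in self._url else ""`, raising the existing "missing protocol" error only when `scheme` is empty and a separate "unsupported scheme" error otherwise. The guard also sits after the `httpx` import attempt, so a malformed URL is only reported when `httpx` is installed; placing it before the `try` would report it regardless. The enclosing method of `RedTeamSession` starts and ends outside the hunk.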
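--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "agentsentinel-cli"
-version = "0.9.3"
+version = "0.9.4"
 description = "AI agent and MCP server security scanner — discovery, static analysis, supply chain audit, and multi-agent trust analysis"
 readme = "README.md"
 requires-python = ">=3.10"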