Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Sentinel

БесплатноНе проверен

Runtime call-chain anomaly monitor for MCP servers that detects emergent attacks and rug-pull patterns by analyzing sequences of tool calls across sessions.

GitHubEmbed

Описание

Runtime call-chain anomaly monitor for MCP servers that detects emergent attacks and rug-pull patterns by analyzing sequences of tool calls across sessions.

README

Runtime call-chain anomaly monitor for MCP servers. Sentinel watches what an MCP server actually does across a whole agent session — not just what a single tool definition says — and catches the emergent attacks that static scanners miss.

CI License: MIT Python 3.11+

Why this exists

There are already a dozen MCP static scanners — they read a server's tool definitions once and flag injection strings. But the real damage in agentic systems is emergent across calls: read a secret → POST it to a URL → delete the log. Each call looks fine alone. No open-source tool sequences the calls and flags the pattern. Sentinel does.

It also closes the rug-pull gap: a server passes review, then silently mutates its tool descriptions after install so the agent re-reads poisoned instructions next session. Sentinel cryptographically pins every tool definition and flags any post-approval change.

static scanners Sentinel
Scan tool definitions
Cryptographic pin + rug-pull / drift detection
Call-chain behavioural anomaly detection
A–F grade per server some
Ships as an MCP server (agent can self-audit) rare
GitHub Action / CI gate some

Install

pip install mcp-sentinel          # zero-dependency core (CLI)
pip install "mcp-sentinel[server]"  # + the MCP-server entrypoint

Use

1. Pin a server's tools, then detect rug-pulls

sentinel pin examples/tools.json --lock sentinel.lock   # trust on first use
sentinel verify examples/tools.json --lock sentinel.lock # later sessions
# DRIFT [mutated] get_weather   *** RUG-PULL SUSPECT ***   (exit 1)

2. Analyze a recorded call-chain

sentinel analyze examples/chain_exfil.json
# [HIGH  ] SENT001  Data read by 'read_file' (seq 0) flows into network tool 'http_post' (seq 1) - possible exfiltration.
# [HIGH  ] SENT002  Destructive tool 'delete_file' (seq 2) runs after read 'read_file' (seq 0) across a server boundary - read-then-destroy pattern.

3. Grade it (CI gate — exit 0 for A/B, 1 otherwise)

sentinel grade examples/chain_exfil.json
# GRADE D  (50/100)  findings=2 drifts=0   (exit 1)

4. Transparent proxy — record a live session automatically

Wrap any MCP server. Sentinel spawns it, relays stdio faithfully (the client and server don't know it's there), and records the real session — no manual JSON:

sentinel proxy --lock sentinel.lock --report report.json -- npx -y @some/mcp-server

Point your MCP client at sentinel proxy -- <server cmd> instead of the server directly. On shutdown it writes a graded JSON report and prints a summary to stderr; tool-definition drift is flagged the moment tools/list comes back — the runtime rug-pull catch, before the agent uses the tools.

5. Statically scan a server's manifest (no execution)

Audit a server's published tool definitions for prompt-injection / tool-poisoning without ever running it — the safe way to vet untrusted servers at scale:

sentinel scan manifest.json
# GRADE D  (50/100)  2 finding(s)
#   [HIGH  ] MCPP002  Tool 'add' description contains prompt-injection / override language.

Pull real manifests from a registry and scan them:

# Smithery serves real tool definitions (free key: smithery.ai/account/api-keys)
export SMITHERY_API_KEY=...
python fieldtest/fetch.py --source smithery --limit 200 --out fieldtest/servers.smithery.json
python fieldtest/run.py fieldtest/servers.smithery.json   # -> fieldtest/FINDINGS.md

# Glama is public but returns empty tools[] for most servers (verified June 2026)
python fieldtest/fetch.py --source glama --limit 200 --out fieldtest/servers.glama.json

Servers are never executed — the fetcher and scanner read published manifest JSON only, so this is safe to run across thousands of untrusted servers.

Field test: 183 live servers, naive scanners flag 401, we flag 0

I scanned 183 live public MCP servers (Smithery, 3,171 tool definitions). A keyword-style scanner — the common approach — flagged 32 servers with 401 findings. Every one was a false positive: password managers say "password," crypto tools say "token," prompt-engineering tools literally discuss "prompt injection." After tightening the rules from vocabulary to attack-patterns (and deleting two rules that proved unreliable on real data), the same 183 servers produced zero findings.

Detector (same 183 servers) Servers flagged Findings
Keyword rules (grep for scary words) 32 401 — all false positives
Attack-pattern rules (mcp-sentinel) 0 0

The takeaway — in agent security, false-positive discipline is the whole game; a detector that cries wolf 401 times trains everyone to ignore it — is itself the result. Full method, caveats, and reproduction: fieldtest/WRITEUP.md.

6. GitHub Action — one-line CI gate

# .github/workflows/sentinel.yml
- uses: Zuga-luga/[email protected]
  with:
    tools: examples/tools.json        # rug-pull check (pins on first run)
    chain: examples/chain_exfil.json  # grade the recorded session

Fails the build on tool-definition drift or grade C-or-below, and writes the grade to the job summary. See examples/workflow.yml.

7. As an MCP server (agents self-audit)

sentinel-mcp     # exposes analyze_chain, check_drift, grade_server

Built-in anomaly rules

ID Pattern Severity
SENT001 read-then-exfiltrate — read output flows into a later network call HIGH
SENT002 destructive-after-read — irreversible delete/overwrite following a read (HIGH across a server boundary) HIGH / MED
SENT003 repetition-loop — identical tool+args fired repeatedly (runaway agent) MED

Rules are plain functions (CallChain) -> list[Finding]; add your own by passing them to AnomalyEngine(rules=[...]).

Benchmark — measured, not claimed

Security tools live or die on data. Sentinel ships a labeled corpus (benchmark/dataset.py, 122 scenarios: attacks, benign, and evasion) and an evaluation harness (benchmark/run.py) that reports precision / recall / F1 / false-positive-rate. Run it yourself: python benchmark/run.py.

Metric Value
Precision 1.000
Recall 0.902
F1 0.948
False-positive rate 0.000
Latency p95 < 0.02 ms / scenario

Recall is deliberately not 1.0: the corpus includes a XOR-obfuscated exfiltration class that the current heuristics cannot see, and the harness reports it as a miss rather than hiding it. That recall ceiling is the roadmap. The rule improvements that took precision 0.887→1.000 and recall 0.855→0.902 (base64-aware data-flow; suppressing legitimate in-place file edits) were both driven by failures this benchmark surfaced. Full report: benchmark/RESULTS.md.

Design

agent ──calls──> [ Sentinel ] ──forwards──> target MCP server
                     │
                     ├─ pin tool defs on first connect (sentinel.lock)
                     ├─ record every call into a CallChain
                     └─ run anomaly rules + grade

Capability tags (read / write / network / destructive) drive the rules. They come from MCP tool annotations (readOnlyHint, destructiveHint) and fall back to name/description heuristics when a server omits them — which most do.

Status

v0.4 — pinning, three call-chain anomaly rules, the static manifest scanner, grading, CLI, MCP-server interface, transparent stdio proxy, GitHub Action, an empirical benchmark, and a field-test harness are all implemented and tested (26 tests, CI-gated metrics).

Roadmap: defeat the XOR/encryption exfil evasion class (entropy + length heuristics), cross-server data-pivot and privilege-escalation rules, SARIF output, and PyPI publish.

License

MIT © Antonio Delgado

from github.com/Zuga-luga/mcp-sentinel

Установка Sentinel

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/Zuga-luga/mcp-sentinel

FAQ

Sentinel MCP бесплатный?

Да, Sentinel MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Sentinel?

Нет, Sentinel работает без API-ключей и переменных окружения.

Sentinel — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить Sentinel в Claude Desktop, Claude Code или Cursor?

Открой Sentinel на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Sentinel with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development