The Shrike Security MCP Server provides real-time, multi-stage security scanning for AI agents, protecting against prompt injection, jailbreaks, PII leaks, SQL injection, path traversal, command injection, and data exfiltration.
scan_prompt – Scan user/system prompts for injection attacks, jailbreaks, PII, and toxicity before LLM processing; supports client-side PII redaction with tokenization for later rehydration.
scan_response – Scan LLM-generated responses for system prompt leaks, unexpected PII, toxic language, topic drift, and policy violations before returning them to users; supports PII rehydration via tokens.
scan_sql_query – Scan SQL queries before execution for injection patterns (UNION, tautologies, blind injection), destructive operations (DROP, TRUNCATE), privilege escalation, and PII extraction.
scan_file_write – Scan file write operations for path traversal, sensitive file paths, secrets/API keys, PII in content, and malicious code patterns like reverse shells.
scan_command – Scan CLI commands for dangerous operations including reverse shells, data exfiltration, and system destruction before shell execution.
scan_web_search – Scan web search queries for PII exposure (SSN, credit cards, API keys), data exfiltration patterns, Google dorks, and blocked/suspicious domains.
check_approval – Poll and submit human-in-the-loop approval decisions for flagged high-risk actions requiring manual review.
report_bypass – Report content that evaded detection to feed adaptive learning (ThreatSense) and improve future coverage.
get_threat_intel – Retrieve current threat intelligence including active detection patterns, threat categories, and statistics, optionally filtered by category.
Key capabilities:
Multi-stage detection pipeline – Every scan runs through pattern matching, input normalization (unicode/encoding evasion), structural analysis, and deep LLM semantic analysis to catch zero-day attacks.
Fail-closed security model – Network timeouts and backend errors result in BLOCK rather than allow, preventing bypass via service disruption.
Client-side PII redaction – Sensitive data is redacted before leaving the MCP process.
Broad compliance & compatibility – Supports GDPR, HIPAA, ISO 27001, SOC 2, and WebMCP standards; works across 100+ languages; integrates with Claude Desktop, Cursor, Windsurf, and other MCP clients.
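The redact, tokenize and rehydrate flow behind the client-side PII capability, as an added example that is not the shrike-mcp project's code. The PII detectors, the `[PII_<type>_<n>]` token format and the local vault are assumptions made for the demo, not Shrike's implementation.

```javascript
// Added example, not code from the shrike-mcp project: client-side PII
// redaction with tokens that can be rehydrated later. Patterns, token
// format and vault handling are assumptions chosen for this demo.

// Constructed detectors: US SSN, 16-digit card number, e-mail address.
const PII_PATTERNS = [
  { type: 'SSN', re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { type: 'CARD', re: /\b(?:\d{4}[ -]?){3}\d{4}\b/g },
  { type: 'EMAIL', re: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g },
];

// Replace each PII match with an opaque token and keep the mapping in a
// local vault, so the raw value never leaves the calling process.
function redact(text) {
  const vault = new Map(); // token -> original value (stays client-side)
  let redacted = text;
  let counter = 0;
  for (const { type, re } of PII_PATTERNS) {
    redacted = redacted.replace(re, (match) => {
      const token = `[PII_${type}_${++counter}]`;
      vault.set(token, match);
      return token;
    });
  }
  return { redacted, vault };
}

// Put original values back into text that echoes the tokens (for example
// a scanned LLM response); tokens not in the vault are left untouched.
function rehydrate(text, vault) {
  return text.replace(/\[PII_[A-Z]+_\d+\]/g, (token) => vault.get(token) ?? token);
}
```

In the flow the README describes, `redacted` is what is sent to scan_prompt and on to the LLM, and `rehydrate` runs on the response after scan_response has passed it.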
The server also provides specialized scanning for SQL queries intended for PostgreSQL databases, detecting and blocking injection attacks and dangerous operations.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Shrike Security MCP Server scan this prompt for injection and redact any PII".
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Shrike MCP
9 security tools for AI agents. Multi-stage detection pipeline. One MCP server.
Shrike MCP gives AI agents real-time security scanning for prompts, responses, SQL queries, file writes, CLI commands, and web searches — catching prompt injection, jailbreaks, PII leaks, and data exfiltration before they reach your users or systems.
Quick Start
1. Sign up at shrikesecurity.com/signup and get your API key.
2. Add to your MCP client config:
```json
{
  "mcpServers": {
    "shrike-security": {
      "command": "npx",
      "args": ["-y", "shrike-mcp"],
      "env": {
        "SHRIKE_API_KEY": "your-api-key"
      }
    }
  }
}
```
3. Your agent now has 9 security tools. Every prompt, response, and tool call is scanned through the full detection pipeline.
Nine Tools
| Tool | What It Scans | Example Threat |
|---|---|---|
| scan_prompt | User/system prompts before LLM processing | "Ignore all previous instructions and..." |
| scan_response | LLM outputs before returning to user | Leaked API keys, system prompt in output |
| scan_sql_query | SQL queries before database execution | … |
| scan_file_write | File paths and content before write | Path traversal to … |
| scan_command | CLI commands before shell execution | … |
| scan_web_search | Search queries before execution | PII in search: "records for John Smith SSN..." |
| check_approval | Human-in-the-loop approval status | Poll and submit decisions for flagged actions |
| report_bypass | User-reported missed detections | Feeds ThreatSense adaptive learning |
| get_threat_intel | Current threat patterns and intelligence | Latest prompt injection techniques |
How It Works
Shrike uses a scan-sandwich pattern — every agent action is scanned on both sides:

```text
User Input → scan_prompt → LLM Processing → scan_response → User Output
                                 ↓
                Tool Call (SQL, File, Command, Search)
                                 ↓
     scan_sql_query / scan_file_write / scan_command / scan_web_search
                                 ↓
                          Tool Execution
```

Inbound scans catch injection attacks. Outbound scans catch data leaks. Tool-specific scans catch SQL injection, path traversal, command injection, and PII exposure. Flagged actions trigger human-in-the-loop approval via check_approval.
Detection Pipeline
Every scan runs through a multi-stage cascade — from sub-millisecond pattern matching to deep semantic analysis — so zero-day attacks that evade simple regex are still caught by the LLM layer.
| Stage | Purpose |
|---|---|
| Pattern Matching | Known attack signatures across 14+ languages |
| Input Normalization | Unicode tricks, encoding evasion, malformed payloads |
| Structural Analysis | Token sequences, semantic similarity to known attacks |
| LLM Semantic Analysis | Zero-day detection, context-aware jailbreak analysis |
| Response Intelligence | Output scanning for leaks, PII, and policy violations |
All stages run on every tier — community users get the same detection quality as enterprise.
Community Tier (Free)
| Feature | Included |
|---|---|
| Detection Pipeline | Full multi-stage pipeline |
| MCP Tools | All 9 |
| Scan Volume | 1,000 scans/month |
| Rate Limit | 10 scans/minute |
| Multilingual | 100+ languages |
| Compliance Catalogues | GDPR, HIPAA, ISO 27001, SOC 2, WebMCP |
| Dashboard | Activity feed, scan results, analytics, API key management |
| Credit Card | Not required |
Sign up at shrikesecurity.com/signup — no approval, no sales call.
Configuration
Environment Variables
| Variable | Description | Default |
|---|---|---|
| SHRIKE_API_KEY | API key from your dashboard | none |
| … | Backend API URL | … |
| … | Scan request timeout (ms) | … |
| … | Client-side rate limit | … |
| … | Transport: … | … |
| … | HTTP port (when transport=http) | … |
| … | Debug logging | … |
Claude Desktop
```json
{
  "mcpServers": {
    "shrike-security": {
      "command": "npx",
      "args": ["-y", "shrike-mcp"],
      "env": { "SHRIKE_API_KEY": "your-api-key" }
    }
  }
}
```
Cursor
Add to Cursor settings (.cursor/mcp.json):
```json
{
  "mcpServers": {
    "shrike-security": {
      "command": "npx",
      "args": ["-y", "shrike-mcp"],
      "env": { "SHRIKE_API_KEY": "your-api-key" }
    }
  }
}
```
Windsurf
Add to ~/.codeium/windsurf/mcp_config.json:
```json
{
  "mcpServers": {
    "shrike-security": {
      "command": "npx",
      "args": ["-y", "shrike-mcp"],
      "env": { "SHRIKE_API_KEY": "your-api-key" }
    }
  }
}
```
Security Model
This server implements a fail-closed security model:
Network timeouts result in BLOCK (not allow)
Backend errors result in BLOCK (not allow)
Unknown content types result in BLOCK (not allow)
This prevents bypass attacks via service disruption.
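The scan-sandwich from How It Works built on a fail-closed scan call as described in this section, as an added example that is not shrike-mcp's own code. The `scanner` and `llm` callbacks, the payload field names and the stand-in detectors are assumptions; the verdict fields follow the Response Format section of this README.

```javascript
// Added example, not code from the shrike-mcp project: the scan-sandwich
// built on a fail-closed scan call. Timeout, backend error and an
// unrecognised reply shape all become BLOCK. The scanner object, llm
// callback and payload field names are assumptions for this demo.

const blockVerdict = (reason) => ({ blocked: true, threat_type: 'scanner_failure',
  severity: 'high', confidence: 'high', guidance: `Fail-closed: ${reason}` });

// Race the scan against a timer; every failure path yields blocked: true.
async function failClosedScan(scanFn, payload, timeoutMs = 3000) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('scan timeout')), timeoutMs);
  });
  try {
    const verdict = await Promise.race([scanFn(payload), deadline]);
    if (typeof verdict?.blocked !== 'boolean') return blockVerdict('unknown response type');
    return verdict;
  } catch (err) {
    return blockVerdict(err.message);
  } finally {
    clearTimeout(timer);
  }
}

// One agent turn, scanned on both sides; reports the stage that stopped it.
async function guardedTurn(userInput, { scanner, llm, timeoutMs }) {
  const inbound = await failClosedScan(scanner.scan_prompt, { prompt: userInput }, timeoutMs);
  if (inbound.blocked) return { stage: 'scan_prompt', verdict: inbound };
  const output = await llm(userInput);
  const outbound = await failClosedScan(scanner.scan_response, { response: output }, timeoutMs);
  if (outbound.blocked) return { stage: 'scan_response', verdict: outbound };
  return { stage: 'delivered', output };
}

// Constructed stand-in scanner so the example runs offline; a real agent routes these to the MCP tools.
const demoScanner = {
  scan_prompt: async ({ prompt }) =>
    /ignore (all )?previous instructions/i.test(prompt)
      ? { blocked: true, threat_type: 'prompt_injection', severity: 'high', confidence: 'high',
          guidance: 'Instruction override attempt.', request_id: 'req_demo_1' }
      : { blocked: false, request_id: 'req_demo_1' },
  scan_response: async ({ response }) =>
    /sk-[a-z0-9]{12,}/i.test(response)
      ? { blocked: true, threat_type: 'secret_leak', severity: 'high', confidence: 'high',
          guidance: 'Response contains an API-key-like token.', request_id: 'req_demo_2' }
      : { blocked: false, request_id: 'req_demo_2' },
};
```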
Response Format
Blocked:
```json
{
  "blocked": true,
  "threat_type": "prompt_injection",
  "severity": "high",
  "confidence": "high",
  "guidance": "This prompt contains patterns consistent with instruction override attempts.",
  "request_id": "req_lxyz123_a8f3k2m9"
}
```
Safe:
```json
{
  "blocked": false,
  "request_id": "req_lxyz123_a8f3k2m9"
}
```
Links
Shrike Security — Sign up, dashboard, docs
GitHub — Source code, issues
npm — Package registry
MCP Registry — Search "shrike"
License
Apache License 2.0 — See LICENSE for details.