
Shrike Security MCP Server

scan_response

Read-only, Idempotent

Scans LLM-generated responses before delivery to block system prompt leaks, unexpected PII, toxic content, or topic drift. Provide original prompt for best results.

Instructions

Protective check on outbound responses — catches system prompt leaks, unexpected PII, or topic drift before delivery, so what you ship matches what you meant.

Call this AFTER the LLM generates a response, BEFORE returning it to the user or downstream system.

DECISION LOGIC:

  • If blocked=true: do NOT deliver the response. Regenerate with a modified prompt or return the user_message as a safe fallback.

  • If blocked=false: the response is safe to deliver.

Detects in LLM output:

  • System prompt leaks (LLM revealing its instructions)

  • Unexpected PII in output (PII not present in the original prompt)

  • Toxic or hostile language in generated content

  • Topic drift (response diverges from prompt intent)

Provide original_prompt for best results — it enables PII diff analysis and topic mismatch detection. When pii_tokens is provided (from scan_prompt with redact_pii=true), safe responses include rehydrated_response with PII tokens restored.

Enterprise context: Paired with scan_prompt, this completes the inbound/outbound scan pattern that prevents data exfiltration through model outputs and ensures compliance with data handling policies.

ERROR HANDLING: If this tool returns an error or is unavailable, default to BLOCKING the response. Do NOT deliver unscanned LLM output.
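The decision logic and fail-closed rule above, as an added Python example (not code from Shrike Security or Glama). `call_tool` is a hypothetical hook standing in for whatever MCP client invokes the tool, and the result being a mapping is an assumption; the field names `blocked`, `user_message` and `rehydrated_response` come from the description above.

```python
from collections.abc import Callable, Mapping
from typing import Any, Optional

# Generic fallback used when the scanner supplies no user_message (constructed text).
DEFAULT_FALLBACK = "The response was withheld by a safety check."


def gate_response(
    call_tool: Callable[[str, dict], Any],  # hypothetical MCP client hook
    response: str,
    original_prompt: Optional[str] = None,
    pii_tokens: Optional[Mapping[str, str]] = None,
) -> tuple[bool, str]:
    """Return (delivered, text_to_send). Fails closed on any scanner problem."""
    args: dict = {"response": response}
    if original_prompt is not None:
        args["original_prompt"] = original_prompt  # enables PII diff and topic checks
    if pii_tokens is not None:
        args["pii_tokens"] = dict(pii_tokens)  # token map from scan_prompt

    try:
        result = call_tool("scan_response", args)
    except Exception:
        # Tool error or unavailable: block, never deliver unscanned output.
        return False, DEFAULT_FALLBACK

    # Assumption: a well-formed result is a mapping; anything else counts as an error.
    if not isinstance(result, Mapping):
        return False, DEFAULT_FALLBACK

    # Only a literal False means "safe". A missing key, None, or a truthy
    # value is treated as blocked so a malformed reply cannot fail open.
    if result.get("blocked") is not False:
        msg = result.get("user_message")
        return False, msg if isinstance(msg, str) and msg else DEFAULT_FALLBACK

    # Safe: prefer the rehydrated text when a token map was supplied.
    rehydrated = result.get("rehydrated_response")
    if pii_tokens is not None and isinstance(rehydrated, str):
        return True, rehydrated
    return True, response
```

When the first element is False, the caller can either send the returned text as the fallback or regenerate with a modified prompt and run the gate again.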

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| response | Yes | The LLM-generated response to scan for security threats | |
| original_prompt | No | The original prompt that generated this response. Enables PII diff and topic mismatch detection. | |
| pii_tokens | No | PII token map from scan_prompt(redact_pii=true). When provided, tokens in the response are rehydrated with original values after scanning. | |
| session_id | No | Session identifier for multi-turn correlation. | |
| agent_id | No | Your agent identifier for activity tracking. | |
| parent_agent_id | No | Parent agent ID if you are a sub-agent (delegation chain tracking). | |
| task_chain | No | Delegation path from root agent (e.g., "main→research→fetch"). | |

Behavior: 5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Discloses detection capabilities (system prompt leaks, PII, toxicity, topic drift), rehydration behavior when pii_tokens provided, and error handling. Annotations already mark as non-destructive/idempotent, and description adds operational context beyond annotations without contradiction.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Well-structured with headings, decision logic, bulleted detection types, and error handling. Front-loaded purpose. Every sentence adds value; no redundancy despite comprehensive coverage.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given 7 parameters and no output schema, the description fully covers usage flow, decision logic, error handling, pairing with scan_prompt, and rehydration. Annotations provide additional hints; overall completeness is high.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

100% schema coverage provides baseline of 3. Description adds meaningful context: original_prompt enables PII diff/topic mismatch, pii_tokens enables rehydration. Does not merely repeat schema but explains why parameters matter.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool is a 'protective check on outbound responses' catching 'system prompt leaks, unexpected PII, or topic drift' with specific verb+resource demarcation. It distinguishes from sibling tools like scan_prompt by specifying 'outbound' vs inbound scanning.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Explicitly provides when to call ('AFTER the LLM generates a response, BEFORE returning it'), decision logic for blocked=true/false, and pairing guidance with scan_prompt. Includes error handling defaults: 'default to BLOCKING the response'.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.


MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Shrike-Security/shrike-mcp'
