MCP Sentinel
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MCP Sentinelanalyze the call chain in chain_exfil.json for anomalies"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP Sentinel
Runtime call-chain anomaly monitor for MCP servers. Sentinel watches what an MCP server actually does across a whole agent session — not just what a single tool definition says — and catches the emergent attacks that static scanners miss.
Why this exists
There are already a dozen MCP static scanners — they read a server's tool definitions once and flag injection strings. But the real damage in agentic systems is emergent across calls: read a secret → POST it to a URL → delete the log. Each call looks fine alone. No open-source tool sequences the calls and flags the pattern. Sentinel does.
It also closes the rug-pull gap: a server passes review, then silently mutates its tool descriptions after install so the agent re-reads poisoned instructions next session. Sentinel cryptographically pins every tool definition and flags any post-approval change.
static scanners | Sentinel | |
Scan tool definitions | ✅ | ✅ |
Cryptographic pin + rug-pull / drift detection | ✗ | ✅ |
Call-chain behavioural anomaly detection | ✗ | ✅ |
A–F grade per server | some | ✅ |
Ships as an MCP server (agent can self-audit) | rare | ✅ |
GitHub Action / CI gate | some | ✅ |
Related MCP server: MCP Splunk
Install
pip install mcp-sentinel # zero-dependency core (CLI)
pip install "mcp-sentinel[server]" # + the MCP-server entrypointUse
1. Pin a server's tools, then detect rug-pulls
sentinel pin examples/tools.json --lock sentinel.lock # trust on first use
sentinel verify examples/tools.json --lock sentinel.lock # later sessions
# DRIFT [mutated] get_weather *** RUG-PULL SUSPECT *** (exit 1)2. Analyze a recorded call-chain
sentinel analyze examples/chain_exfil.json
# [HIGH ] SENT001 Data read by 'read_file' (seq 0) flows into network tool 'http_post' (seq 1) - possible exfiltration.
# [HIGH ] SENT002 Destructive tool 'delete_file' (seq 2) runs after read 'read_file' (seq 0) across a server boundary - read-then-destroy pattern.3. Grade it (CI gate — exit 0 for A/B, 1 otherwise)
sentinel grade examples/chain_exfil.json
# GRADE D (50/100) findings=2 drifts=0 (exit 1)4. Transparent proxy — record a live session automatically
Wrap any MCP server. Sentinel spawns it, relays stdio faithfully (the client and server don't know it's there), and records the real session — no manual JSON:
sentinel proxy --lock sentinel.lock --report report.json -- npx -y @some/mcp-serverPoint your MCP client at sentinel proxy -- <server cmd> instead of the server
directly. On shutdown it writes a graded JSON report and prints a summary to
stderr; tool-definition drift is flagged the moment tools/list comes back —
the runtime rug-pull catch, before the agent uses the tools.
5. Statically scan a server's manifest (no execution)
Audit a server's published tool definitions for prompt-injection / tool-poisoning without ever running it — the safe way to vet untrusted servers at scale:
sentinel scan manifest.json
# GRADE D (50/100) 2 finding(s)
# [HIGH ] MCPP002 Tool 'add' description contains prompt-injection / override language.Pull real manifests from a registry and scan them:
# Smithery serves real tool definitions (free key: smithery.ai/account/api-keys)
export SMITHERY_API_KEY=...
python fieldtest/fetch.py --source smithery --limit 200 --out fieldtest/servers.smithery.json
python fieldtest/run.py fieldtest/servers.smithery.json # -> fieldtest/FINDINGS.md
# Glama is public but returns empty tools[] for most servers (verified June 2026)
python fieldtest/fetch.py --source glama --limit 200 --out fieldtest/servers.glama.jsonServers are never executed — the fetcher and scanner read published manifest JSON only, so this is safe to run across thousands of untrusted servers.
Field test: 183 live servers, naive scanners flag 401, we flag 0
I scanned 183 live public MCP servers (Smithery, 3,171 tool definitions). A keyword-style scanner — the common approach — flagged 32 servers with 401 findings. Every one was a false positive: password managers say "password," crypto tools say "token," prompt-engineering tools literally discuss "prompt injection." After tightening the rules from vocabulary to attack-patterns (and deleting two rules that proved unreliable on real data), the same 183 servers produced zero findings.
Detector (same 183 servers) | Servers flagged | Findings |
Keyword rules (grep for scary words) | 32 | 401 — all false positives |
Attack-pattern rules (mcp-sentinel) | 0 | 0 |
The takeaway — in agent security, false-positive discipline is the whole game; a detector that cries wolf 401 times trains everyone to ignore it — is itself the result. Full method, caveats, and reproduction: fieldtest/WRITEUP.md.
6. GitHub Action — one-line CI gate
# .github/workflows/sentinel.yml
- uses: Zuga-luga/mcp-sentinel@v0.4
with:
tools: examples/tools.json # rug-pull check (pins on first run)
chain: examples/chain_exfil.json # grade the recorded sessionFails the build on tool-definition drift or grade C-or-below, and writes the
grade to the job summary. See examples/workflow.yml.
7. As an MCP server (agents self-audit)
sentinel-mcp # exposes analyze_chain, check_drift, grade_serverBuilt-in anomaly rules
ID | Pattern | Severity |
| read-then-exfiltrate — read output flows into a later network call | HIGH |
| destructive-after-read — irreversible delete/overwrite following a read (HIGH across a server boundary) | HIGH / MED |
| repetition-loop — identical tool+args fired repeatedly (runaway agent) | MED |
Rules are plain functions (CallChain) -> list[Finding]; add your own by passing
them to AnomalyEngine(rules=[...]).
Benchmark — measured, not claimed
Security tools live or die on data. Sentinel ships a labeled corpus
(benchmark/dataset.py, 122 scenarios: attacks, benign, and evasion) and an
evaluation harness (benchmark/run.py) that reports precision / recall / F1 /
false-positive-rate. Run it yourself: python benchmark/run.py.
Metric | Value |
Precision | 1.000 |
Recall | 0.902 |
F1 | 0.948 |
False-positive rate | 0.000 |
Latency p95 | < 0.02 ms / scenario |
Recall is deliberately not 1.0: the corpus includes a XOR-obfuscated
exfiltration class that the current heuristics cannot see, and the harness
reports it as a miss rather than hiding it. That recall ceiling is the roadmap.
The rule improvements that took precision 0.887→1.000 and recall 0.855→0.902
(base64-aware data-flow; suppressing legitimate in-place file edits) were both
driven by failures this benchmark surfaced. Full report: benchmark/RESULTS.md.
Design
agent ──calls──> [ Sentinel ] ──forwards──> target MCP server
│
├─ pin tool defs on first connect (sentinel.lock)
├─ record every call into a CallChain
└─ run anomaly rules + gradeCapability tags (read / write / network / destructive) drive the rules.
They come from MCP tool annotations (readOnlyHint, destructiveHint) and fall
back to name/description heuristics when a server omits them — which most do.
Status
v0.4 — pinning, three call-chain anomaly rules, the static manifest scanner, grading, CLI, MCP-server interface, transparent stdio proxy, GitHub Action, an empirical benchmark, and a field-test harness are all implemented and tested (26 tests, CI-gated metrics).
Roadmap: defeat the XOR/encryption exfil evasion class (entropy + length heuristics), cross-server data-pivot and privilege-escalation rules, SARIF output, and PyPI publish.
License
MIT © Antonio Delgado
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Zuga-luga/mcp-sentinel'
If you have feedback or need assistance with the MCP directory API, please join our Discord server