Docs · MCP Registry · Dashboard · Blog
pip install agentseal
agentseal guardScans your machine for dangerous skill files, MCP server configs, and toxic data flows across 17+ AI agents. No API key required.
graph TD
U["User"] -->|prompt| A["AI Agent (LLM)"]
A -->|tool call| M1["MCP Server\n(filesystem)"]
A -->|tool call| M2["MCP Server\n(slack)"]
A -->|tool call| M3["MCP Server\n(database)"]
M1 -->|reads| FS["~/.ssh/\n~/.aws/\n~/Documents/"]
M2 -->|reads| SL["Messages\nChannels"]
M3 -->|queries| DB["Tables\nCredentials"]
SL -.->|"toxic flow"| M1
M1 -.->|"exfiltration"| EX["Attacker"]
style U fill:#1a1a2e,stroke:#58a6ff,color:#e6edf3
style A fill:#1a1a2e,stroke:#58a6ff,color:#e6edf3
style M1 fill:#3b1d0e,stroke:#f59e0b,color:#e6edf3
style M2 fill:#3b1d0e,stroke:#f59e0b,color:#e6edf3
style M3 fill:#3b1d0e,stroke:#f59e0b,color:#e6edf3
style EX fill:#3b0e0e,stroke:#ef4444,color:#e6edf3
style FS fill:#1a1a2e,stroke:#30363d,color:#8b949e
style SL fill:#1a1a2e,stroke:#30363d,color:#8b949e
style DB fill:#1a1a2e,stroke:#30363d,color:#8b949e
MCP servers give AI agents access to local files, databases, APIs, and credentials. Tool descriptions can contain hidden instructions that the agent follows but the user never sees. AgentSeal detects these threats across four attack surfaces.
| Command | Description | API key |
|---|---|---|
agentseal guard |
Scan skill files, MCP configs, toxic data flows, and supply chain changes | No |
agentseal shield |
Real-time file monitoring with desktop alerts and auto-quarantine | No |
agentseal scan |
Test system prompts against 191+ adversarial probes | Yes* |
agentseal scan-mcp |
Audit live MCP server tool descriptions for poisoning | No |
*Free with Ollama. Cloud providers require an API key.
Scans all AI agent configurations on your machine. Supports Claude Code, Cursor, Windsurf, VS Code, Gemini CLI, Codex, Cline, Copilot, and others.
agentseal guardSKILLS
[XX] sketchy-rules MALWARE Credential access
Remove this skill immediately and rotate all credentials.
[OK] 4 more safe skills
MCP SERVERS
[XX] filesystem DANGER Access to SSH private keys
Restrict filesystem MCP server: remove .ssh from allowed paths.
TOXIC FLOWS
[HIGH] Data exfiltration path: filesystem + slack
graph LR
IN["Skill Files\nMCP Configs"] --> P["Pattern\nSignatures"]
P --> D["Deobfuscation\n(Unicode Tags,\nBase64, BiDi, ZWC)"]
D --> S["Semantic\nAnalysis\n(MiniLM-L6-v2)"]
S --> B["Baseline\nTracking\n(SHA-256)"]
B --> OUT["Report +\nSeverity"]
style IN fill:#1a1a2e,stroke:#58a6ff,color:#e6edf3
style P fill:#161b22,stroke:#30363d,color:#e6edf3
style D fill:#161b22,stroke:#30363d,color:#e6edf3
style S fill:#161b22,stroke:#30363d,color:#e6edf3
style B fill:#161b22,stroke:#30363d,color:#e6edf3
style OUT fill:#0d4429,stroke:#22c55e,color:#e6edf3
191 attack probes: 82 extraction techniques, 109 injection techniques, 8 adaptive mutation transforms. Deterministic n-gram and canary token scoring. No LLM judge.
OpenAI
agentseal scan --prompt "You are a helpful assistant..." --model gpt-4oOllama (free, local)
agentseal scan --prompt "You are a helpful assistant..." --model ollama/llama3.1:8bHTTP endpoint
agentseal scan --url http://localhost:8080/chatConnects to live MCP servers over stdio or SSE. Enumerates tools, analyzes descriptions through pattern matching, deobfuscation, semantic similarity, and optional LLM classification. Outputs a trust score per server.
agentseal scan-mcp --server npx @modelcontextprotocol/server-filesystem /tmpWatches agent config paths in real time. Desktop notifications on threats. Quarantines files with detected payloads.
pip install agentseal[shield]
agentseal shieldfrom agentseal import AgentValidator
validator = AgentValidator.from_openai(
client=openai.AsyncOpenAI(),
model="gpt-4o",
system_prompt="You are a helpful assistant...",
)
report = await validator.run()
print(f"Trust score: {report.trust_score}/100")Anthropic / HTTP / Custom
# Anthropic
validator = AgentValidator.from_anthropic(
client=client, model="claude-sonnet-4-5-20250929", system_prompt="..."
)
# HTTP endpoint
validator = AgentValidator.from_endpoint(url="http://localhost:8080/chat")
# Custom function
validator = AgentValidator(agent_fn=my_agent, ground_truth_prompt="...")agentseal scan --file ./prompt.txt --model gpt-4o --min-score 75Exit code 1 if trust score is below threshold. SARIF output supported via --output sarif.
| Provider | Flag | API key |
|---|---|---|
| OpenAI | --model gpt-4o |
OPENAI_API_KEY |
| Anthropic | --model claude-sonnet-4-5-20250929 |
ANTHROPIC_API_KEY |
| Ollama | --model ollama/llama3.1:8b |
None |
| LiteLLM | --model any --litellm-url http://... |
Varies |
| HTTP | --url http://your-agent.com/chat |
None |
2,200+ MCP servers scanned for security risks. Trust scores, tool analysis, and finding details for each server.
AgentSeal Pro extends the scanner with MCP tool poisoning probes (+45), RAG poisoning probes (+28), multimodal attack probes (+13), behavioral genome mapping, PDF reports, and a dashboard.
If you find a detection gap or a false positive, please open an issue.