Docs · MCP Registry · Dashboard · Blog
pip install agentseal agentseal guardScans your machine for dangerous skill files, MCP server configs, and toxic data flows across 17+ AI agents. No API key required.
graph TD U["User"] -->|prompt| A["AI Agent (LLM)"] A -->|tool call| M1["MCP Server\n(filesystem)"] A -->|tool call| M2["MCP Server\n(slack)"] A -->|tool call| M3["MCP Server\n(database)"] M1 -->|reads| FS["~/.ssh/\n~/.aws/\n~/Documents/"] M2 -->|reads| SL["Messages\nChannels"] M3 -->|queries| DB["Tables\nCredentials"] SL -.->|"toxic flow"| M1 M1 -.->|"exfiltration"| EX["Attacker"] style U fill:#1a1a2e,stroke:#58a6ff,color:#e6edf3 style A fill:#1a1a2e,stroke:#58a6ff,color:#e6edf3 style M1 fill:#3b1d0e,stroke:#f59e0b,color:#e6edf3 style M2 fill:#3b1d0e,stroke:#f59e0b,color:#e6edf3 style M3 fill:#3b1d0e,stroke:#f59e0b,color:#e6edf3 style EX fill:#3b0e0e,stroke:#ef4444,color:#e6edf3 style FS fill:#1a1a2e,stroke:#30363d,color:#8b949e style SL fill:#1a1a2e,stroke:#30363d,color:#8b949e style DB fill:#1a1a2e,stroke:#30363d,color:#8b949e MCP servers give AI agents access to local files, databases, APIs, and credentials. Tool descriptions can contain hidden instructions that the agent follows but the user never sees. AgentSeal detects these threats across four attack surfaces.
| Command | Description | API key |
|---|---|---|
agentseal guard | Scan skill files, MCP configs, toxic data flows, and supply chain changes | No |
agentseal shield | Real-time file monitoring with desktop alerts and auto-quarantine | No |
agentseal scan | Test system prompts against 191+ adversarial probes | Yes* |
agentseal scan-mcp | Audit live MCP server tool descriptions for poisoning | No |
*Free with Ollama. Cloud providers require an API key.
Scans all AI agent configurations on your machine. Supports Claude Code, Cursor, Windsurf, VS Code, Gemini CLI, Codex, Cline, Copilot, and others.
agentseal guardSKILLS [XX] sketchy-rules MALWARE Credential access Remove this skill immediately and rotate all credentials. [OK] 4 more safe skills MCP SERVERS [XX] filesystem DANGER Access to SSH private keys Restrict filesystem MCP server: remove .ssh from allowed paths. TOXIC FLOWS [HIGH] Data exfiltration path: filesystem + slack graph LR IN["Skill Files\nMCP Configs"] --> P["Pattern\nSignatures"] P --> D["Deobfuscation\n(Unicode Tags,\nBase64, BiDi, ZWC)"] D --> S["Semantic\nAnalysis\n(MiniLM-L6-v2)"] S --> B["Baseline\nTracking\n(SHA-256)"] B --> OUT["Report +\nSeverity"] style IN fill:#1a1a2e,stroke:#58a6ff,color:#e6edf3 style P fill:#161b22,stroke:#30363d,color:#e6edf3 style D fill:#161b22,stroke:#30363d,color:#e6edf3 style S fill:#161b22,stroke:#30363d,color:#e6edf3 style B fill:#161b22,stroke:#30363d,color:#e6edf3 style OUT fill:#0d4429,stroke:#22c55e,color:#e6edf3 191 attack probes: 82 extraction techniques, 109 injection techniques, 8 adaptive mutation transforms. Deterministic n-gram and canary token scoring. No LLM judge.
OpenAI
agentseal scan --prompt "You are a helpful assistant..." --model gpt-4oOllama (free, local)
agentseal scan --prompt "You are a helpful assistant..." --model ollama/llama3.1:8bHTTP endpoint
agentseal scan --url http://localhost:8080/chatConnects to live MCP servers over stdio or SSE. Enumerates tools, analyzes descriptions through pattern matching, deobfuscation, semantic similarity, and optional LLM classification. Outputs a trust score per server.
agentseal scan-mcp --server npx @modelcontextprotocol/server-filesystem /tmpWatches agent config paths in real time. Desktop notifications on threats. Quarantines files with detected payloads.
pip install agentseal[shield] agentseal shieldfrom agentseal import AgentValidator validator = AgentValidator.from_openai( client=openai.AsyncOpenAI(), model="gpt-4o", system_prompt="You are a helpful assistant...", ) report = await validator.run() print(f"Trust score: {report.trust_score}/100")Anthropic / HTTP / Custom
# Anthropic validator = AgentValidator.from_anthropic( client=client, model="claude-sonnet-4-5-20250929", system_prompt="..." ) # HTTP endpoint validator = AgentValidator.from_endpoint(url="http://localhost:8080/chat") # Custom function validator = AgentValidator(agent_fn=my_agent, ground_truth_prompt="...")agentseal scan --file ./prompt.txt --model gpt-4o --min-score 75Exit code 1 if trust score is below threshold. SARIF output supported via --output sarif.
| Provider | Flag | API key |
|---|---|---|
| OpenAI | --model gpt-4o | OPENAI_API_KEY |
| Anthropic | --model claude-sonnet-4-5-20250929 | ANTHROPIC_API_KEY |
| MiniMax | --model MiniMax-M2.7 | MINIMAX_API_KEY |
| Ollama | --model ollama/llama3.1:8b | None |
| LiteLLM | --model any --litellm-url http://... | Varies |
| HTTP | --url http://your-agent.com/chat | None |
2,200+ MCP servers scanned for security risks. Trust scores, tool analysis, and finding details for each server.
AgentSeal Pro extends the scanner with MCP tool poisoning probes (+45), RAG poisoning probes (+28), multimodal attack probes (+13), behavioral genome mapping, PDF reports, and a dashboard.
If you find a detection gap or a false positive, please open an issue.
