Secure your AI agents. Scan MCP servers and Agent Skills before attackers do.
25 security rules aligned with OWASP Agentic AI Top 10, OWASP Agentic Skills Top 10, and OWASP MCP Top 10. Free and open source. Built on .NET 10 with defence-grade governance.
Signal Sentinel Scanner is a fast, deterministic, offline-capable first-pass authoring aid for MCP operators and skill authors. Pair it with Bandit, Gitleaks, Semgrep, and Sentinel Gateway for defence in depth.
_
Two attack surfaces. One scanner.
Signal Sentinel Scanner performs static and runtime security analysis of both MCP server configurations and Agent Skill packages.
MCP Server Scanning
Scans local config files (Claude Desktop, Cursor, VS Code, Windsurf, Zed) and connects to remote MCP servers (HTTP/SSE, Streamable HTTP, WebSocket) to enumerate tools, resources, and prompts for security vulnerabilities.
Agent Skill Scanning
Scans SKILL.md files (the emerging standard adopted by Claude Code, Codex CLI, Cursor, Windsurf, and 20+ platforms) for prompt injection, credential exposure, data exfiltration, obfuscated payloads, and malicious bundled scripts.
Every finding is mapped to the OWASP Agentic AI Security Top 10 (ASI01-ASI10), the OWASP Agentic Skills Top 10 (AST01-AST10), and the OWASP MCP Top 10 (MCP01-MCP10), producing a scored A-F grade with prioritised remediation guidance.
What's new
Recent releases since v2.1.0
v2.2.0 – Rug-pull detection, SARIF, offline mode (March 2026)
Rug Pull Detection
Compare current scan against a saved baseline; flags schema mutations, additions, and removals as Critical / High / Medium. Protects against post-install tool swaps.
Shadow Tool Injection
Typosquat detection using Levenshtein distance against privileged tools and cross-server duplicates.
Skill Integrity
Detects skills that ship without .sentinel-sig, SHA256SUMS, or cosign.sig signature artefacts.
Excessive Response Size
Flags tool descriptions over 10 KB and JSON schemas nested more than 10 levels deep.
Offline Mode
Zero network-egress guarantee for air-gapped / HMG / defence environments. Refuses --remote and blocks outbound I/O.
SARIF v2.1.0 Output
OASIS-compliant SARIF output compatible with GitHub Code Scanning, Azure DevOps, and IDE extensions.
Sigma Rule Import
Load community Sigma YAML rules. Supports title/id/description/level/tags/logsource/detection subset.
Finding Deduplication
Collapses duplicate findings across sources with OccurrenceCount; rendered as [xN] annotation in reports.
v2.3.0 – Suppressions, triage, non-MCP detection, counter-factual grading (April 2026)
Accepted-Risk Workflow
Accept specific findings with justification, approver, expiry, and per-environment scoping. Retained in every report for audit trail.
Confidence-Aware Triage
Hard filter below a confidence threshold, or demote medium-confidence findings one severity level with --triage.
Scan History & Diff
Attributes grade changes to the rules that caused them. "Your grade dropped from B to D because SS-022 fired."
Per-Environment Baselines
Separate baselines for dev / staging / prod so deltas do not leak between environments.
Non-MCP Endpoint Detection
When --remote targets a non-JSON-RPC endpoint, auto-suppresses all MCP-protocol rules for that target. No more misleading Grade A on a web front door.
YAML Capabilities Authority
The capabilities: block in a skill YAML frontmatter is authoritative for SS-012. Eliminates mechanical false positives.
Lemma-Aware Detection
Extended synonym table covers 30+ terms (disk, volume, mount, /proc, /sys, /dev) for operator-friendly language.
Counter-Factual Grade
"If these N suppressions were removed, your grade would be F (30/100) instead of A (100/100)." Suppressions cannot hide risk.
25 detection rules + 1 informational
16 MCP server rules and 9 Agent Skill rules. Triple OWASP mapping: Agentic AI Top 10 (ASI), Agentic Skills Top 10 (AST), and MCP Top 10.
MCP Server Rules (16)
| Rule | ASI | AST | MCP | Description |
|---|---|---|---|---|
| SS-001 | ASI01 | AST01 | MCP01 | Tool Poisoning Detection |
| SS-002 | ASI02 | AST02 | MCP02 | Overbroad Permissions Detection |
| SS-003 | ASI03 | AST03 | MCP03 | Missing Authentication Detection |
| SS-004 | ASI04 | AST04 | MCP04 | Supply Chain Vulnerability Detection |
| SS-005 | ASI05 | AST05 | MCP05 | Code Execution Capability Detection |
| SS-006 | ASI06 | AST06 | MCP06 | Memory / Context Write Access Detection |
| SS-007 | ASI07 | AST07 | MCP07 | Inter-Agent Communication Detection |
| SS-008 | ASI09 | AST08 | MCP08 | Sensitive Data Access Detection |
| SS-009 | ASI01 | AST09 | MCP09 | Excessive Description Length |
| SS-010 | ASI02 | AST10 | MCP10 | Cross-Server Attack Path Analysis |
| SS-019 | ASI03 | AST03 | MCP03 | Credential Hygiene Check |
| SS-020 | ASI03 | AST03 | MCP03 | OAuth 2.1 Compliance Check |
| SS-021 | ASI04 | AST04 | MCP04 | Package Provenance Check |
| SS-022 | ASI01 | AST01 | MCP01 | Rug Pull / Schema Mutation Detection |
| SS-023 | ASI01 | AST01 | MCP01 | Shadow Tool Injection (typosquat) |
| SS-025 | ASI06 | AST06 | MCP06 | Excessive Tool Response Size |
Agent Skill Rules (9)
| Rule | ASI | AST | Description |
|---|---|---|---|
| SS-011 | ASI01 | AST01, AST04 | Skill Prompt Injection Detection |
| SS-012 | ASI02 | AST03 | Skill Scope Violation Detection |
| SS-013 | ASI03 | AST03 | Skill Credential Access Detection |
| SS-014 | ASI09 | AST01, AST03 | Skill Data Exfiltration Detection |
| SS-015 | ASI01 | AST05 | Skill Obfuscation Detection |
| SS-016 | ASI05 | AST05 | Skill Script Payload Detection |
| SS-017 | ASI02 | AST06 | Skill Excessive Permissions Detection |
| SS-018 | ASI01 | AST01 | Skill Hidden Content Detection |
| SS-024 | ASI04 | AST04 | Skill Integrity Verification |
Informational (1)
| Rule | OWASP | Description |
|---|---|---|
| SS-INFO-001 | ASI10 | Non-MCP Endpoint Detected – emitted when the target returns non-JSON-RPC content. Auto-suppresses all MCP-protocol rules for that target. |
Native SARIF v2.1.0 output
SARIF is the OASIS standard for static analysis results. Signal Sentinel emits SARIF v2.1.0 alongside JSON, Markdown, and HTML, so you can pipe scan results into GitHub Code Scanning, Azure DevOps Advanced Security, Defender for Cloud, JetBrains Qodana, and any other SARIF-compatible tool without a converter.
Air-gapped by design
Pass --offline and Signal Sentinel refuses to make any network call for the duration of the scan. Remote MCP targets are rejected, DNS lookups are disabled, and the runtime blocks outbound I/O. All detection logic runs from the local binary against local files. No telemetry, no callbacks, no model dependency. Suitable for OFFICIAL-SENSITIVE / SECRET environments subject to JSP 440 / 656.
Clear, actionable security grades
Scoring: -25 critical, -10 high, -3 medium, -1 low. Attack paths: -20 critical, -10 high. A single critical vulnerability appropriately dominates the score.
Get started in 60 seconds
Available as a .NET global tool, Docker image, or build from source. Windows, macOS, and Linux.
# Install (requires .NET 10 SDK)
dotnet tool install -g SignalSentinel.Scanner
# Verify
sentinel-scan --version
# Signal Sentinel Scanner v2.3.0
# Update
dotnet tool update -g SignalSentinel.ScannerQuick scan:
Command reference:
| Option | Short | Description |
|---|---|---|
| --config <path> | -c | Path to MCP configuration file |
| --remote <url> | -r | Remote MCP server URL (http/https/ws/wss) |
| --discover | -d | Auto-discover MCP configurations |
| --skills [path] | -s | Scan Agent Skills (auto-discover or specify path) |
| --format <fmt> | -f | Output format: json, markdown, html, sarif |
| --output <path> | -o | Output file path (default: stdout) |
| --ci | CI mode - exit code 1 on critical/high | |
| --offline | Air-gapped mode - zero network egress | |
| --baseline <path> | Baseline file for rug-pull detection | |
| --update-baseline | Save current scan as new baseline | |
| --environment <name> | Environment name for per-env baselines | |
| --suppressions <path> | Suppression file for accepted risks | |
| --min-confidence <n> | Filter findings below confidence threshold | |
| --triage | Demote medium-confidence findings one severity level | |
| --verbose | -v | Enable verbose output |
| --timeout <sec> | -t | Connection timeout (default: 30, max: 300) |
| diff <a> <b> | Compare two scan results and attribute grade changes |
Auto-discovers across your AI tools
MCP Configuration Discovery
Agent Skill Discovery
All MCP transports supported: stdio (local), HTTP/SSE (remote), Streamable HTTP, and WebSocket (ws/wss).
Integrate into your pipeline
In CI mode (--ci flag), the scanner returns exit code 1 when critical or high severity findings are detected. Exit code 0 = clean, 1 = findings detected, 2 = scan failed.
name: MCP Security Scan
on: [push, pull_request]
jobs:
sentinel:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: Scan
run: |
docker run --rm -v ${{ github.workspace }}:/src \
ghcr.io/signalcoding/signal-sentinel-scanner:2.3.0 \
--discover --skills /src --ci --format sarif -o /src/sentinel.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sentinel.sarifPurpose-built for MCP and Agent Skills
| Feature | Signal Sentinel | Invariant MCP Scan | Pillar MCP Audit |
|---|---|---|---|
| MCP Server Scanning | 16 rules | 5 rules | 3 rules |
| Agent Skill Scanning | 9 rules | None | None |
| OWASP ASI Mapping | Full (ASI01-ASI10) | Partial | None |
| OWASP AST Mapping | Full (AST01-AST10) | None | None |
| OWASP MCP Mapping | Full (MCP01-MCP10) | None | None |
| SARIF Output | v2.1.0 | No | No |
| Offline / Air-gapped | Yes | No | No |
| Suppression Workflow | Yes | No | No |
| Rug-Pull Detection | Yes | No | No |
| Attack Path Analysis | Yes | No | No |
| Bundled Script Analysis | .py, .sh, .ps1, .js, .ts | No | No |
| Auto-Discovery (MCP) | 5 platforms | 2 platforms | 1 platform |
| Auto-Discovery (Skills) | 5 platforms | None | None |
| WebSocket Transport | Yes | No | No |
| Open Source | Apache 2.0 | Partial | No |
| Docker (Multi-arch) | Yes | Single arch | None |
Technical details
| Version | 2.3.0 |
| Runtime | .NET 10 LTS |
| Language | C# 14 |
| Security Rules | 25 detection + 1 informational (16 MCP + 9 Skill + 1 Info) |
| OWASP Frameworks | Agentic AI Top 10 + Agentic Skills Top 10 + MCP Top 10 |
| Transports | stdio, HTTP/SSE, Streamable HTTP, WebSocket |
| Licence | Apache 2.0 |
| Unit Tests | 254 (all passing) |
| Typical scan time | 1-5 seconds |
| Platforms | Windows, macOS, Linux |
| Distribution | .NET Tool (NuGet), Docker (GHCR), Source |
| Docker image | Alpine Linux, ~50MB, non-root, amd64/arm64 |
| Output formats | JSON, Markdown, HTML, SARIF v2.1.0 |
| Build quality | 0 warnings (warnings-as-errors enabled) |
| Published | 18 April 2026 |
Frequently asked questions
What is MCP?
The Model Context Protocol is an open standard created by Anthropic for connecting AI assistants to external tools and data sources. Adopted by OpenAI, Google, Microsoft, and the broader AI ecosystem.
What are Agent Skills?
Agent Skills are SKILL.md files that define reusable instructions, capabilities, and bundled scripts for AI coding assistants. Adopted by Claude Code, Codex CLI, Cursor, Windsurf, and 20+ platforms. They are a growing attack surface for prompt injection and supply chain attacks.
Why scan Agent Skills?
Community skill marketplaces host thousands of skills, and documented large-scale supply chain attacks have already been observed. A malicious skill can inject prompts, exfiltrate data, execute arbitrary code, and persist across sessions - all while appearing benign.
What is SARIF?
SARIF (Static Analysis Results Interchange Format) is an OASIS standard for expressing static analysis results. Signal Sentinel emits SARIF v2.1.0 so you can upload results directly to GitHub Code Scanning, Azure DevOps, Defender for Cloud, or any SARIF-compatible tool.
Can it run in air-gapped environments?
Yes. Pass --offline and the scanner refuses all network calls, DNS lookups, and outbound I/O. All detection runs from the local binary against local files. No telemetry, no callbacks, no model dependency.
What is the suppression workflow?
Create a .sentinel-suppressions.json file to accept specific findings with a justification, approver, expiry date, and per-environment scoping. Suppressed findings are retained in every report for audit trail. Counter-factual grading shows what your grade would be without suppressions.
Is Signal Sentinel free?
Yes. Free and open-source under Apache 2.0. No telemetry, no data collection, no registration required.
Does it send data anywhere?
No. Signal Sentinel runs entirely locally. The only network connections are to MCP servers you explicitly ask it to scan (disabled in --offline mode).
What transports are supported?
All four MCP transports: stdio (local processes), HTTP/SSE, Streamable HTTP, and WebSocket (ws/wss).
Can I use it in CI/CD?
Yes. Use --ci flag for exit code 1 on critical/high findings, and --format sarif for GitHub Code Scanning upload. Works with GitHub Actions, Azure DevOps, GitLab CI, Jenkins, and any CI system that runs .NET or Docker. Pre-commit hooks available for pre-commit.com, lefthook, and husky.
What .NET version is required?
.NET 10 SDK or later for the .NET global tool. Docker requires no .NET installation.
How do I report a security issue?
Email [email protected]. Do not open a public GitHub issue for security vulnerabilities.
What comes next?
Signal Sentinel Gateway (real-time MCP firewall) and Signal Sentinel Classify (document classification MCP server) are in development. See our product roadmap for details.
Secure your AI agent integrations today
25 security rules. Triple OWASP mapping. SARIF, offline mode, suppressions, triage, and counter-factual grading. Free, open source, and runs in seconds.
Last updated: May 2026