Interactive reports from auditing MCP servers against the OWASP Agentic Top 10 (2026). Open-source research.
A deliberately hostile server: hidden instructions buried in a tool's description (tool poisoning), a lethal trifecta, and an arbitrary-command tool. Six findings — what a compromised server looks like.
Three ordinary-looking servers scanned together. None is dangerous alone, but combined they complete the lethal trifecta — and one leaks a secret in its config. The risk you can't see one server at a time.
A read-only docs fetcher. It reads untrusted web pages (one leg of the trifecta) but can't reach sensitive data or send anything out — so Agentinel clears it. What a healthy server looks like, and proof it doesn't just cry wolf.
Reads issues/PRs (untrusted input) and a private repo, and can create/push/merge — all three legs of the lethal trifecta. Mirrors a real-world exploit.
Reads comments and database content (untrusted) and writes pages — a full lethal trifecta.
kubectl_generic runs any command — an unsafe code-execution surface — plus a near-trifecta from cluster read/write.
fetch + filesystem + Slack, scanned together. Each is fine alone; combined they span all three trifecta legs — the accidental risk, on servers people actually run.