Agentinel — example reports

Interactive reports from auditing MCP servers against the OWASP Agentic Top 10 (2026). Open-source research.

Walkthrough demos — guided scenarios to learn the threat model

Poisoned server →

A deliberately hostile server: hidden instructions buried in a tool's description (tool poisoning), a lethal trifecta, and an arbitrary-command tool. Six findings — what a compromised server looks like.

Accidental fleet trifecta →

Three ordinary-looking servers scanned together. None is dangerous alone, but combined they complete the lethal trifecta — and one leaks a secret in its config. The risk you can't see one server at a time.

Clean server →

A read-only docs fetcher. It reads untrusted web pages (one leg of the trifecta) but can't reach sensitive data or send anything out — so Agentinel clears it. What a healthy server looks like, and proof it doesn't just cry wolf.

Real MCP servers — the same checks, on servers you'll recognize

GitHub →

Reads issues/PRs (untrusted input) and a private repo, and can create/push/merge — all three legs of the lethal trifecta. Mirrors a real-world exploit.

Notion →

Reads comments and database content (untrusted) and writes pages — a full lethal trifecta.

Kubernetes →

kubectl_generic runs any command — an unsafe code-execution surface — plus a near-trifecta from cluster read/write.

Real-world fleet →

fetch + filesystem + Slack, scanned together. Each is fine alone; combined they span all three trifecta legs — the accidental risk, on servers people actually run.