Agentinelv0.1.0

MCP security scorecard — OWASP Agentic Top 10 (2026)
target /tmp/fleet-demo-mcp.json  ·  3 servers  ·  5 tools  ·  2026-06-18 17:52 UTC
2
Findings
HIGH
Max severity
0
Critical
2
High
0
Medium

Capability matrix · Rule of Two

Server / toolA untrustedB sensitiveC external
notes-reader / list_files · ·
read_file · ·
slack-notifier / send_message · ·
web-fetcher / fetch_doc · ·
search_docs · · ·

Findings

HIGH

Cross-server lethal trifecta across connected servers

ASI02 fleet

No single server is a full trifecta, but the connected fleet combines all three axes. A (untrusted-input): web-fetcher; B (sensitive-access): notes-reader; C (external-comms): slack-notifier. An agent connected to all of these can be injected through one server and steered to read sensitive data and exfiltrate it through another.

cross-server A+B+C

✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.

ASI02 · Tool Misuse and Exploitation · confidence 70%

HIGH

Secret exposed in server configuration

ASI03 server:slack-notifier

Environment variable 'SLACK_TOKEN' in the config holds a hardcoded Slack token.

SLACK_TOKEN=xoxb***

✓ Load secrets from a secret manager or runtime environment, never commit them to config, and rotate any exposed credential.

ASI03 · Identity and Privilege Abuse · confidence 85%