Agentinelv0.1.0

MCP security scorecard — OWASP Agentic Top 10 (2026)
target real-world fleet (fetch + filesystem + Slack)  ·  3 servers  ·  18 tools  ·  from published tool specs
3
Findings
HIGH
Max severity
0
Critical
1
High
0
Medium

Capability matrix · Rule of Two

Server / toolA untrustedB sensitiveC external
fetch / fetch · ·
filesystem / create_directory · ·
directory_tree · · ·
edit_file · ·
get_file_info · ·
list_directory · ·
move_file · ·
read_media_file · ·
read_multiple_files · ·
read_text_file · ·
search_files · ·
write_file ·
slack / slack_get_channel_history · ·
slack_get_thread_replies · ·
slack_get_users · · ·
slack_list_channels · · ·
slack_post_message · ·
slack_reply_to_thread · · ·

Findings

HIGH

Cross-server lethal trifecta across connected servers

ASI02 fleet

No single server is a full trifecta, but the connected fleet combines all three axes. A (untrusted-input): fetch, slack; B (sensitive-access): filesystem; C (external-comms): filesystem, slack. An agent connected to all of these can be injected through one server and steered to read sensitive data and exfiltrate it through another.

cross-server A+B+C

✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.

ASI02 · Tool Misuse and Exploitation · confidence 70%

INFO

Two of three lethal-trifecta axes present

ASI02 server:filesystem

This server's toolset already holds two trifecta axes (B:sensitive-access, C:external-comms). Adding a tool with the third axis — or connecting it alongside another server that provides it — would complete the lethal trifecta.

axes present: B:sensitive-access, C:external-comms

✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.

ASI02 · Tool Misuse and Exploitation · confidence 60%

INFO

Two of three lethal-trifecta axes present

ASI02 server:slack

This server's toolset already holds two trifecta axes (A:untrusted-input, C:external-comms). Adding a tool with the third axis — or connecting it alongside another server that provides it — would complete the lethal trifecta.

axes present: A:untrusted-input, C:external-comms

✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.

ASI02 · Tool Misuse and Exploitation · confidence 60%