Shrike Security
AI agent security scanner — protect LLM-powered apps from prompt injection, SQL injection, data exfiltration, and adversarial attacks via MCP.
shrike-mcp
MCP (Model Context Protocol) server for Shrike Security — protect AI agents from prompt injection, jailbreaks, SQL injection, data exfiltration, and malicious file operations.
Installation
npm install -g shrike-mcp
Or use with npx:
npx shrike-mcp
Quick Start
With Claude Desktop
Add to your Claude Desktop configuration (~/.claude/claude_desktop_config.json):
{
"mcpServers": {
"shrike-security": {
"command": "npx",
"args": ["shrike-mcp"],
"env": {
"SHRIKE_API_KEY": "your-api-key-here"
}
}
}
}
Without an API key, scans run on the free tier (regex-only layers L1–L4). With an API key, you get the full 9-layer scan pipeline including LLM semantic analysis.
Environment Variables
| Variable | Description | Default |
|---|---|---|
SHRIKE_API_KEY | API key for authenticated scans (enables L7/L8 LLM layers) | none (free tier) |
SHRIKE_BACKEND_URL | URL of the Shrike backend API | https://api.shrikesecurity.com/agent |
MCP_SCAN_TIMEOUT_MS | Timeout for scan requests (ms) | 15000 |
MCP_RATE_LIMIT_PER_MINUTE | Max requests per minute per customer | 100 |
MCP_TRANSPORT | Transport mode: stdio (default) or http | stdio |
MCP_PORT | HTTP server port (used when MCP_TRANSPORT=http) | 8000 |
MCP_DEBUG | Enable debug logging (true/false) | false |
Available Tools
scan_prompt
Scans user prompts for prompt injection, jailbreak attempts, and malicious content. Supports PII redaction with token-based rehydration.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
content | string | Yes | The prompt text to scan |
context | string | No | Conversation history for context-aware scanning |
redact_pii | boolean | No | When true, PII is redacted before scanning. Response includes tokens for rehydration. |
Example:
const result = await mcp.callTool('scan_prompt', {
content: userInput,
context: conversationHistory,
redact_pii: true,
});
if (result.blocked) {
console.log('Threat detected:', result.threat_type);
} else if (result.pii_redaction) {
// Use redacted content for LLM processing
const safePrompt = result.pii_redaction.redacted_content;
}
scan_response
Scans LLM-generated responses before showing them to users. Detects system prompt leaks, unexpected PII, toxic language, and topic drift. Rehydrates PII tokens when provided.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
response | string | Yes | The LLM-generated response to scan |
original_prompt | string | No | The original prompt (enables PII diff and topic mismatch detection) |
pii_tokens | array | No | PII token map from scan_prompt(redact_pii=true) for rehydration |
Example:
const result = await mcp.callTool('scan_response', {
response: llmOutput,
original_prompt: userInput,
pii_tokens: scanPromptResult.pii_redaction?.tokens,
});
if (result.blocked) {
console.log('Response blocked:', result.threat_type);
} else if (result.rehydrated_response) {
// PII tokens replaced with original values
showToUser(result.rehydrated_response);
}
scan_sql_query
Scans SQL queries for injection attacks and dangerous operations before execution.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
query | string | Yes | The SQL query to scan |
database | string | No | Target database name for context |
allowDestructive | boolean | No | Allow DROP/TRUNCATE for migrations (default: false) |
Example:
const result = await mcp.callTool('scan_sql_query', {
query: sqlQuery,
database: 'postgresql',
});
if (result.blocked) {
throw new Error(`SQL injection detected: ${result.guidance}`);
}
scan_file_write
Validates file paths and content before write operations. Checks for path traversal, secrets in content, and sensitive file access.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
path | string | Yes | The target file path |
content | string | Yes | The content to write |
mode | string | No | Write mode: create, overwrite, or append |
Example:
const result = await mcp.callTool('scan_file_write', {
path: filePath,
content: fileContent,
mode: 'create',
});
if (result.blocked) {
throw new Error(`File write blocked: ${result.guidance}`);
}
scan_web_search
Scans web search queries for PII exposure, data exfiltration patterns, and blocked domains.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
query | string | Yes | The search query to scan |
targetDomains | string[] | No | List of target domains to validate |
Example:
const result = await mcp.callTool('scan_web_search', {
query: searchQuery,
targetDomains: ['example.com'],
});
if (result.blocked) {
console.log('Search blocked:', result.guidance);
}
report_bypass
Reports content that bypassed security checks to improve detection via ThreatSense pattern learning.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
prompt | string | No | The prompt that bypassed detection |
filePath | string | No | File path for file_write bypasses |
fileContent | string | No | File content that should have been blocked |
sqlQuery | string | No | SQL query that bypassed injection detection |
searchQuery | string | No | Web search query with undetected PII |
mutationType | string | No | Type of mutation used (e.g., semantic_rewrite, encoding_exploit) |
category | string | No | Threat category (auto-inferred if not provided) |
notes | string | No | Additional notes about the bypass |
get_threat_intel
Retrieves current threat intelligence including active detection patterns, threat categories, and statistics.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
category | string | No | Filter by threat category |
limit | number | No | Max patterns to return (default: 50) |
Response Format
All scan tools return a sanitized response:
{
"blocked": true,
"threat_type": "prompt_injection",
"severity": "high",
"confidence": "high",
"guidance": "This prompt contains patterns consistent with instruction override attempts.",
"request_id": "req_lxyz123_a8f3k2m9"
}
Safe results return:
{
"blocked": false,
"request_id": "req_lxyz123_a8f3k2m9"
}
Security Model
This MCP server implements a fail-closed security model:
- Network timeouts result in BLOCK (not allow)
- Backend errors result in BLOCK (not allow)
- Unknown content types result in BLOCK (not allow)
This prevents bypass attacks via service disruption.
Known Limitations
- Free tier is regex-only — No LLM semantic analysis without API key
- No offline mode — Requires network access to Shrike backend
- Response Intelligence requires original prompt —
original_promptparam is optional but recommended for full L8 analysis - Rate limits are MCP-side only — Backend has separate per-tier limits
- HTTP transport is stateless — Each request creates a new server instance; no session persistence across requests
License
Apache License 2.0 — See LICENSE for details.
Support
- GitHub Issues: https://github.com/Shrike-Security/shrike-mcp/issues
- Email: support@shrikesecurity.com
Changelog
v1.1.0 (February 12, 2026)
- Dual transport: stdio (default) + HTTP (Streamable HTTP)
- SDK upgrade to
@modelcontextprotocol/sdk@1.26.0 - Published to MCP Registry
- Health check, agent card, and Docker support for cloud deployments
v1.0.0 (February 10, 2026)
- Initial public release
- 7 MCP tools for AI agent security
- 9-layer detection pipeline
- PII isolation with token rehydration
- Response obfuscation for IP protection
Links
- GitHub Repository
- npm Package
- MCP Registry (search "shrike")
- Issue Tracker
Related Servers
Scout Monitoring MCP
sponsorPut performance and error data directly in the hands of your AI assistant.
Alpha Vantage MCP Server
sponsorAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
i18next MCP Server
An MCP server for managing translations in i18next projects, allowing AI assistants to interact directly with translation files.
MCP Docs Server
Provides direct access to local documentation files through a context.md file in the project root.
Ref
Up-to-date documentation for your coding agent. Covers 1000s of public repos and sites. Built by ref.tools
BaseMcpServer
A minimal, containerized base for building MCP servers with the Python SDK, featuring a standardized Docker image and local development setup.
MCPilot
A FastAPI-based gateway for the Model Context Protocol (MCP) designed to unify and scale AI toolchains.
AppleScript MCP
Execute AppleScript on macOS
Enrichr MCP Server
Performs gene set enrichment analysis using the Enrichr API, supporting all available gene set libraries.
My MCP Server
A remote MCP server deployable on Cloudflare Workers without authentication.
Jules
Jules async coding agent - run autonomous tasks using Jules
Remote MCP Server (Authless)
A simple, auth-less MCP server on Cloudflare Workers that provides the current time in the US Eastern timezone.