| Version | Supported |
|---|---|
| 0.2.x | Yes |
| 0.1.x | No |

If you discover a security vulnerability in MCP Sentinel, please report it responsibly.
Do not open a public issue.
Send an email to security@aguarascan.com with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

We will acknowledge your report within 48 hours and aim to provide a fix within 7 days for critical issues.
MCP Sentinel is a read-only scanning tool. It connects to MCP servers, queries their tool list, and analyzes the results. It does not:
- Execute any tools on the target server
- Send data to external services
- Store scan results (unless `--markdown` or `--sarif` is used to write a local file)
- Require or collect authentication credentials

When aguara is installed, MCP Sentinel writes tool descriptions to temporary files for analysis. These files are automatically cleaned up after scanning.
We minimize dependencies and audit them regularly:
- `@modelcontextprotocol/sdk` — Official MCP SDK from Anthropic
- `chalk` — Terminal color output (no network, no filesystem)
- `yaml` — YAML parser for policy files (no network, no filesystem)

All dependencies are pinned via `package-lock.json` and checked with `npm audit`.