# shrike-mcp

MCP (Model Context Protocol) server for Shrike Security: protects AI agents from prompt injection, jailbreaks, SQL injection, data exfiltration, and malicious file operations.
## Installation

```bash
npm install -g shrike-mcp
```

Or run it with npx:

```bash
npx shrike-mcp
```
## Quick Start

### With Claude Desktop

Add the server to your Claude Desktop configuration (`~/.claude/claude_desktop_config.json`):

```json
{
  "mcpServers": {
    "shrike-security": {
      "command": "npx",
      "args": ["shrike-mcp"],
      "env": {
        "SHRIKE_API_KEY": "your-api-key-here"
      }
    }
  }
}
```

The key is stored in clear text in this file, so keep it out of version control.

Without an API key, scans run on the free tier (regex-only layers L1–L4). With an API key you get the full 9-layer scan pipeline, including the LLM semantic analysis layers (L7/L8).
## Environment Variables

| Variable | Description | Default |
|---|---|---|
| `SHRIKE_API_KEY` | API key for authenticated scans (enables the L7/L8 LLM layers) | none (free tier) |
| `SHRIKE_BACKEND_URL` | URL of the Shrike backend API | `https://api.shrikesecurity.com/agent` |
| `MCP_SCAN_TIMEOUT_MS` | Timeout for scan requests (ms); a timed-out scan is treated as a block | `15000` |
| `MCP_RATE_LIMIT_PER_MINUTE` | Max requests per minute per customer | `100` |
| `MCP_DEBUG` | Enable debug logging (`true`/`false`) | `false` |
## Available Tools

### scan_prompt

Scans user prompts for prompt injection, jailbreak attempts, and malicious content. Supports PII redaction with token-based rehydration.

Parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| `content` | string | Yes | The prompt text to scan |
| `context` | string | No | Conversation history for context-aware scanning |
| `redact_pii` | boolean | No | When true, PII is redacted before scanning. The response includes tokens for rehydration. |

Example:

```javascript
const result = await mcp.callTool('scan_prompt', {
  content: userInput,
  context: conversationHistory,
  redact_pii: true,
});

if (result.blocked) {
  console.log('Threat detected:', result.threat_type);
} else if (result.pii_redaction) {
  // Send the redacted text to the LLM; keep result.pii_redaction.tokens
  // so scan_response can rehydrate the reply later.
  const safePrompt = result.pii_redaction.redacted_content;
}
```
### scan_response

Scans LLM-generated responses before they are shown to users. Detects system prompt leaks, unexpected PII, toxic language, and topic drift. Rehydrates PII tokens when a token map is provided.

Parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| `response` | string | Yes | The LLM-generated response to scan |
| `original_prompt` | string | No | The original prompt (enables PII diff and topic mismatch detection) |
| `pii_tokens` | array | No | PII token map from `scan_prompt(redact_pii=true)`, used for rehydration |

Example:

```javascript
const result = await mcp.callTool('scan_response', {
  response: llmOutput,
  original_prompt: userInput,
  pii_tokens: scanPromptResult.pii_redaction?.tokens,
});

if (result.blocked) {
  console.log('Response blocked:', result.threat_type);
} else if (result.rehydrated_response) {
  // PII tokens have been replaced with the original values
  showToUser(result.rehydrated_response);
}
```
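The redaction and rehydration round trip that `scan_prompt(redact_pii=true)` and `scan_response(pii_tokens=...)` perform between them, shown end to end. This is an added example written for this page, not shrike-mcp's implementation: the `[PII_<TYPE>_<n>]` token format, the two regexes, and the `fakeLlm` stand-in for the model are assumptions; only the field names `redacted_content` and `tokens` mirror the response documented above. The point it makes that the prose does not: the model never sees raw PII, and rehydration works only because the model echoes tokens verbatim.

```javascript
// Added example, not shrike-mcp code: token-based PII redaction with
// rehydration on the way back. Token format and regexes are assumptions.

const PII_PATTERNS = [
  { type: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "PHONE", re: /\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g },
];

// Replace every match with an opaque token. The token map is returned
// separately so the raw values never travel with the redacted text.
function redactPii(text) {
  const tokens = [];
  let redacted = text;
  for (const { type, re } of PII_PATTERNS) {
    redacted = redacted.replace(re, (match) => {
      const token = `[PII_${type}_${tokens.length + 1}]`;
      tokens.push({ token, value: match });
      return token;
    });
  }
  return { redacted_content: redacted, tokens };
}

// Put the original values back wherever the model echoed a token.
function rehydrate(text, tokens) {
  return tokens.reduce((out, { token, value }) => out.split(token).join(value), text);
}

// True if any raw PII pattern still matches: the check to run on redacted
// text before it goes to the model (fresh RegExp copies avoid /g lastIndex state).
function containsRawPii(text) {
  return PII_PATTERNS.some(({ re }) => new RegExp(re.source).test(text));
}

// Stand-in for the model. The only property rehydration relies on is that
// tokens come back verbatim, which is what this stub does.
function fakeLlm(redactedPrompt) {
  const echoed = redactedPrompt.match(/\[PII_[A-Z]+_\d+\]/g) || [];
  return `Confirmed. I will use ${echoed.join(" and ")}.`;
}

// One guarded turn: redact -> model sees tokens only -> rehydrate for the user.
function guardedTurn(prompt) {
  const { redacted_content, tokens } = redactPii(prompt);
  const llmOutput = fakeLlm(redacted_content);
  return { redacted_content, tokens, llmOutput, rehydrated: rehydrate(llmOutput, tokens) };
}

// Constructed sample input.
const USER_PROMPT = "Email my receipt to jane.doe@example.com or text 555-867-5309 if that fails.";

console.log(JSON.stringify(guardedTurn(USER_PROMPT), null, 2));
```

With shrike-mcp the redaction happens inside `scan_prompt` and the rehydration inside `scan_response`; the token map in between is the only thing the caller has to carry, and it should be held server-side in the session, never sent to the model.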
### scan_sql_query

Scans SQL queries for injection attacks and dangerous operations before execution.

Parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| `query` | string | Yes | The SQL query to scan |
| `database` | string | No | Target database name for context |
| `allowDestructive` | boolean | No | Allow DROP/TRUNCATE for migrations (default: `false`) |

Example:

```javascript
const result = await mcp.callTool('scan_sql_query', {
  query: sqlQuery,
  database: 'postgresql',
});

// Scan before execution; only run the query when the verdict is not blocked.
if (result.blocked) {
  throw new Error(`SQL injection detected: ${result.guidance}`);
}
```
### scan_file_write

Validates file paths and content before write operations. Checks for path traversal, secrets in content, and sensitive file access.

Parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| `path` | string | Yes | The target file path |
| `content` | string | Yes | The content to write |
| `mode` | string | No | Write mode: `create`, `overwrite`, or `append` |

Example:

```javascript
const result = await mcp.callTool('scan_file_write', {
  path: filePath,
  content: fileContent,
  mode: 'create',
});

// Scan before writing; only touch the filesystem when the verdict is not blocked.
if (result.blocked) {
  throw new Error(`File write blocked: ${result.guidance}`);
}
```
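A caller-side pre-check for the three classes `scan_file_write` is documented to cover, as an added example (not shrike-mcp's detection logic, which runs in the backend). The workspace root, the dotfile deny-list and the secret regexes are assumptions chosen for illustration; the AWS key in the sample is the documented placeholder value. It runs before the `scan_file_write` call as defense in depth, never instead of it, and it shows why a "does the path contain `..`" check is not enough: traversal has to be judged on the resolved path.

```javascript
// Added example, not shrike-mcp code: a caller-side pre-check for the three
// things scan_file_write is documented to look for. Root, deny-list and
// secret regexes are assumptions; run this before the scan call, not instead.

// Lexical resolution of "." and ".." with no filesystem access, so that
// "notes/../../etc/passwd" and "/etc/passwd" are judged the same way.
// ".." never climbs above "/" because pop() on an empty array is a no-op.
function lexicalResolve(root, target) {
  const absolute = target.startsWith("/") ? target : `${root}/${target}`;
  const parts = [];
  for (const seg of absolute.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { parts.pop(); continue; }
    parts.push(seg);
  }
  return "/" + parts.join("/");
}

// Files an agent should not be writing even inside its own workspace (assumed list).
const SENSITIVE_PATH_PATTERNS = [
  /(^|\/)\.ssh(\/|$)/,
  /(^|\/)\.env(\.[^/]*)?$/,
  /(^|\/)\.git(\/|$)/,
];

// Secret formats whose presence in write content should stop the write (assumed list).
const SECRET_PATTERNS = [
  { name: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "private_key_block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: "github_token", re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/ },
];

// Returns the same { blocked, threat_type, guidance } shape the scan tools use.
function preCheckFileWrite({ root, path: target, content }) {
  const rootResolved = lexicalResolve("/", root);
  const resolved = lexicalResolve(rootResolved, target);
  const prefix = rootResolved === "/" ? "/" : `${rootResolved}/`;

  if (resolved !== rootResolved && !resolved.startsWith(prefix)) {
    return { blocked: true, threat_type: "path_traversal", resolved,
             guidance: `${target} resolves to ${resolved}, outside ${rootResolved}.` };
  }
  if (SENSITIVE_PATH_PATTERNS.some((re) => re.test(resolved))) {
    return { blocked: true, threat_type: "sensitive_file_access", resolved,
             guidance: `${resolved} matches the sensitive-path deny-list.` };
  }
  const hit = SECRET_PATTERNS.find(({ re }) => re.test(content));
  if (hit) {
    return { blocked: true, threat_type: "secret_in_content", resolved,
             guidance: `Content contains a value shaped like ${hit.name}.` };
  }
  return { blocked: false, resolved };
}

// Constructed cases; the AWS key is the documented placeholder value.
const ROOT = "/srv/agent/workspace";
const CASES = [
  { path: "notes/todo.md", content: "buy milk" },
  { path: "a/b/../c.txt", content: "stays inside the root" },
  { path: "notes/../../../etc/passwd", content: "root::0:0::/:/bin/sh" },
  { path: "/srv/agent/workspace/../secrets.txt", content: "absolute path that climbs out" },
  { path: ".env", content: "DEBUG=true" },
  { path: "config/app.yaml", content: "aws_access_key_id: AKIAIOSFODNN7EXAMPLE" },
];

for (const c of CASES) {
  console.log(c.path, "->", JSON.stringify(preCheckFileWrite({ root: ROOT, ...c })));
}
```

This check only understands POSIX separators and literal path text: percent-encoded sequences, symlinks inside the workspace, and case-insensitive filesystems all get past it, which is why the `scan_file_write` call still follows.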
### scan_web_search

Scans web search queries for PII exposure, data exfiltration patterns, and blocked domains.

Parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| `query` | string | Yes | The search query to scan |
| `targetDomains` | string[] | No | List of target domains to validate |

Example:

```javascript
const result = await mcp.callTool('scan_web_search', {
  query: searchQuery,
  targetDomains: ['example.com'],
});

if (result.blocked) {
  console.log('Search blocked:', result.guidance);
}
```
### report_bypass

Reports content that bypassed security checks, to improve detection via ThreatSense pattern learning.

Parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| `prompt` | string | No | The prompt that bypassed detection |
| `filePath` | string | No | File path for `file_write` bypasses |
| `fileContent` | string | No | File content that should have been blocked |
| `sqlQuery` | string | No | SQL query that bypassed injection detection |
| `searchQuery` | string | No | Web search query with undetected PII |
| `mutationType` | string | No | Type of mutation used (e.g. `semantic_rewrite`, `encoding_exploit`) |
| `category` | string | No | Threat category (auto-inferred if not provided) |
| `notes` | string | No | Additional notes about the bypass |
### get_threat_intel

Retrieves current threat intelligence, including active detection patterns, threat categories, and statistics.

Parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| `category` | string | No | Filter by threat category |
| `limit` | number | No | Max patterns to return (default: 50) |
## Response Format

All scan tools return a sanitized response that carries the verdict and guidance but not the matched patterns:

```json
{
  "blocked": true,
  "threat_type": "prompt_injection",
  "severity": "high",
  "confidence": "high",
  "guidance": "This prompt contains patterns consistent with instruction override attempts.",
  "request_id": "req_lxyz123_a8f3k2m9"
}
```

Safe results return:

```json
{
  "blocked": false,
  "request_id": "req_lxyz123_a8f3k2m9"
}
```
## Security Model

This MCP server implements a fail-closed security model:

- Network timeouts result in BLOCK (not allow)
- Backend errors result in BLOCK (not allow)
- Unknown content types result in BLOCK (not allow)

This prevents bypass attacks via service disruption: an attacker who can make the backend slow or unreachable does not thereby get content through unscanned. The trade-off is availability: while the backend is unreachable, every guarded action is refused.
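What fail-closed looks like from the caller's side, as an added example (not code from shrike-mcp): a wrapper that turns a timeout, a thrown backend error, or a result that is not a well-formed scan response into a BLOCK, so that only a well-formed result can ever say "not blocked". `callTool(name, args)` is an assumed stand-in for whatever MCP client the host exposes, and the stub scanners are constructed to exercise each of the three failure modes listed above.

```javascript
// Added example, not shrike-mcp code: fail-closed handling around a scan call.
// `callTool(name, args) -> Promise<result>` is an assumed stand-in for the
// host's MCP client.

// The block returned when the scanner cannot be trusted to have answered.
function blockBecause(reason) {
  return {
    blocked: true,
    threat_type: "scanner_unavailable",
    severity: "high",
    confidence: "low",
    guidance: `Scan did not complete (${reason}); failing closed.`,
  };
}

// Only a well-formed scan result is allowed to say "not blocked".
function isWellFormedScanResult(value) {
  return (
    typeof value === "object" &&
    value !== null &&
    typeof value.blocked === "boolean" &&
    typeof value.request_id === "string"
  );
}

async function failClosedScan(callTool, tool, args, { timeoutMs = 15000 } = {}) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`timeout after ${timeoutMs} ms`)), timeoutMs);
  });
  try {
    // Promise.race keeps handlers attached to the losing promise, so a late
    // rejection from callTool does not surface as an unhandled rejection.
    const result = await Promise.race([callTool(tool, args), timeout]);
    return isWellFormedScanResult(result) ? result : blockBecause("unrecognised result shape");
  } catch (err) {
    return blockBecause(err instanceof Error ? err.message : String(err));
  } finally {
    clearTimeout(timer); // never leave the timer pending after an early answer
  }
}

// Constructed stubs, one per behaviour the security model has to handle.
const stubScanners = {
  allows: async () => ({ blocked: false, request_id: "req_example_allow" }),
  blocks: async () => ({
    blocked: true,
    threat_type: "prompt_injection",
    severity: "high",
    confidence: "high",
    guidance: "Instruction override pattern.",
    request_id: "req_example_block",
  }),
  hangs: () => new Promise(() => {}),                          // network stall
  errors: async () => { throw new Error("502 Bad Gateway"); }, // backend error
  garbage: async () => "<html>maintenance</html>",             // unknown content type
};

// Run every stub through the wrapper; a short timeout keeps the demo quick.
async function runScenarios(timeoutMs = 50) {
  const results = {};
  for (const [name, scanner] of Object.entries(stubScanners)) {
    results[name] = await failClosedScan(scanner, "scan_prompt", { content: "hello" }, { timeoutMs });
  }
  return results;
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In production set `timeoutMs` from `MCP_SCAN_TIMEOUT_MS` and put this wrapper in front of every tool invocation, so that a host that ignores the server's own verdict still cannot turn an outage into an allow.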
## Known Limitations

- Free tier is regex-only: no LLM semantic analysis without an API key
- No offline mode: requires network access to a Shrike backend
- Response Intelligence needs the original prompt: the `original_prompt` parameter of `scan_response` is optional, but full L8 analysis requires it
- Rate limits are MCP-side only: the backend enforces separate per-tier limits
- stdio transport only: no HTTP server mode; requires an MCP-compatible host
## Self-Hosting

To run your own Shrike backend:

```bash
git clone https://github.com/shrike-security/shrike-security-agent.git
cd shrike-security-agent/backend
go run ./cmd/refactored-agent
```

Then point the MCP server at your local backend:

```json
{
  "mcpServers": {
    "shrike-security": {
      "command": "npx",
      "args": ["shrike-mcp"],
      "env": {
        "SHRIKE_BACKEND_URL": "http://localhost:8080"
      }
    }
  }
}
```

Use plain `http://` only for a backend on the same host: scan requests carry the prompts, SQL and file content being checked, so a backend on another machine should be reached over HTTPS.
## License

Apache License 2.0. See LICENSE for details.

## Support

- GitHub Issues: https://github.com/Shrike-Security/shrike-mcp/issues
- Email: support@shrikesecurity.com

## Changelog

### v1.0.0 (February 10, 2026)

- Initial public release
- 7 MCP tools for AI agent security
- 9-layer detection pipeline
- PII isolation with token rehydration
- Response obfuscation for IP protection