MCP Sentinel — Security Monitor for Skills & MCP Servers

What it does

MCP Sentinel scans installed Claude Skills and MCP servers for vulnerabilities and malicious behavior by combining static analysis, external threat intelligence, coherence checks, and update diff detection. Version 2 adds a PreToolUse runtime hook that inspects tool calls in real time and can block credential exfiltration, dangerous shell patterns, and known-malicious domains before they execute.

When to use it

Run Sentinel when auditing installed skills/MCPs, before installing a new skill or MCP (pre-install check), after noticing suspicious behavior, or on a regular schedule to detect supply-chain changes. Offer the runtime hook when the user requests live protection or when a suspicious update is detected.

What's included

• Scripts: hook installer/uninstaller (hooks/install_hooks.sh) and a PreToolUse hook (hooks/sentinel_preflight.py) referenced in the skill layout.
• References: bundled IOC lists and threat-db templates referenced under references/.
• Instructions: detailed operational guidance for scans, diff analysis, allowlisting, reporting, and remediation workflows; installer usage and failure-mode notes included.

Compatible agents

Designed for agents with file access, shell execution, and websearch capabilities (e.g., Claude Code, security-focused assistants). The runtime hook requires Python 3 and jq for installer scripts.