classifinder-mcp
Enables AI agents to scan text for leaked secrets and prompt injection markers, and redact them before reaching an LLM.
README
ClassiFinder MCP Server
An MCP server that gives AI agents the ability to scan text for leaked secrets and redact them before they reach an LLM.
Installation
pip install classifinder-mcp
Setup
Get a free API key at classifinder.ai, then add to your agent config:
Claude Code
{
"mcpServers": {
"classifinder": {
"command": "classifinder-mcp",
"env": {
"CLASSIFINDER_API_KEY": "ss_live_your_key_here"
}
}
}
}
Cursor
Add to .cursor/mcp.json in your project:
{
"mcpServers": {
"classifinder": {
"command": "classifinder-mcp",
"env": {
"CLASSIFINDER_API_KEY": "ss_live_your_key_here"
}
}
}
}
Tools
classifinder_scan
Scan text for leaked secrets and credentials. Returns findings with type, severity, confidence, and remediation guidance.
Agent: "Check this config for secrets"
→ classifinder_scan(text="AWS_ACCESS_KEY_ID=AKIAJGKJHSKLDJFH3284")
→ Found 1 secret: aws_access_key (critical, confidence 0.95)
classifinder_redact
Replace all detected secrets with safe placeholders. Returns clean text safe to forward to any LLM.
Agent: "Clean this before sending to the model"
→ classifinder_redact(text="key=sk_live_EXAMPLE_KEY_HERE")
→ "key=[STRIPE_LIVE_SECRET_KEY_REDACTED]"
What It Detects
179 detection patterns:
- 165 secret types across 10 categories: cloud/infra keys (AWS, GCP, Azure, Vercel including the 2024+ prefixed taxonomy vcp_/vci_/vca_/vcr_/vck_, Fly.io, Doppler, HashiCorp Vault, Cloudflare, Dropbox, JFrog/Artifactory and more); payment (Stripe, PayPal, Shopify with 4 token types, credit cards Luhn-validated, Square); VCS (GitHub, GitLab with 10 token types covering deploy/feed/runner/SCIM/k8s-agent/OAuth/feature-flag, Bitbucket); comms/SaaS (Slack including config/session/legacy variants, Twilio, SendGrid, Mailgun, Datadog, Sentry, PagerDuty, Notion, Linear and more); database connection strings (PostgreSQL/MySQL/MongoDB/Redis/Supabase); generic SSH/PEM private keys and JWTs; AI/LLM provider keys (OpenAI, Anthropic user + admin, Cohere, xAI, Mistral, DeepSeek, HuggingFace user + organization, Replicate, Groq, ElevenLabs, AssemblyAI, Deepgram, LangFuse, AWS Bedrock long + short-lived, Vercel AI Gateway, Weights & Biases); DevOps/CI-CD/observability (Databricks, Dynatrace, LaunchDarkly, Harness, Octopus Deploy, Fastly, Gitea, TravisCI, Prefect, Infracost, Sumo Logic, Snyk, Sonar, Sourcegraph); data/analytics (ClickHouse, PlanetScale, PostHog, Postman, Algolia, Contentful); and enterprise identity (Atlassian, 1Password, HubSpot, Mapbox, MaxMind, Zendesk).
- 14 prompt-injection markers for LLM input scanning — 4 phase-1 high-precision (chat-template role-hijack tokens like
<|im_start|>and[INST], tool-call tag injection, known jailbreak personas like DAN/AIM, Unicode bidirectional override / Trojan Source) + 6 phase-2 medium-precision (zero-width Unicode smuggling, fake "Assistant:" turns, system-prompt extraction, instruction override like "ignore previous instructions", persona override (context-gated), encoded-payload markers) + 4 phase-3 SAFE-MCP-derived markers cross-referenced to the SAFE-MCP technique catalog. Catches 20.6% of in-the-wild jailbreaks (validated against theverazuo/jailbreak_llmscorpus). Severity caps athigh— these are attack markers, not credentials.
One scan returns both secret findings and injection markers — no second vendor, no separate pipeline.
Hardening — Sandbox Profiles
The MCP server is intentionally minimal: ~180 lines, two read-only tools, a single egress destination (api.classifinder.ai:443), and the API key as the only secret in scope. That makes it cheap to run under a sandbox. Three documented profiles:
Docker
docker run --rm -i \
--read-only \
--tmpfs /tmp \
-v ~/.classifinder:/root/.classifinder \
-e CLASSIFINDER_API_KEY \
python:3.12-slim sh -c "pip install -q classifinder-mcp && classifinder-mcp"
--read-only— container filesystem is read-only--tmpfs /tmp— writable scratch space for pip / Python-v ~/.classifinder:/root/.classifinder— only persistent mount, used for the audit log-e CLASSIFINDER_API_KEY— key passed via env, never written to disk-i— keeps stdin attached (MCP transport is stdio)
For a faster invocation in production, build a thin image with classifinder-mcp pre-installed.
Firejail (Linux)
firejail \
--noroot \
--caps.drop=all \
--seccomp \
--private-tmp \
--whitelist=~/.classifinder \
--read-only=~ \
--read-write=~/.classifinder \
classifinder-mcp
- Drops all capabilities + applies a default seccomp filter
- Filesystem: home is read-only, only
~/.classifinder/writable - Process runs without root privilege escalation
- Network egress remains open (required for
api.classifinder.ai) — pair with host-level egress filtering (ufw,iptables, ornftables) if you want network restriction
Bubblewrap (Linux)
bwrap \
--ro-bind / / \
--bind ~/.classifinder ~/.classifinder \
--proc /proc --dev /dev --tmpfs /tmp \
--unshare-pid --unshare-uts --new-session --die-with-parent \
--setenv CLASSIFINDER_API_KEY "$CLASSIFINDER_API_KEY" \
classifinder-mcp
- Read-only bind mount of
/; writable bind only for~/.classifinder/ - Fresh PID + UTS namespaces; new session
--die-with-parentensures the sandbox tears down if the host process exits- API key passed via setenv, no file mount needed
Verification
These profiles are documented starting points. None are exercised in this repo's CI — they're correctness-by-construction (read-only bind mounts, dropped caps, single-purpose tmpfs) rather than test-validated. If you run a sandbox in production and want me to roll a verified profile into a future release, open an issue with the exact invocation you're using.
Audit Log
The MCP server appends one JSONL line per tool call to a local audit file. Metadata only — the audit log never contains your input text or any detected secret values.
Default path: ~/.classifinder/mcp-audit.log
Fields per line:
{
"timestamp": "2026-05-22T15:30:42.123456Z",
"tool": "classifinder_scan",
"input_byte_count": 142,
"finding_count": 1,
"latency_ms": 87.4
}
Configuration (env vars):
| Variable | Default | Purpose |
|---|---|---|
CLASSIFINDER_MCP_AUDIT |
1 (on) |
Set to 0 to disable logging entirely |
CLASSIFINDER_MCP_AUDIT_PATH |
~/.classifinder/mcp-audit.log |
Override the log path |
The audit log is observability for your own use — useful for compliance (proving the MCP server ran), debugging (correlating latency spikes), and forensic review (which tool ran when). Write failures are silent; the tool call always succeeds even if the audit cannot be written.
Verifying a Release
Every published release is signed twice:
- PyPI attestations (PEP 740) — minted by PyPI from this repo's OIDC identity during publish. Verified automatically by
pipwhen installing from PyPI; you don't need to do anything. - Sigstore bundles — published as GitHub Release assets (
*.sigstore.jsonnext to the sdist + wheel). Verify withsigstore-python:
pip install sigstore
gh release download v0.1.4 --repo ClassiFinder/classifinder-mcp \
--pattern '*.whl' --pattern '*.sigstore.json'
sigstore verify identity \
--bundle classifinder_mcp-0.1.4-py3-none-any.whl.sigstore.json \
--cert-identity 'https://github.com/ClassiFinder/classifinder-mcp/.github/workflows/release.yml@refs/tags/v0.1.4' \
--cert-oidc-issuer 'https://token.actions.githubusercontent.com' \
classifinder_mcp-0.1.4-py3-none-any.whl
The signing identity binds the artifact to this repo's release.yml workflow at a specific tag — an attacker can't forge a valid bundle without compromising GitHub's OIDC token issuance.
See Also
For CLI scanning instead of MCP, see cfsniff — a command-line tool that scans files, shell history, and configs for secrets (pipx install cfsniff).
Disclaimer
ClassiFinder is a detection aid, not a guarantee. No scanner catches 100% of secrets in 100% of formats. See our Terms of Service for full details.
License
MIT
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.