Shrike Security MCP Server
Protects AI agents from threats like prompt injection, jailbreaks, and SQL injection through a multi-layer scanning pipeline. It also enables PII redaction and rehydration to ensure data privacy during LLM interactions.
README
shrike-mcp
MCP (Model Context Protocol) server for Shrike Security — protect AI agents from prompt injection, jailbreaks, SQL injection, data exfiltration, and malicious file operations.
Installation
npm install -g shrike-mcp
Or use with npx:
npx shrike-mcp
Quick Start
With Claude Desktop
Add to your Claude Desktop configuration (~/.claude/claude_desktop_config.json):
{
"mcpServers": {
"shrike-security": {
"command": "npx",
"args": ["shrike-mcp"],
"env": {
"SHRIKE_API_KEY": "your-api-key-here"
}
}
}
}
Without an API key, scans run on the free tier (regex-only layers L1–L4). With an API key, you get the full 9-layer scan pipeline including LLM semantic analysis.
Environment Variables
| Variable | Description | Default |
|---|---|---|
SHRIKE_API_KEY |
API key for authenticated scans (enables L7/L8 LLM layers) | none (free tier) |
SHRIKE_BACKEND_URL |
URL of the Shrike backend API | https://api.shrikesecurity.com/agent |
MCP_SCAN_TIMEOUT_MS |
Timeout for scan requests (ms) | 15000 |
MCP_RATE_LIMIT_PER_MINUTE |
Max requests per minute per customer | 100 |
MCP_TRANSPORT |
Transport mode: stdio (default) or http |
stdio |
MCP_PORT |
HTTP server port (used when MCP_TRANSPORT=http) |
8000 |
MCP_DEBUG |
Enable debug logging (true/false) |
false |
Available Tools
scan_prompt
Scans user prompts for prompt injection, jailbreak attempts, and malicious content. Supports PII redaction with token-based rehydration.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
content |
string | Yes | The prompt text to scan |
context |
string | No | Conversation history for context-aware scanning |
redact_pii |
boolean | No | When true, PII is redacted before scanning. Response includes tokens for rehydration. |
Example:
const result = await mcp.callTool('scan_prompt', {
content: userInput,
context: conversationHistory,
redact_pii: true,
});
if (result.blocked) {
console.log('Threat detected:', result.threat_type);
} else if (result.pii_redaction) {
// Use redacted content for LLM processing
const safePrompt = result.pii_redaction.redacted_content;
}
scan_response
Scans LLM-generated responses before showing them to users. Detects system prompt leaks, unexpected PII, toxic language, and topic drift. Rehydrates PII tokens when provided.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
response |
string | Yes | The LLM-generated response to scan |
original_prompt |
string | No | The original prompt (enables PII diff and topic mismatch detection) |
pii_tokens |
array | No | PII token map from scan_prompt(redact_pii=true) for rehydration |
Example:
const result = await mcp.callTool('scan_response', {
response: llmOutput,
original_prompt: userInput,
pii_tokens: scanPromptResult.pii_redaction?.tokens,
});
if (result.blocked) {
console.log('Response blocked:', result.threat_type);
} else if (result.rehydrated_response) {
// PII tokens replaced with original values
showToUser(result.rehydrated_response);
}
scan_sql_query
Scans SQL queries for injection attacks and dangerous operations before execution.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
query |
string | Yes | The SQL query to scan |
database |
string | No | Target database name for context |
allowDestructive |
boolean | No | Allow DROP/TRUNCATE for migrations (default: false) |
Example:
const result = await mcp.callTool('scan_sql_query', {
query: sqlQuery,
database: 'postgresql',
});
if (result.blocked) {
throw new Error(`SQL injection detected: ${result.guidance}`);
}
scan_file_write
Validates file paths and content before write operations. Checks for path traversal, secrets in content, and sensitive file access.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
path |
string | Yes | The target file path |
content |
string | Yes | The content to write |
mode |
string | No | Write mode: create, overwrite, or append |
Example:
const result = await mcp.callTool('scan_file_write', {
path: filePath,
content: fileContent,
mode: 'create',
});
if (result.blocked) {
throw new Error(`File write blocked: ${result.guidance}`);
}
scan_web_search
Scans web search queries for PII exposure, data exfiltration patterns, and blocked domains.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
query |
string | Yes | The search query to scan |
targetDomains |
string[] | No | List of target domains to validate |
Example:
const result = await mcp.callTool('scan_web_search', {
query: searchQuery,
targetDomains: ['example.com'],
});
if (result.blocked) {
console.log('Search blocked:', result.guidance);
}
report_bypass
Reports content that bypassed security checks to improve detection via ThreatSense pattern learning.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
prompt |
string | No | The prompt that bypassed detection |
filePath |
string | No | File path for file_write bypasses |
fileContent |
string | No | File content that should have been blocked |
sqlQuery |
string | No | SQL query that bypassed injection detection |
searchQuery |
string | No | Web search query with undetected PII |
mutationType |
string | No | Type of mutation used (e.g., semantic_rewrite, encoding_exploit) |
category |
string | No | Threat category (auto-inferred if not provided) |
notes |
string | No | Additional notes about the bypass |
get_threat_intel
Retrieves current threat intelligence including active detection patterns, threat categories, and statistics.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
category |
string | No | Filter by threat category |
limit |
number | No | Max patterns to return (default: 50) |
Response Format
All scan tools return a sanitized response:
{
"blocked": true,
"threat_type": "prompt_injection",
"severity": "high",
"confidence": "high",
"guidance": "This prompt contains patterns consistent with instruction override attempts.",
"request_id": "req_lxyz123_a8f3k2m9"
}
Safe results return:
{
"blocked": false,
"request_id": "req_lxyz123_a8f3k2m9"
}
Security Model
This MCP server implements a fail-closed security model:
- Network timeouts result in BLOCK (not allow)
- Backend errors result in BLOCK (not allow)
- Unknown content types result in BLOCK (not allow)
This prevents bypass attacks via service disruption.
Known Limitations
- Free tier is regex-only — No LLM semantic analysis without API key
- No offline mode — Requires network access to Shrike backend
- Response Intelligence requires original prompt —
original_promptparam is optional but recommended for full L8 analysis - Rate limits are MCP-side only — Backend has separate per-tier limits
- HTTP transport is stateless — Each request creates a new server instance; no session persistence across requests
License
Apache License 2.0 — See LICENSE for details.
Support
- GitHub Issues: https://github.com/Shrike-Security/shrike-mcp/issues
- Email: support@shrikesecurity.com
Changelog
v1.1.0 (February 12, 2026)
- Dual transport: stdio (default) + HTTP (Streamable HTTP)
- SDK upgrade to
@modelcontextprotocol/sdk@1.26.0 - Published to MCP Registry
- Health check, agent card, and Docker support for cloud deployments
v1.0.0 (February 10, 2026)
- Initial public release
- 7 MCP tools for AI agent security
- 9-layer detection pipeline
- PII isolation with token rehydration
- Response obfuscation for IP protection
Links
- GitHub Repository
- npm Package
- MCP Registry (search "shrike")
- Issue Tracker
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.