Config is the same across clients — only the file and path differ.
```json
{
  "mcpServers": {
    "agentpay-sentinel": {
      "args": [
        "/absolute/path/to/agentpay-sentinel-mcp/server.py"
      ],
      "command": "python"
    }
  }
}
```
A watchdog MCP that validates every agent payment request against all 9 security checks before it executes — catching policy violations, replay attacks, amount tampering, revoked tokens, and budget overruns at call time.
Run this in your terminal to verify the server starts.
uvx 'mcp' 2>&1 | head -1 && echo "✓ Server started successfully"
Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default
The Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using `FastMCP` with streamable HTTP or SSE transport, and has not configured `TransportSecuritySettings`, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or ac
MCP Python SDK vulnerability in the FastMCP Server causes validation error, leading to DoS
A validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Thank you to Rich Harang for reporting this issue.
MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to Denial of Service
If a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Thank you to Rich Harang for reporting this issue.
merchant_id:amount binding, catching forged or tampered tokens

current_spend + amount > budget_cap and returns exact remaining budget

Requires: Python 3.10+, mcp package.
pip install mcp
Claude Desktop — add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
```json
{
  "mcpServers": {
    "agentpay-sentinel": {
      "command": "python",
      "args": ["/absolute/path/to/agentpay-sentinel-mcp/server.py"]
    }
  }
}
```
Cursor — add to .cursor/mcp.json in your project root:
```json
{
  "mcpServers": {
    "agentpay-sentinel": {
      "command": "python",
      "args": ["/absolute/path/to/agentpay-sentinel-mcp/server.py"]
    }
  }
}
```
| Tool | Description | Key params |
|---|---|---|
| sentinel_audit_transaction | Run all 9 security checks; returns PASS/BLOCKED + SHA-256 audit hash | token_hash, merchant_id, amount, current_spend, budget_cap (required) · nonce, token_id, approved_amount (enable checks 7–9) |
| sentinel_revoke_token | Permanently revoke a token — all future audits with this token_id will BLOCK | token_id, reason |
| sentinel_clear_nonce | Remove a nonce from the replay store (for legitimate refunds/retries only) | nonce |
| sentinel_verify_chain | Verify a sequence of audit hashes forms an unbroken chain | audit_hashes, expected_chain_root |
| sentinel_threat_model | Simulate any named attack vector; returns severity, defence, and detection | attack_vector, context |

sentinel_audit_transaction

| # | Check | What it catches | Param |
|---|---|---|---|
| 1 | Token integrity | SHA-256 hash mismatch — forged tokens | token_hash |
| 2 | Budget enforcement | Spend exceeding cap | current_spend, budget_cap |
| 3 | Merchant allowlist | Payment to unlisted merchant | allowlist |
| 4 | Category restriction | Purchase in blocked category | blocked_categories |
| 5 | Expiry check | Expired token | expires_at |
| 6 | Rate limit | Too many calls per minute | calls_this_minute |
| 7 | Amount mismatch | Agent changed amount after human approved | approved_amount |
| 8 | Replay attack | Same nonce used twice (file-backed store) | nonce |
| 9 | Revocation evasion | Agent using a revoked token | token_id |
Checks 7–9 activate when the corresponding param is passed. State persists to ~/.sentinel/.
sentinel_threat_model

token_forgery · budget_overflow · replay_attack · amount_mismatch · revocation_evasion · merchant_spoof · expiry_bypass
sentinel_audit_transaction returns an advisory verdict — it does not intercept network traffic. Your agent is responsible for calling it before executing a payment and halting on BLOCKED. The audit hash returned is a SHA-256 digest of all check results, giving you a tamper-evident record of each pre-flight decision.
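
A sketch of the agent-side gate the paragraph above calls for, as an added example that is not the project's own code: it re-implements checks 2, 7, 8 and 9 from the table locally and refuses to pay on BLOCKED. The names `preflight` and `pay_if_allowed`, the in-memory stores, the choice to record a nonce only on PASS, and the digest layout are all assumptions; amounts are integer minor units.

```python
import hashlib
import json

# Assumption: in-memory sets stand in for the file-backed state under ~/.sentinel/.
SEEN_NONCES = set()
REVOKED_TOKENS = {"tok_revoked_demo"}  # constructed sample value


def preflight(req):
    """Run checks 2, 7, 8 and 9; return (verdict, results, remaining, digest)."""
    remaining = req["budget_cap"] - req["current_spend"]
    results = {
        "budget": req["current_spend"] + req["amount"] <= req["budget_cap"],
        # Checks 7-9 only activate when their parameter is supplied.
        "amount_match": req.get("approved_amount") in (None, req["amount"]),
        "replay": req.get("nonce") is None or req["nonce"] not in SEEN_NONCES,
        "revocation": req.get("token_id") not in REVOKED_TOKENS,
    }
    verdict = "PASS" if all(results.values()) else "BLOCKED"
    # Assumption: record the nonce only on PASS, so a blocked attempt
    # cannot burn a nonce the legitimate request still needs.
    if verdict == "PASS" and req.get("nonce") is not None:
        SEEN_NONCES.add(req["nonce"])
    # Assumed digest layout: SHA-256 over canonical JSON of request + results.
    record = json.dumps({"req": req, "results": results, "verdict": verdict},
                        sort_keys=True, separators=(",", ":"))
    return verdict, results, remaining, hashlib.sha256(record.encode()).hexdigest()


def pay_if_allowed(req, execute_payment):
    """The verdict is advisory: the caller must halt on anything but PASS."""
    verdict, results, remaining, digest = preflight(req)
    if verdict != "PASS":
        failed = sorted(name for name, ok in results.items() if not ok)
        return {"executed": False, "failed": failed,
                "remaining": remaining, "audit_hash": digest}
    execute_payment(req)
    return {"executed": True, "failed": [],
            "remaining": remaining - req["amount"], "audit_hash": digest}
```

Persist the returned `audit_hash` alongside the payment record so a later review can tell whether a pre-flight decision was altered after the fact.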