{
  "report": {
    "version": "1.0",
    "server": {
      "slug": "mcp-roundtable-now-20260516084723-c557b8",
      "name": "mcp.roundtable.now",
      "github_url": null,
      "scan_id": "d2806721-3f35-4773-9edf-f1475eadd2f0"
    },
    "framework": {
      "id": "eu_ai_act",
      "name": "EU AI Act",
      "version": "2024/1689",
      "last_updated": "2026-04-23",
      "source_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689"
    },
    "assessment": {
      "assessed_at": "2026-05-16T08:47:24.212Z",
      "rules_version": "2026-04-23",
      "sentinel_version": "0.4.0",
      "coverage_band": "high",
      "coverage_ratio": 0.95,
      "techniques_run": [
        "ast-taint",
        "capability-graph",
        "entropy",
        "linguistic-scoring",
        "schema-inference"
      ]
    },
    "controls": [
      {
        "control_id": "Art.9",
        "control_name": "Risk Management System",
        "control_description": "High-risk AI providers must establish, implement, and maintain a risk management system covering the entire lifecycle, including analysis of reasonably foreseeable misuse and supply-chain risk.",
        "source_url": "https://artificialintelligenceact.eu/article/9/",
        "status": "met",
        "evidence": [],
        "rationale": "22 assessor rule(s) evaluated this control; no findings observed.",
        "required_mitigations": [],
        "assessor_rule_ids": [
          "D1",
          "D2",
          "D3",
          "D4",
          "D5",
          "D6",
          "D7",
          "K9",
          "K10",
          "K11",
          "L1",
          "L2",
          "L3",
          "L5",
          "L6",
          "L7",
          "L8",
          "L10",
          "L12",
          "L13",
          "Q4",
          "Q13"
        ]
      },
      {
        "control_id": "Art.12",
        "control_name": "Record-Keeping",
        "control_description": "High-risk AI systems must automatically record events ('logs') over the system lifetime to ensure traceability of the system's functioning appropriate for the intended purpose.",
        "source_url": "https://artificialintelligenceact.eu/article/12/",
        "status": "met",
        "evidence": [],
        "rationale": "5 assessor rule(s) evaluated this control; no findings observed.",
        "required_mitigations": [],
        "assessor_rule_ids": [
          "K1",
          "K2",
          "K3",
          "K20",
          "E3"
        ]
      },
      {
        "control_id": "Art.13",
        "control_name": "Transparency & Provision of Information to Deployers",
        "control_description": "High-risk AI systems must be sufficiently transparent to enable deployers to interpret the system's output appropriately, including capabilities, limitations, and the conditions of intended use.",
        "source_url": "https://artificialintelligenceact.eu/article/13/",
        "status": "met",
        "evidence": [],
        "rationale": "14 assessor rule(s) evaluated this control; no findings observed.",
        "required_mitigations": [],
        "assessor_rule_ids": [
          "A2",
          "A4",
          "A6",
          "A8",
          "F2",
          "F5",
          "G6",
          "I1",
          "I2",
          "I5",
          "I16",
          "K12",
          "K13",
          "L15"
        ]
      },
      {
        "control_id": "Art.14",
        "control_name": "Human Oversight",
        "control_description": "High-risk AI systems must be designed so that they can be effectively overseen by natural persons during use. Covers the ability to fully understand, monitor, and intervene in the system's operation.",
        "source_url": "https://artificialintelligenceact.eu/article/14/",
        "status": "met",
        "evidence": [],
        "rationale": "13 assessor rule(s) evaluated this control; no findings observed.",
        "required_mitigations": [],
        "assessor_rule_ids": [
          "K4",
          "K5",
          "I12",
          "M5",
          "M6",
          "Q15",
          "H3",
          "F1",
          "F6",
          "J1",
          "K14",
          "K15",
          "Q10"
        ]
      },
      {
        "control_id": "Art.15",
        "control_name": "Accuracy, Robustness, and Cybersecurity",
        "control_description": "High-risk AI systems must achieve appropriate levels of accuracy, robustness, and cybersecurity throughout their lifecycle. Covers resilience against errors, faults, and adversarial manipulation.",
        "source_url": "https://artificialintelligenceact.eu/article/15/",
        "status": "unmet",
        "evidence": [
          {
            "finding_id": "61cd0132-8e30-4ea1-a985-1d1a43f5399e",
            "rule_id": "B1",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool list-sessions — Tool \"list-sessions\" accepts parameters without structural validation. The AI fills each parameter from user input; nothing in the schema rejects injecti",
            "confidence": 0.77
          },
          {
            "finding_id": "e90514a9-b1cc-45a4-959d-699716fe16c9",
            "rule_id": "B1",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool get-logs — Tool \"get-logs\" accepts parameters without structural validation. The AI fills each parameter from user input; nothing in the schema rejects injection payload",
            "confidence": 0.83
          },
          {
            "finding_id": "76850308-84ed-49f6-8d14-3a4ecbebf1ce",
            "rule_id": "B1",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool review-code — Tool \"review-code\" accepts parameters without structural validation. The AI fills each parameter from user input; nothing in the schema rejects injection p",
            "confidence": 0.77
          },
          {
            "finding_id": "f439d476-4431-4205-b05d-ae7b7f90cb7e",
            "rule_id": "B2",
            "severity": "high",
            "evidence_summary": "SOURCE: user-parameter at tool debug-issue — Tool \"debug-issue\" declares 1 parameter(s) whose names advertise direct paths to dangerous sinks. AI clients use parameter names as part of tool-selection ",
            "confidence": 0.78
          },
          {
            "finding_id": "f256d4f1-5c54-4012-b26a-ec36d73f68cb",
            "rule_id": "B2",
            "severity": "high",
            "evidence_summary": "SOURCE: user-parameter at tool review-code — Tool \"review-code\" declares 1 parameter(s) whose names advertise direct paths to dangerous sinks. AI clients use parameter names as part of tool-selection ",
            "confidence": 0.78
          },
          {
            "finding_id": "621fa1be-5268-4cac-be25-faf763efd01e",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool get-logs — Tool \"get-logs\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared keys that bypass every v",
            "confidence": 0.75
          },
          {
            "finding_id": "c855cf72-2e77-4a86-9139-44b5b135226a",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool check-usage — Tool \"check-usage\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared keys that bypass e",
            "confidence": 0.75
          },
          {
            "finding_id": "b09dcccf-781f-45cf-a2af-0d62c0d7ced7",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool set-thread-visibility — Tool \"set-thread-visibility\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclare",
            "confidence": 0.75
          },
          {
            "finding_id": "4cc0a000-65b2-4522-91d7-c0f42e9b1e36",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool consult-council — Tool \"consult-council\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared keys that ",
            "confidence": 0.75
          },
          {
            "finding_id": "a323c4e7-47b1-45fe-88fd-056e0a0ef7b8",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool design-architecture — Tool \"design-architecture\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared ke",
            "confidence": 0.75
          },
          {
            "finding_id": "a0625c9d-7bfc-46bb-819f-49b4db98945f",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool review-code — Tool \"review-code\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared keys that bypass e",
            "confidence": 0.75
          },
          {
            "finding_id": "5af5d271-0d0e-477d-9164-17a9b9550785",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool plan-implementation — Tool \"plan-implementation\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared ke",
            "confidence": 0.75
          },
          {
            "finding_id": "65d3d893-82cb-47aa-9853-74b023d43932",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool debug-issue — Tool \"debug-issue\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared keys that bypass e",
            "confidence": 0.75
          },
          {
            "finding_id": "568d8a76-1b24-456d-97d7-eb1ec40795f4",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool assess-tradeoffs — Tool \"assess-tradeoffs\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared keys tha",
            "confidence": 0.75
          },
          {
            "finding_id": "73de9549-1ebf-4fbe-aa3e-ec68b658e2b5",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool get-thread-link — Tool \"get-thread-link\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared keys that ",
            "confidence": 0.75
          },
          {
            "finding_id": "dc823304-2b49-43d9-b208-b5b47e6208f3",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool list-models — Tool \"list-models\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared keys that bypass e",
            "confidence": 0.75
          },
          {
            "finding_id": "f66e8b7f-a225-4248-9ec8-95c9420df523",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool list-sessions — Tool \"list-sessions\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared keys that bypa",
            "confidence": 0.75
          },
          {
            "finding_id": "f56ab38a-7c58-4425-b6c3-0d0f82a8357a",
            "rule_id": "B6",
            "severity": "medium",
            "evidence_summary": "SOURCE: user-parameter at tool get-session — Tool \"get-session\" input_schema accepts arbitrary extra keys. The declared properties are validated, but the handler may read undeclared keys that bypass e",
            "confidence": 0.75
          },
          {
            "finding_id": "e1ba7b5d-6c31-49d4-9190-e3c3367bb514",
            "rule_id": "E1",
            "severity": "medium",
            "evidence_summary": "SOURCE: environment at capability:tools — An MCP server that answers tool enumeration without authentication trusts the network. Under modern threat models (CCS 2007 DNS rebinding, open cloud networki",
            "confidence": 0.75
          },
          {
            "finding_id": "e7fa1c3a-4ef5-4e17-8204-1cf7fdf5f3c6",
            "rule_id": "G1",
            "severity": "critical",
            "evidence_summary": "SOURCE: external-content at tool plan-implementation — The capability-graph analyzer attributes the gateway as: \"Filesystem reader — in MCP deployments the reader routinely crosses paths a non-host us",
            "confidence": 0.75
          },
          {
            "finding_id": "89c0635d-2245-49da-b226-267b1c8905d3",
            "rule_id": "G1",
            "severity": "critical",
            "evidence_summary": "SOURCE: external-content at resource roundtable://usage#uri — The capability-graph analyzer attributes the gateway as: \"MCP resource \"usage\" (roundtable://usage) is a spec-declared ingestion surface; ",
            "confidence": 0.75
          },
          {
            "finding_id": "3a3fc489-a2b0-45c2-9366-c6fca3a89c3c",
            "rule_id": "G1",
            "severity": "critical",
            "evidence_summary": "SOURCE: external-content at resource roundtable://models#uri — The capability-graph analyzer attributes the gateway as: \"MCP resource \"models\" (roundtable://models) is a spec-declared ingestion surfac",
            "confidence": 0.75
          },
          {
            "finding_id": "a187f654-9e33-477e-9746-f8be8eed8b54",
            "rule_id": "G1",
            "severity": "critical",
            "evidence_summary": "SOURCE: external-content at resource ui://roundtable/debate-results.html#uri — The capability-graph analyzer attributes the gateway as: \"MCP resource \"Roundtable Widget\" (ui://roundtable/debate-result",
            "confidence": 0.75
          }
        ],
        "rationale": "111 assessor rule(s) evaluated this control; 23 finding(s) observed (17 medium, 2 high, 4 critical); at least one finding is at or above the high threshold (status: unmet).",
        "required_mitigations": [
          "Add at least one validation keyword to every string and number parameter. For strings: maxLength, pattern, format, or enum. For numbers: minimum, maximum, or multipleOf. JSON Schema validation runs before the tool handler and is the cheapest first-line defence against injection and DoS.",
          "Replace dangerous parameter names with semantic, narrow equivalents — \"command\" → \"operation\" with an enum of allowed verbs; \"sql\" → a structured filter object; \"path\" → a constrained \"relative_path\" with pattern and maxLength. Add pattern / enum constraints to every remaining dangerous parameter so the schema itself rejects injection payloads.",
          "Set additionalProperties: false on every object schema. This rejects any key outside the declared properties, closing the side-channel smuggling path and enforcing the schema's stated contract.",
          "Require authentication for all MCP server connections. For remote MCP servers adopt OAuth 2.0 per RFC 9700 / the MCP Authorization specification. For stdio-launched servers rely on the parent process's security boundary and DO NOT expose the same server over network transports. Even localhost-bound servers should require auth: DNS rebinding (CCS 2007) makes localhost reachable from any browser tab.",
          "This tool ingests content from sources an attacker can influence (web pages, emails, messages, files, database rows, issue trackers, MCP resources). The content returned is processed by the agent without a declared trust boundary, creating an indirect prompt injection gateway. Required mitigations: (a) document every untrusted ingestion surface in the server's README, (b) wrap returned content in explicit delimiters ([BEGIN EXTERNAL CONTENT] … [END EXTERNAL CONTENT]) before returning to the agent, (c) strip HTML / markdown / control characters in a sanitiser the agent cannot disable via a tool argument, (d) require a user confirmation on any tool call whose arguments are sourced from a prior ingestion tool's output. References: Rehberger (2024) 'Compromising Claude via MCP web scraping'; Invariant Labs (2025) 'MCP Indirect Injection Attacks'; MITRE ATLAS AML.T0054.001."
        ],
        "assessor_rule_ids": [
          "A1",
          "A3",
          "A5",
          "A7",
          "A9",
          "B1",
          "B2",
          "B3",
          "B4",
          "B5",
          "B6",
          "B7",
          "C1",
          "C2",
          "C3",
          "C4",
          "C5",
          "C6",
          "C7",
          "C8",
          "C9",
          "C10",
          "C11",
          "C12",
          "C13",
          "C14",
          "C15",
          "C16",
          "E1",
          "E2",
          "E4",
          "F3",
          "F4",
          "F7",
          "G1",
          "G2",
          "G3",
          "G4",
          "G5",
          "G7",
          "H1",
          "H2",
          "I3",
          "I4",
          "I6",
          "I7",
          "I8",
          "I9",
          "I10",
          "I11",
          "I13",
          "I15",
          "J2",
          "J3",
          "J4",
          "J5",
          "J6",
          "J7",
          "K6",
          "K7",
          "K8",
          "K16",
          "K17",
          "K18",
          "K19",
          "L4",
          "L9",
          "L11",
          "L14",
          "M1",
          "M2",
          "M4",
          "M7",
          "M8",
          "M9",
          "N1",
          "N2",
          "N3",
          "N4",
          "N5",
          "N6",
          "N7",
          "N8",
          "N9",
          "N10",
          "N11",
          "N12",
          "N13",
          "N14",
          "N15",
          "O4",
          "O5",
          "O6",
          "O8",
          "O9",
          "O10",
          "P1",
          "P2",
          "P3",
          "P4",
          "P5",
          "P6",
          "P7",
          "P8",
          "P9",
          "P10",
          "Q3",
          "Q6",
          "Q7",
          "Q10",
          "Q15"
        ]
      }
    ],
    "summary": {
      "total_controls": 5,
      "met": 4,
      "unmet": 1,
      "partial": 0,
      "not_applicable": 0,
      "overall_status": "non_compliant"
    },
    "kill_chains": [],
    "executive_summary": "Assessment of mcp.roundtable.now against EU AI Act: overall status non-compliant. Of 5 controls, 4 met, 1 unmet, 0 partial, 0 not applicable. 5 control(s) fell within MCP Sentinel's current assessor coverage; remaining control(s) are documented as not_applicable until Phase 6 expands coverage. Unmet controls have findings at or above the framework's mandatory severity threshold and should be remediated before relying on this server in a regulated deployment. All claims are traceable to individual finding rows via finding_id and to the governing rule via rule_id; the enclosing signed envelope commits MCP Sentinel to the exact bytes of this report."
  },
  "attestation": {
    "algorithm": "HMAC-SHA256",
    "signature": "oTmxGLhCRmxRhFHfSJyml51uVZ4IaxA88OOaFNGvRpI=",
    "key_id": "mcp-sentinel-dev",
    "signed_at": "2026-05-16T11:06:31.083Z",
    "signer": "mcp-sentinel/v1",
    "canonicalization": "RFC8785"
  }
}