90.1/100 (SAFE) for local-mcp-server on AgentSeal (https://agentseal.org), scanned via live adversarial probing, AI semantic analysis, and cross-tool schema review. 4 tools.
A few things worth flagging:
- people_profile_search exposes a broad set of employee PII (email, manager_email, department, title, location, team, and more) with pageSize up to 100 and no schema-level scope restriction. Worth confirming access controls are enforced server-side and that bulk enumeration of the people directory is an intentional affordance.
- company_search and read_documents can reach GitHub, Drive, Confluence, and Jira - datasources that routinely contain credentials, configs, and internal runbooks. If an agent receives a poisoned result that shapes its next search query, it can be steered toward sensitive files. The prompt injection amplification here is meaningful given the breadth of the integrated backends.
- read_documents accepts a url field as a plain string with no format constraint. If Glean's backend fetches that URL server-side, it could be pointed at internal network targets like cloud metadata endpoints.
- The chat tool's context array can carry injected instructions from a prior poisoned turn directly into Glean's RAG pipeline - the attack path is: bad search result in turn N, injected context in turn N+1.
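For the read_documents finding, the check a server should make before fetching a caller-supplied URL looks like the following. This is an added example, not Glean's or AgentSeal's code; the datasource host allowlist is constructed for illustration, and a real server would derive it from its configured integrations.

```python
"""Server-side guard for a free-form ``url`` tool parameter (added example).

Rejects anything that is not an https URL to an allowlisted datasource host,
including IP-literal hosts and internal hostnames, so a server-side fetch
cannot be pointed at link-local or private addresses.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: hosts the integrated datasources actually live on.
ALLOWED_HOST_SUFFIXES = (
    "github.com",
    "docs.google.com",
    "drive.google.com",
    "atlassian.net",
)


def _host_allowed(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def check_document_url(raw: str) -> tuple[bool, str]:
    """Return (ok, reason) for a URL a tool call wants the server to fetch."""
    try:
        parts = urlsplit(raw)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme or '<none>'} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    # IP-literal hosts bypass name-based allowlists; link-local and private
    # ranges are where cloud metadata endpoints and internal services sit.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if (ip.is_link_local or ip.is_private or ip.is_loopback
                or ip.is_reserved or ip.is_unspecified):
            return False, "internal address"
        return False, "IP literal host"
    if host == "localhost" or host.endswith((".localhost", ".internal", ".local")):
        return False, "internal hostname"
    if not _host_allowed(host):
        return False, f"host {host} is not an integrated datasource"
    return True, "ok"
```

Run this check on every call before the fetch, and repeat the address check on the resolved IP and on each redirect target: a public hostname can resolve to an internal address, so a pre-fetch hostname allowlist alone is not sufficient.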
Minor: server_capabilities.tools is reported as false despite 4 tools being defined. Likely a manifest generation bug, but some MCP clients rely on this for capability negotiation.
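The pageSize and server_capabilities.tools findings above are the kind of thing a static pass over the tool manifest catches before any live probing. The following is an added example of such a cross-tool schema lint, not Glean's or AgentSeal's code; the sample manifest is constructed to mirror the report's descriptions of the four tools, and the real schemas may differ in field names and shape. The 25-row page limit is an assumed policy threshold.

```python
"""Cross-tool lint of an MCP server's tool manifest (added example).

Flags: a capabilities block that denies tools while tools are defined,
url-like string fields with no format/pattern/enum constraint, and page-size
parameters with no maximum or one above a policy threshold.
"""
import re
from typing import Any

BULK_PAGE_LIMIT = 25  # assumed policy threshold for directory-style lookups
URL_NAME = re.compile(r"url|uri", re.I)
PAGE_NAME = re.compile(r"^(pageSize|page_size|limit)$", re.I)


def _lint_schema(tool: str, schema: dict[str, Any], path: str,
                 out: list[dict[str, str]]) -> None:
    """Walk one JSON-schema object and append findings for risky properties."""
    for name, prop in schema.get("properties", {}).items():
        p = f"{path}.{name}" if path else name
        ptype = prop.get("type")
        if (ptype == "string" and URL_NAME.search(name)
                and not any(k in prop for k in ("format", "pattern", "enum"))):
            out.append({"tool": tool, "path": p,
                        "issue": "url field is an unconstrained string (no format/pattern/enum)"})
        if PAGE_NAME.match(name) and ptype in ("integer", "number"):
            maximum = prop.get("maximum")
            if maximum is None:
                out.append({"tool": tool, "path": p, "issue": "page size has no maximum"})
            elif maximum > BULK_PAGE_LIMIT:
                out.append({"tool": tool, "path": p,
                            "issue": f"page size maximum {maximum} exceeds {BULK_PAGE_LIMIT}"})
        if ptype == "object":
            _lint_schema(tool, prop, p, out)
        elif ptype == "array" and prop.get("items", {}).get("type") == "object":
            _lint_schema(tool, prop["items"], p + "[]", out)


def lint_manifest(manifest: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per issue across the capabilities block and all tools."""
    out: list[dict[str, str]] = []
    tools = manifest.get("tools", [])
    if tools and not manifest.get("server_capabilities", {}).get("tools", False):
        out.append({"tool": "*", "path": "server_capabilities.tools",
                    "issue": f"reported false but {len(tools)} tools are defined"})
    for t in tools:
        _lint_schema(t["name"], t.get("inputSchema", {}), "", out)
    return out


# Constructed manifest approximating the four tools named in the report.
SAMPLE_MANIFEST: dict[str, Any] = {
    "server_capabilities": {"tools": False},
    "tools": [
        {"name": "people_profile_search", "inputSchema": {"type": "object", "properties": {
            "query": {"type": "string"},
            "pageSize": {"type": "integer", "maximum": 100}}}},
        {"name": "company_search", "inputSchema": {"type": "object", "properties": {
            "query": {"type": "string"},
            "datasources": {"type": "array", "items": {"type": "string"}}}}},
        {"name": "read_documents", "inputSchema": {"type": "object", "properties": {
            "url": {"type": "string"}}}},
        {"name": "chat", "inputSchema": {"type": "object", "properties": {
            "message": {"type": "string"},
            "context": {"type": "array", "items": {"type": "string"}}}}},
    ],
}

if __name__ == "__main__":
    for f in lint_manifest(SAMPLE_MANIFEST):
        print(f"{f['tool']}: {f['path']}: {f['issue']}")
```

Against the sample manifest this reports three findings: the capabilities mismatch, the unconstrained url on read_documents, and the pageSize maximum of 100 on people_profile_search. Adding `"format": "uri"` to the url property and lowering the maximum, together with a correct capabilities block, brings it to zero.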
Full report: https://agentseal.org/mcp/gleanwork-local-mcp-server

If anything here looks off, let us know and we'll update the report.