Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (0-59). Critical exposures cap the grade regardless of numeric score.

| Section | Grade | Score | Detail |
|---|---|---|---|
| Config Posture | F | 82/170 points | |
| Deployment Verification | F | 6/12 applicable checks passed | |
| Detection Coverage | A | 23/23 scenarios detected | |
| MCP Protection | A | no MCP servers configured | |

| Scenario | Category | Result | Detail |
|---|---|---|---|
| AWS access key in URL path | DLP Exfiltration | DETECTED | core_dlp |
| Base64-encoded GitHub token | DLP Exfiltration | DETECTED | dlp |
| Hex-encoded Slack token | DLP Exfiltration | DETECTED | dlp |
| Anthropic API key in text body | DLP Exfiltration | DETECTED | 2 matches |
| OpenAI API key in URL | DLP Exfiltration | DETECTED | dlp |
| Private key (WIF format) in URL | DLP Exfiltration | DETECTED | dlp |
| Classic instruction override | Prompt Injection | DETECTED | Prompt Injection, System Prompt Disclosure |
| Leetspeak evasion | Prompt Injection | DETECTED | System Prompt Disclosure |
| Base64-wrapped injection | Prompt Injection | DETECTED | Prompt Injection |
| Credential solicitation | Prompt Injection | DETECTED | Credential Solicitation |
| Memory persistence directive | Prompt Injection | DETECTED | Memory Persistence Directive |
| Role override (DAN jailbreak) | Prompt Injection | DETECTED | Role Override |
| IMPORTANT tag in description | Tool Poisoning | DETECTED | 1 matches |
| Exfiltration in schema default | Tool Poisoning | DETECTED | 1 matches |
| Cross-tool manipulation | Tool Poisoning | DETECTED | 1 matches |
| Vendor extension with instructions | Tool Poisoning | DETECTED | 1 matches |
| URL-encoded secret in path | URL Evasion | DETECTED | core_dlp |
| CRLF injection in URL | URL Evasion | DETECTED | crlf_injection |
| Overlong URL | URL Evasion | DETECTED | length |
| Path traversal | URL Evasion | DETECTED | path_traversal |
| ETH address in text body | Address Poisoning | DETECTED | 2 matches |
| Lookalike ETH address (homoglyph) | Address Poisoning | KNOWN LIMITATION | 2 matches |
| 12-word BIP-39 mnemonic | Seed Phrase | DETECTED | 1 matches |
| Hidden privilege escalation in skill body | Skill Poisoning | KNOWN LIMITATION | missed by DLP; response-scanning required |
| Secret split across two text scans | Split Payload | KNOWN LIMITATION | partial1=0 partial2=0 |
| Mixed-encoding chain (URL-encoded base64 of secret) | URL Evasion | DETECTED | dlp |

| Severity | Category | Source | Title / Detail | Remediation |
|---|---|---|---|---|
| HIGH | scanning | verify_install | Verification check "browser_shield" failed: browser_shield is disabled in config `{"check": "browser_shield", "detail": "browser_shield is disabled in config", "status": "fail"}` | Investigate why the browser_shield check failed. Run `pipelock diagnose` for detailed diagnostics. |
| HIGH | scanning | verify_install | Verification check "file_sentry" failed: file_sentry is disabled in config `{"check": "file_sentry", "detail": "file_sentry is disabled in config", "status": "fail"}` | Investigate why the file_sentry check failed. Run `pipelock diagnose` for detailed diagnostics. |
| HIGH | scanning | verify_install | Verification check "mcp_binary_integrity_smoke" failed: mcp_binary_integrity is disabled in config `{"check": "mcp_binary_integrity_smoke", "detail": "mcp_binary_integrity is disabled in config", "status": "fail"}` | Investigate why the mcp_binary_integrity_smoke check failed. Run `pipelock diagnose` for detailed diagnostics. |
| HIGH | scanning | verify_install | Verification check "mcp_tool_provenance_smoke" failed: mcp_tool_provenance is disabled in config `{"check": "mcp_tool_provenance_smoke", "detail": "mcp_tool_provenance is disabled in config", "status": "fail"}` | Investigate why the mcp_tool_provenance_smoke check failed. Run `pipelock diagnose` for detailed diagnostics. |
| HIGH | scanning | verify_install | Verification check "scanning_injection" failed: injection detection did not trigger `{"check": "scanning_injection", "detail": "injection detection did not trigger", "status": "fail"}` | Investigate why the scanning_injection check failed. Run `pipelock diagnose` for detailed diagnostics. |
| HIGH | scanning | verify_install | Verification check "scanning_websocket" failed: websocket_proxy is disabled in config `{"check": "scanning_websocket", "detail": "websocket_proxy is disabled in config", "status": "fail"}` | Investigate why the scanning_websocket check failed. Run `pipelock diagnose` for detailed diagnostics. |
| MEDIUM | Kill Switch | audit_score | No kill switch sources configured — no emergency stop capability | Configure kill switch with multiple sources (config, API, sentinel file). |
| MEDIUM | MCP Tool Policy | audit_score | Rule "Recursive Permission Change" matches high-risk tools but effective action is "warn" — consider 'block' | Add tool policy rules to restrict dangerous tool calls. See docs/configuration.md. |
| MEDIUM | MCP Tool Policy | audit_score | Rule "Network Exfiltration" matches high-risk tools but effective action is "warn" — consider 'block' | Add tool policy rules to restrict dangerous tool calls. See docs/configuration.md. |
| MEDIUM | MCP Tool Policy | audit_score | Rule "Package Install" matches high-risk tools but effective action is "warn" — consider 'block' | Add tool policy rules to restrict dangerous tool calls. See docs/configuration.md. |
| MEDIUM | MCP Tool Policy | audit_score | Rule "Detached Process Spawning" matches high-risk tools but effective action is "warn" — consider 'block' | Add tool policy rules to restrict dangerous tool calls. See docs/configuration.md. |
| MEDIUM | MCP Tool Policy | audit_score | Rule "Audit Log Tampering" matches high-risk tools but effective action is "warn" — consider 'block' | Add tool policy rules to restrict dangerous tool calls. See docs/configuration.md. |
| MEDIUM | MCP Tool Scanning | audit_score | Tool scanning action is "warn" — poisoned tool descriptions won't be blocked | Enable MCP tool scanning with `mcp_tool_scanning: {enabled: true, action: block}`. |
| MEDIUM | Redaction | audit_score | Redaction is disabled — provider request/response bodies are not class-preserved | Enable class-preserving redaction with `redaction: {enabled: true, default_profile: <profile>}`. Configure a default profile and dictionaries, then set `strict_reload: true` for fail-closed dictionary failures. |
| MEDIUM | Request Body Scanning | audit_score | Request body scanning action is "warn" — consider 'block' for enforcement | Enable request body scanning with `request_body_scanning: {enabled: true, action: block, scan_headers: true}` to catch secrets in POST/PUT bodies and authorization headers. |
| MEDIUM | Response Scanning | audit_score | Response scanning action is "warn" — consider 'block' or 'ask' for enforcement | Enable response scanning with `response_scanning: {enabled: true, action: block}`. |
| INFO | Address Protection | audit_score | Address protection is disabled — blockchain address poisoning is not detected | Enable blockchain address protection with `address_protection: {enabled: true, action: block, unknown_action: block, allowed_addresses: [<your-addresses>]}`. |
| INFO | Browser Shield | audit_score | Browser shield is disabled — fetch responses are not stripped of DOM traps or tracking pixels | Enable browser shield with `browser_shield: {enabled: true, strictness: standard}`. Use `aggressive` for sensitive fetch destinations. |
| INFO | Cross-Request Detection | audit_score | Cross-request detection is disabled — secrets split across multiple requests will not be reassembled | Enable cross-request detection with `cross_request_detection: {enabled: true, entropy_budget: {enabled: true}, fragment_reassembly: {enabled: true}}` to catch secrets split across requests. |
| INFO | File Sentry | audit_score | File sentry is disabled — filesystem-watch DLP is inactive | Enable filesystem-watch DLP with `file_sentry: {enabled: true, watch_paths: [<sensitive-paths>]}`. |
| INFO | Flight Recorder | audit_score | Flight recorder is disabled — no replayable per-decision evidence is produced | Enable tamper-evident decision recording with `flight_recorder: {enabled: true, sign_checkpoints: true, redact: true}`. |
| INFO | Git Protection | audit_score | Git protection is disabled — pre-push secret scans and command gating are inactive | Enable git-aware protection with `git_protection: {enabled: true, pre_push_scan: true, blocked_commands: ["force-push"]}`. |
| INFO | Live-Lock Contracts | audit_score | Live-lock contracts are disabled — agent behavior drift is not gated | Enable the live-lock contract gate with `learn_lock: {enabled: true, mode: live}`. Use `mode: shadow` first to observe drift before flipping to enforcement. |
| INFO | MCP Session Binding | audit_score | MCP session binding is disabled — tool inventory changes mid-session won't be detected | Enable session binding with `mcp_session_binding: {enabled: true}`. |
| INFO | Mediation Envelope | audit_score | Mediation envelope is disabled — no federation verification of inbound or signed receipts on outbound | Enable mediation envelope with `mediation_envelope: {enabled: true, sign: true, signing_key_path: <ed25519-key>}` to produce signed receipts that downstream verifiers can attest. |
| INFO | Sandbox | audit_score | Sandbox is not enabled — agent processes run without containment | Enable sandbox mode with `sandbox: {enabled: true}` in your pipelock config. |

`pipelock assess verify <run-dir> --agent <agent-name>`