yashash4/reef-mcp-registry

★ 12PythonAudience · ops devopsComplexity · 4/5ActiveLicenseSetup · moderate

Mindmap

mindmap
  root((reef-mcp-registry))
    Inputs
      MCP servers
      Agent traffic
      Audit log
    Outputs
      Signed registry
      Blocked attacks
      Insurance PDF
    Use Cases
      MCP supply-chain check
      Outbound data block
      Cyber insurance prep
    Tech Stack
      Python
      Sigstore
      MCP
      Merkle tree

mindmap root((reef-mcp-registry)) Inputs MCP servers Agent traffic Audit log Outputs Signed registry Blocked attacks Insurance PDF Use Cases MCP supply-chain check Outbound data block Cyber insurance prep Tech Stack Python Sigstore MCP Merkle tree

Things people build with this

USE CASE 1

Block an AI agent from calling a tampered or unsigned MCP server before the handshake

USE CASE 2

Strip risky markdown images and deny outbound domains for an AI agent in real time

USE CASE 3

Generate a signed PDF risk artifact mapping agent behaviour to OWASP and MITRE frameworks

USE CASE 4

Run integration tests that replay four known MCP attack patterns against the registry

Tech stack

PythonSigstoreMCPVercel

Getting it running

Difficulty · moderate Time to first run · 30min

Hackathon-grade stack: Python registry plus a runtime proxy, with sample data and integration tests but several moving parts to wire up.

MIT license, do almost anything with the code as long as you keep the copyright notice.

In plain English

Reef is a hackathon project (built for TechEx 2026) aimed at two linked problems in the world of AI agents that can call external tools. The first problem is supply-chain safety: when an agent reaches out to a Model Context Protocol (MCP) server to use a tool, it has no easy way of knowing whether that tool has been tampered with. The second problem is insurance: most cyber-insurance policies in 2026 explicitly exclude AI agents, so a company that deploys a fleet of them cannot get a normal policy to cover the risk. Reef tries to address both at once. The first layer is a Sigstore-style signed registry of MCP servers, paired with a runtime checker. When an agent tries to connect to a tool that is poisoned or unsigned, Reef blocks the handshake before any tool call is made. The README points at a real-world example: a flaw in Anthropic's MCP that OX Security disclosed in April 2026, which affected over seven thousand publicly reachable servers. Reef claims to block this attack and three others (an EchoLeak-style email exfiltration, a Markdown-image leak trick, and a tool-chain drift attack) at one hundred percent in its test suite, with the unprotected baseline blocking zero percent. The second layer sits between the AI and the outside internet, based on a project called Lobster Trap. It can strip out sneaky markdown images, deny outbound connections to specific domains, and fail closed when the agent tries to leak data, all in roughly one second. The third layer is the part aimed at insurance brokers. After the agent fleet has run for a while, Reef produces a six-page signed PDF called the Reef Insurance Artifact (RIA). The PDF lists every agent, model, MCP server, tool, and policy version in the fleet, maps the agent's behaviour to the OWASP Agentic Top 10 and MITRE ATLAS frameworks, shows a thirty-day attack heatmap pulled from a Merkle-tree audit log, and ends with a risk tier and a rough premium range. The risk tier is anchored on Munich Re's published AI insurance framework, but the README is careful to say the premium range is an estimate and not a real Lloyd's of London quote. The code is MIT licensed, written mostly in Python, and ships with sample data, integration tests that anyone can re-run, and a live demo at reef-mcp-registry.vercel.app.

Copy-paste prompts

Prompt 1

Walk me through cloning reef-mcp-registry and running its integration tests for the four MCP attack patterns locally.

Prompt 2

Show me how to register a new MCP server with the Reef signed registry and have an agent verify the signature.

Prompt 3

Explain how the Lobster Trap layer in Reef strips markdown images and blocks outbound exfiltration in roughly one second.

Prompt 4

Help me read the Reef Insurance Artifact PDF and map its OWASP Agentic Top 10 and MITRE ATLAS sections to my agent fleet.

Prompt 5

Build a small Python demo that connects to a poisoned MCP server through Reef and confirms the handshake is blocked.

Open on GitHub → Explain another repo

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.