High-trust MCP slice
Workspace MCP Security Audit
A $1,000 fixed-price review for MCP servers and agent tools that connect to email, calendar, chat, docs, drive, CRM, tickets, and other sensitive workspace systems.
Price: USD $1,000 fixed
Target: Email, calendar, chat, docs, drive MCP
Risk: Org data, messages, invites, files, secrets
Output: Boundary map + issue-ready fix plan
Why this is sensitive
Workspace agents cross private data and write actions
Workspace MCP servers often combine broad read access with send, update, upload, invite, comment, or publish actions. That makes permission boundaries and redaction behavior more important than generic agent testing.
- Read-only search/list tools separated from send, update, upload, invite, comment, and delete tools
- OAuth scope mapping, token storage assumptions, tenant boundaries, and revocation behavior
- Secret and sensitive-content redaction across logs, errors, telemetry, and agent-visible output
- Prompt/tool injection tests for emails, documents, tickets, chat messages, and calendar descriptions
- Remote transport exposure, trusted clients, auth layer, and workspace admin assumptions
- Retry behavior for sends, edits, uploads, invitations, and other non-idempotent actions
Sprint path
48-hour target after scope and payment
- Open an intake with the repo, integration docs, or sanitized workspace tool slice.
- Public GitHub repo intakes receive an automated no-execution scanner triage comment.
- Scope is accepted around one workspace MCP surface.
- Payment is confirmed before private review work starts.