Know if your MCP server is safe before your users do

Paste a GitHub URL. Get a security score in under 60 seconds.


Here's what a scan looks like

example/mcp-weather-server (Sample Report)

Score: 82 (Grade B)
Files scanned: 47
Scan time: 12.3s
Findings: 1 High, 3 Medium, 5 Low

Category scores
  • Code Execution: 100
  • Secrets: 95
  • Supply Chain: 85
  • MCP Tools: 72

Top Findings

Hardcoded API key detected

src/config.ts:23

Missing input validation on tool

src/tools/search.ts:45

Fetch without timeout

src/tools/fetch.ts:12

AI Analysis (Claude)

Trust Score: 76/100
Low prompt injection risk

Server fetches weather data from external API and returns formatted responses. No unexpected file system or network access detected.

  • Tool accepts arbitrary city names without validation
  • API responses are passed directly to output

How it works

1. Enter a GitHub URL or upload a ZIP

Public repositories work out of the box. Private repos coming soon.

2. Deep security analysis

43 security checks with AST parsing, plus AI-powered behavior verification.

3. Get a detailed report

Score, findings, remediation steps. Download PDF or integrate via API.

What we detect

43 security checks across 8 categories, built specifically for MCP servers.

Remote Code Execution

  • eval(), new Function()
  • child_process.exec(), shell commands
  • Dynamic imports with user input

Hardcoded Secrets

  • AWS, OpenAI, Anthropic, Stripe API keys
  • Passwords in connection strings
  • Private keys (RSA, SSH, PGP)

Supply Chain Risks

  • Known CVEs via OSV database
  • Typosquatting detection
  • Suspicious postinstall scripts

MCP-Specific Issues

  • Unbounded tool operations (no timeouts)
  • Missing input validation on tools
  • Dangerous tool names (exec, delete, admin)
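To make "security checks with AST parsing" concrete, here is an added example (not the scanner's own code) of the kind of check behind three of the categories above: dynamic code execution (eval/exec, subprocess with shell=True), a hardcoded secret assigned to a KEY/SECRET/TOKEN-style name, and an outbound HTTP call with no timeout, the same finding the sample report shows as "Fetch without timeout". It uses Python's standard ast module on a constructed sample module; the check ids, the name heuristics and the sample source are this example's assumptions, not the scanner's rules.

```python
"""Added example: AST-based checks over a constructed Python MCP tool module."""
import ast

# Constructed sample with several of the page's finding types baked in.
SAMPLE_SOURCE = '''
import subprocess
import requests

OPENAI_API_KEY = "sk-constructed-example-key-0123456789"

def run_tool(cmd):
    return subprocess.run(cmd, shell=True)

def fetch_weather(city):
    return requests.get("https://example.invalid/weather?q=" + city).json()

def compute(expr):
    return eval(expr)

def safe_fetch(url):
    return requests.get(url, timeout=10)
'''

SECRET_NAME_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD")  # assumed heuristic
HTTP_CALLS = {"get", "post", "put", "delete", "request"}


def _call_name(node):
    """Dotted name of a call target ('subprocess.run', 'eval'), or None if not a plain name."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _keyword(node, name):
    """The AST value passed for keyword argument `name`, or None if absent."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def scan_source(source, filename="<input>"):
    """Return findings as (check_id, line, message), sorted by line."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in ("eval", "exec"):
                findings.append(("code-exec", node.lineno, f"{name}() executes dynamic code"))
            elif name and name.startswith("subprocess."):
                shell = _keyword(node, "shell")
                if isinstance(shell, ast.Constant) and shell.value is True:
                    findings.append(("code-exec", node.lineno, f"{name} called with shell=True"))
            elif name and name.startswith("requests.") and name.split(".")[-1] in HTTP_CALLS:
                if _keyword(node, "timeout") is None:
                    findings.append(("no-timeout", node.lineno, f"{name} without a timeout"))
        elif isinstance(node, ast.Assign):
            value = node.value
            # A long string literal assigned to a secret-looking name.
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and len(value.value) >= 16:
                for target in node.targets:
                    if isinstance(target, ast.Name) and any(h in target.id.upper() for h in SECRET_NAME_HINTS):
                        findings.append(("hardcoded-secret", node.lineno, f"string literal assigned to {target.id}"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for check_id, line, message in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: [{check_id}] {message}")
```

Run as a script it lists four findings on the sample (the secret on line 5, shell=True on line 8, the untimed request on line 11 and eval on line 14) and nothing for safe_fetch, which passes a timeout. Pattern matching on the syntax tree rather than on text is what lets a check tell `requests.get(url, timeout=10)` apart from `requests.get(url)` without being fooled by line breaks or comments.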

AI-Powered Analysis

Claude

Claude analyzes your server's behavior and intent—catching risks that pattern matching alone can miss.

Behavior Verification

Does the code do what it claims? We check for hidden functionality.

Prompt Injection

Detects vulnerabilities where user input could manipulate AI behavior.

Trust Score

A single safety score combining all security signals.

Integrate into your pipeline

Use the API to scan on every push. Block deploys when the security score drops below your threshold.

  • REST API with Bearer token auth
  • Pro: 100 requests/day, Team: 500/day
  • JSON response with full findings

CI/CD Integration
# Start a scan
curl -X POST https://mcpscanner.com/api/v1/scan \
  -H "Authorization: Bearer mcp_sk_..." \
  -H "Content-Type: application/json" \
  -d '{"url": "github.com/your/mcp-server"}'

# Response: {"scanId": "scan_abc123", "status": "pending"}

# Poll for results
curl https://mcpscanner.com/api/v1/scan/scan_abc123 \
  -H "Authorization: Bearer mcp_sk_..."

# Use in CI: fail if score < 70 (a missing score, e.g. scan still pending, also fails)
SCORE=$(curl -s .../scan/scan_abc123 -H "Authorization: Bearer mcp_sk_..." | jq '.score // 0')
if [ "$SCORE" -lt 70 ]; then exit 1; fi
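The same start, poll, gate flow as a CI script, written as an added example (not mcpscanner.com's own client). It relies only on what the snippet above shows: POST /scan returning scanId and status, GET /scan/{id} reporting "pending" until done, and a numeric score. It reads the token from an environment variable instead of a literal, bounds the number of polls so a stuck scan cannot hang the pipeline, and fails closed when no score comes back. The MCPSCAN_TOKEN and MCPSCAN_MIN_SCORE variable names and the injectable fetch transport are assumptions of this example.

```python
"""Added example: CI gate that starts a scan, polls it, and fails the build below a threshold."""
import json
import os
import sys
import time
import urllib.error
import urllib.request

API_BASE = "https://mcpscanner.com/api/v1"  # base URL from the page's curl examples


def http_fetch(method, url, token, body=None):
    """Real transport: one HTTPS request with Bearer auth, JSON in and out."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def start_scan(fetch, token, repo_url):
    """POST /scan; returns the scanId from the response."""
    resp = fetch("POST", f"{API_BASE}/scan", token, {"url": repo_url})
    scan_id = resp.get("scanId")
    if not scan_id:
        raise RuntimeError(f"scan start returned no scanId: {resp!r}")
    return scan_id


def wait_for_scan(fetch, token, scan_id, *, attempts=30, delay=5.0, sleep=time.sleep):
    """GET /scan/{id} until status is no longer 'pending'; bounded so CI cannot hang."""
    for _ in range(attempts):
        resp = fetch("GET", f"{API_BASE}/scan/{scan_id}", token)
        if resp.get("status") != "pending":
            return resp
        sleep(delay)
    raise TimeoutError(f"scan {scan_id} still pending after {attempts} polls")


def gate(result, threshold):
    """Pass/fail for a finished scan; fails closed on a missing or non-numeric score."""
    score = result.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, "no numeric score in scan result; failing closed"
    if score < threshold:
        return False, f"score {score} is below threshold {threshold}"
    return True, f"score {score} meets threshold {threshold}"


def run_gate(fetch, token, repo_url, threshold, *, attempts=30, delay=5.0, sleep=time.sleep):
    """Whole flow; returns (exit_code, message). Any failure to reach a verdict is exit 1."""
    try:
        scan_id = start_scan(fetch, token, repo_url)
        result = wait_for_scan(fetch, token, scan_id, attempts=attempts, delay=delay, sleep=sleep)
    except (RuntimeError, TimeoutError, urllib.error.URLError, ValueError) as exc:
        return 1, f"scan did not produce a verdict: {exc}"
    ok, reason = gate(result, threshold)
    return (0 if ok else 1), reason


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <github-repo-url>", file=sys.stderr)
        return 2
    token = os.environ.get("MCPSCAN_TOKEN")  # assumed env var name; never commit the key literal
    if not token:
        print("MCPSCAN_TOKEN is not set", file=sys.stderr)
        return 2
    # Assumed env var name; 70 is the threshold used in the page's snippet.
    threshold = int(os.environ.get("MCPSCAN_MIN_SCORE", "70"))
    code, message = run_gate(http_fetch, token, argv[1], threshold)
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage in a pipeline step: `MCPSCAN_TOKEN=... python ci_gate.py github.com/your/mcp-server`; a non-zero exit blocks the deploy. The transport is passed in as a function so the decision logic can be exercised with canned responses and without network access.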

Three ways to scan

GitHub URL

Paste any public repository URL. We clone and scan automatically.

ZIP Upload

Upload a ZIP of your code. Perfect for local or private projects.

REST API

Integrate into CI/CD. Block deploys on low scores. Pro plan required.

  • 43 security checks
  • TypeScript + Python
  • AI-powered analysis
  • Free tier: 5 scans/month

Ready to scan your MCP server?

Start with 5 free scans. No credit card required.