How MCP Security Score Works

MCP Security Score uses a multi-stage analysis pipeline to comprehensively evaluate the security of your MCP servers. This page explains each stage of the scanning process.

Overview

The scanning process consists of four main stages:

1. Repository Acquisition - Get your code
2. Static Analysis - Pattern-based security checks
3. AI Analysis - Behavioral and semantic analysis
4. Scoring - Calculate your security grade

Stage 1: Repository Acquisition

GitHub Repositories

When you submit a GitHub URL:

1. We validate the URL format
2. Check if the repository exists and is accessible
3. Perform a shallow clone (git clone --depth 1)
4. Clone to a temporary directory on our servers

Limits:

• Repository must be public (or you need Pro for private repos)
• Maximum clone time: 30 seconds
• Maximum repository size: ~100MB

ZIP Upload

When you upload a ZIP file:

1. Validate the file is a valid ZIP archive
2. Check compressed size (max 4.5MB)
3. Extract to temporary directory
4. Validate extracted size (max 50MB, zip bomb protection)
5. Skip irrelevant files (node_modules, .git, binaries)

Stage 2: File Discovery

Once we have your code, we discover scannable files:

Supported File Types

JavaScript/TypeScript:

• .ts, .tsx, .js, .jsx, .mjs, .cjs
• package.json, tsconfig.json

Python:

• .py, .pyw
• requirements.txt, setup.py, pyproject.toml, Pipfile

MCP Entry Point Detection

We identify MCP server entry points by looking for:

• server.ts, server.js, index.ts, index.js
• server.py, main.py, mcp.py, __main__.py
• Files importing @modelcontextprotocol/sdk or mcp

File Limits

• Maximum 500 files scanned per repository
• Maximum 1MB per file
• Skip binary files, images, lock files

Stage 3: Static Analysis

Our static analysis engine runs 43 security checks across your code:

How Checks Work

Each check follows this pattern:

1. Target Selection - Determine which files to analyze based on extensions
2. Pattern Matching - Use regex or AST parsing to find issues
3. Context Analysis - Filter out false positives (comments, test files)
4. Result Generation - Create finding with location, severity, remediation

Check Categories

| Category | Checks | What It Detects | |----------|--------|-----------------| | RCE | 5 | eval(), exec(), child_process, dynamic imports | | Secrets | 3 | API keys, passwords, private keys in code | | Network | 3 | Disabled TLS, hardcoded IPs/URLs | | Filesystem | 2 | Sensitive paths, path traversal | | Supply Chain | 6 | CVEs, typosquatting, suspicious scripts | | MCP (TS) | 6 | Excessive tools, missing validation | | Python | 11 | pickle, yaml.load, SQL injection | | MCP (Python) | 7 | Subprocess in tools, missing descriptions |

Detection Methods

Regex-Based:

• Fast pattern matching for known dangerous patterns
• Example: Detecting AKIA[0-9A-Z]{16} for AWS keys

AST-Based:

• Parse code into Abstract Syntax Tree
• Understand code structure, not just text
• Powered by Tree-sitter (TypeScript, JavaScript, Python)

Dependency Analysis:

• Parse package.json and requirements.txt
• Query OSV API for known CVEs
• Detect typosquatting attempts

Stage 4: AI Analysis

When enabled, our AI analysis provides deeper insights:

Behavioral Analysis

Using Claude, we analyze your MCP server to understand:

• What it does - Summary of capabilities
• Trust Score - AI's confidence in the server's safety (0-100)
• Detected Risks - Behavioral concerns not caught by static analysis
• Recommendations - Security improvements to consider

Prompt Injection Detection

We specifically look for:

• User input flowing to AI prompts without sanitization
• Tool descriptions that could be manipulated
• Potential for indirect prompt injection attacks

Report Summary

AI generates:

• Executive Summary - High-level overview for stakeholders
• Key Findings - Most important issues to address
• Risk Assessment - Overall risk level
• Prioritized Actions - What to fix first

Stage 5: Scoring

Score Calculation

Your security score starts at 100 and deducts points per finding:

| Severity | Deduction | |----------|-----------| | Critical | -20 points | | High | -12 points | | Medium | -6 points | | Low | -3 points | | Info | -1 point |

Diminishing returns: After 50 points deducted in a category, further deductions are reduced to prevent instant zero scores.

Category Weighting

Final score is weighted by category importance:

| Category | Weight | |----------|--------| | Tool Permissions (RCE, Auth) | 25% | | Input Handling (Filesystem, Data) | 25% | | Dependencies (Supply Chain) | 20% | | Code Patterns (Network, Secrets) | 15% | | Transparency (MCP-Specific) | 15% |

Safety Score

When AI analysis is enabled, we calculate a Safety Score that combines:

• 60% - Static analysis score
• 40% - AI trust score

This provides a more holistic view of your MCP server's security.

Grade Assignment

| Score | Grade | Meaning | |-------|-------|---------| | 90-100 | A | Excellent security posture | | 80-89 | B | Good, minor improvements possible | | 70-79 | C | Fair, some issues to address | | 60-69 | D | Poor, significant issues found | | 0-59 | F | Critical vulnerabilities present |

Cleanup

After each scan:

1. Temporary files are deleted
2. No code is retained on our servers
3. Results are stored in your account
4. Optional 24-hour caching for repeat scans

Performance

Typical scan times:

| Repository Size | Time | |-----------------|------| | Small (under 50 files) | 10-20 seconds | | Medium (50-200 files) | 20-40 seconds | | Large (200-500 files) | 40-60 seconds |

AI analysis adds approximately 10-20 seconds.

Next Steps

• Understanding Scores - Detailed score interpretation
• Security Checks - Reference for all 43 checks
• API Reference - Automate scans programmatically