Server data from the Official MCP Registry
CertScore MCP server for scan creation, findings, evidence, and domain lookup.
CertScore MCP server for scan creation, findings, evidence, and domain lookup.
This is a complex monorepo for a web risk scanning and analysis platform with legitimate business purposes. However, several security concerns warrant attention: hardcoded environment variable paths in documentation, potential data exfiltration through extensive runtime data collection without clear user consent mechanisms, overly broad permissions for database and environment variable access, and incomplete input validation in critical policy evaluation logic. The codebase demonstrates reasonable security structure (env-based config, auth integration) but lacks evidence of privacy-by-design and contains patterns that could enable unauthorized data exposure. Supply chain analysis found 4 known vulnerabilities in dependencies (0 critical, 1 high severity). Package verification found 1 issue (1 critical, 0 high severity).
4 files analyzed · 13 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Unverified package source
We couldn't verify that the installable package matches the reviewed source code. Proceed with caution.
Set these up before or after installing:
Environment variable: CERTSCORE_API_KEY
Environment variable: CERTSCORE_BASE_URL
Add this to your MCP configuration file:
{
"mcpServers": {
"ai-certscore-mcp": {
"env": {
"CERTSCORE_API_KEY": "your-certscore-api-key-here",
"CERTSCORE_BASE_URL": "your-certscore-base-url-here"
},
"args": [
"-y",
"website-signal-risk-scanner"
],
"command": "npx"
}
}
}From the project's GitHub README.
CertScore (certscore.ai) is a production-minded MVP for scanning public websites for potential accessibility, privacy, cookie, policy, and disclosure risk signals. It is a risk signal and monitoring product, not a legal certification platform.
website-signal-risk-scanner/
├─ apps/
│ ├─ web/
│ └─ validation-worker/
├─ packages/
│ ├─ shared/
│ ├─ web-bot-auth/
│ ├─ db/
│ └─ ui/
├─ docs/
├─ .env.example
├─ turbo.json
├─ package.json
└─ pnpm-workspace.yaml
apps/web: product-facing web app and control-plane workflowsapps/validation-worker: active validation runtime owned by WC01packages/shared: shared constants, types, validators, scoring config, and scheduling helperspackages/web-bot-auth: server-only Web Bot Auth signing and key-directory helperspackages/db: PostgreSQL query helpers, migrations, seed SQL, and env helperspackages/ui: reusable UI primitivesWC01 is now the product/control-plane repo.
WS01WS01This monorepo should use apps/web/.env.local as the single local development runtime env:
Use .env.example only as a reference template for shared keys. Do not rely on a root .env.local for app runtime configuration.
Recommended environment split inside WC01:
Do not point localhost at the production database or production auth credentials unless you are intentionally testing production behavior.
Required for the web app:
NEXT_PUBLIC_APP_URLDATABASE_URLBETTER_AUTH_SECRETGOOGLE_CLIENT_IDGOOGLE_CLIENT_SECRETS3_BUCKETS3_REGIONS3_ACCESS_KEY_IDS3_SECRET_ACCESS_KEYRequired for the validation runtime in WC01:
DATABASE_URLOPENAI_API_KEYOptional but recommended:
WORKER_CONCURRENCYPLAYWRIGHT_BROWSERS_PATHVALIDATION_OPENAI_MODELVALIDATION_NANO_MODELWEB_BOT_AUTH_ENABLEDWEB_BOT_AUTH_PRIVATE_KEY_PEMWEB_BOT_AUTH_SIGNATURE_AGENT_URLUse Node 20 or Node 22 LTS for local development. Node 25 is not supported here and can fail DNS resolution for app routes and external service calls on localhost.
pnpm installcp apps/web/.env.example apps/web/.env.localhttp://localhost:3000/api/auth/callback/googlehttp://127.0.0.1:3000/api/auth/callback/googlehttps://certscore.ai/api/auth/callback/google/auth/callback is only an app alias route; it is not the redirect URI Better Auth initiates with GoogleNEXT_PUBLIC_APP_URL should be http://localhost:3000S3_BUCKET.pnpm --filter @website-signal-risk-scanner/validation-worker exec playwright install chromiumpnpm dev:validationpnpm --filter @website-signal-risk-scanner/web devWS01 when you need the standalone scanner locally.localhost:3000:pnpm dev:scanner:localWC01:pnpm dev:allpnpm dev:validation:schedulerUse these commands before shipping changes:
pnpm turbo run typecheckpnpm turbo run buildValidation-specific checks:
pnpm --filter @website-signal-risk-scanner/validation-worker typecheckpnpm test:scan-pipelineThe scan pipeline test is deterministic and runs locally from apps/validation-worker/src/validation/pipeline.test.ts.
The normalized concern lifecycle in WC01 is documented in docs/normalized-concern-pipeline.md.
GitHub Actions workflow: .github/workflows/accessibility-validation.yml
worker-scan-pipeline-tests runs on pushes to main, pull requests, and manual dispatch. It installs Chromium, typechecks validation-worker, and runs pnpm test:scan-pipeline.live-validation-smoke runs after the deterministic job and executes pnpm --filter @website-signal-risk-scanner/validation-worker smoke:validation only when the runtime secrets are configured.Use these lightweight checks before first deployment validation:
pnpm dev:storage:localpnpm --filter @website-signal-risk-scanner/web check-envpnpm check-env:validationpnpm --filter @website-signal-risk-scanner/validation-worker check-envpnpm --filter @website-signal-risk-scanner/validation-worker check-runtimeFor local validation runs, pnpm dev:storage:local starts MinIO against the apps/web/.env.local S3 settings and creates the configured bucket when needed.
Run it alongside pnpm dev:scanner:local and pnpm dev:validation:worker.
Use this runtime smoke helper:
pnpm --filter @website-signal-risk-scanner/validation-worker schedulerThe full runtime QA sequence is documented in docs/runtime-validation.md. The validation pipeline design and deployment shape are documented in docs/validation-pipeline-plan.md. The validation crawler deployment and VM runbook is documented in docs/validation-ops-runbook.md. Cloudflare Verified Bot setup is documented in docs/cloudflare-web-bot-auth.md.
ConsentCheck can expose a signed HTTP Message Signatures key directory and sign outbound HTTP crawler requests for Cloudflare Verified Bot workflows.
Required configuration:
WEB_BOT_AUTH_ENABLEDWEB_BOT_AUTH_PRIVATE_KEY_PEMWEB_BOT_AUTH_SIGNATURE_AGENT_URLWEB_BOT_AUTH_EXPIRES_SECONDSWEB_BOT_AUTH_INCLUDE_NONCECommon commands:
pnpm web-bot-auth:generatepnpm web-bot-auth:printpnpm web-bot-auth:test-requestpnpm test:web-bot-authcertscore.aiconsentcheck.site is owned outside WC01 and must not be deployed by this repomain deploys through /.github/workflows/web-aws-ecs-deploy.ymlpnpm ops:check:deploy before or after topology changes to catch stale local assumptionspnpm ops:check:live against the public hosts to verify runtime target and revision alignment after deployWC01 for the primary scanner deploy pathWS01 for scanner runtime deploymentWC01 deployment guidance scoped to web and validation onlyWC01 validation runtime changesS3_BUCKETRecommended production trigger:
Command:
pnpm dev:validation:schedulerThe primary scanner scheduler now lives in WS01.
After deployment, validate in this order:
WS01 owns crawl, auditing, scoring, reporting, PDF generation, and scheduled sweep logic.Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.