Server data from the Official MCP Registry
No-account public website privacy risk scans with 20 new scans/day and free recent-result reuse.
No-account public website privacy risk scans with 20 new scans/day and free recent-result reuse.
Remote endpoints: streamable-http: https://mcp.certscore.ai/mcp/light
This monorepo contains a web scanning and risk signal analysis system with significant code quality concerns and several moderate security issues. While the project demonstrates thoughtful architecture and reasonable credential handling patterns (env vars, no hardcoded secrets), it exhibits poor input validation practices, overly broad permission scopes (unrestricted network access, broad database access, file system access), and insufficient error handling in critical validation paths. The scanner's ability to crawl arbitrary websites combined with lax validation of runtime artifacts creates data integrity and potential injection risks. Supply chain analysis found 4 known vulnerabilities in dependencies (0 critical, 1 high severity).
4 files analyzed · 15 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: NEXT_PUBLIC_APP_URL
Environment variable: BETTER_AUTH_SECRET
Environment variable: GOOGLE_CLIENT_SECRET
Environment variable: S3_REGION
Environment variable: DATABASE_URL
Environment variable: WORKER_CONCURRENCY
Environment variable: VALIDATION_OPENAI_MODEL
Environment variable: WEB_BOT_AUTH_ENABLED
Available as Local & Remote
This plugin can run on your machine or connect to a hosted endpoint. during install.
From the project's GitHub README.
CertScore (certscore.ai) is a production-minded MVP for scanning public websites for potential accessibility, privacy, cookie, policy, and disclosure risk signals. It is a risk signal and monitoring product, not a legal certification platform.
website-signal-risk-scanner/
├─ apps/
│ ├─ web/
│ └─ validation-worker/
├─ packages/
│ ├─ shared/
│ ├─ web-bot-auth/
│ ├─ db/
│ └─ ui/
├─ docs/
├─ .env.example
├─ turbo.json
├─ package.json
└─ pnpm-workspace.yaml
apps/web: product-facing web app and control-plane workflowsapps/validation-worker: active validation runtime owned by WC01packages/shared: shared constants, types, validators, scoring config, and scheduling helperspackages/web-bot-auth: server-only Web Bot Auth signing and key-directory helperspackages/db: PostgreSQL query helpers, migrations, seed SQL, and env helperspackages/ui: reusable UI primitivesWC01 is now the product/control-plane repo.
WS01WS01This monorepo should use apps/web/.env.local as the single local development runtime env:
Use .env.example only as a reference template for shared keys. Do not rely on a root .env.local for app runtime configuration.
Recommended environment split inside WC01:
Do not point localhost at the production database or production auth credentials unless you are intentionally testing production behavior.
Required for the web app:
NEXT_PUBLIC_APP_URLDATABASE_URLBETTER_AUTH_SECRETGOOGLE_CLIENT_IDGOOGLE_CLIENT_SECRETS3_BUCKETS3_REGIONS3_ACCESS_KEY_IDS3_SECRET_ACCESS_KEYRequired for the validation runtime in WC01:
DATABASE_URLOPENAI_API_KEYOptional but recommended:
WORKER_CONCURRENCYPLAYWRIGHT_BROWSERS_PATHVALIDATION_OPENAI_MODELVALIDATION_NANO_MODELWEB_BOT_AUTH_ENABLEDWEB_BOT_AUTH_PRIVATE_KEY_PEMWEB_BOT_AUTH_SIGNATURE_AGENT_URLUse Node 20 or Node 22 LTS for local development. Node 25 is not supported here and can fail DNS resolution for app routes and external service calls on localhost.
pnpm installcp apps/web/.env.example apps/web/.env.localhttp://localhost:3000/api/auth/callback/googlehttp://127.0.0.1:3000/api/auth/callback/googlehttps://certscore.ai/api/auth/callback/google/auth/callback is only an app alias route; it is not the redirect URI Better Auth initiates with GoogleNEXT_PUBLIC_APP_URL should be http://localhost:3000S3_BUCKET.pnpm --filter @website-signal-risk-scanner/validation-worker exec playwright install chromiumpnpm dev:validationpnpm --filter @website-signal-risk-scanner/web devWS01 when you need the standalone scanner locally.localhost:3000:pnpm dev:scanner:localWC01:pnpm dev:allpnpm dev:validation:schedulerUse these commands before shipping changes:
pnpm turbo run typecheckpnpm turbo run buildValidation-specific checks:
pnpm --filter @website-signal-risk-scanner/validation-worker typecheckpnpm test:scan-pipelineThe scan pipeline test is deterministic and runs locally from apps/validation-worker/src/validation/pipeline.test.ts.
The normalized concern lifecycle in WC01 is documented in docs/normalized-concern-pipeline.md.
GitHub Actions workflow: .github/workflows/accessibility-validation.yml
worker-scan-pipeline-tests runs on pushes to main, pull requests, and manual dispatch. It installs Chromium, typechecks validation-worker, and runs pnpm test:scan-pipeline.live-validation-smoke runs after the deterministic job and executes pnpm --filter @website-signal-risk-scanner/validation-worker smoke:validation only when the runtime secrets are configured.Use these lightweight checks before first deployment validation:
pnpm dev:storage:localpnpm --filter @website-signal-risk-scanner/web check-envpnpm check-env:validationpnpm --filter @website-signal-risk-scanner/validation-worker check-envpnpm --filter @website-signal-risk-scanner/validation-worker check-runtimeFor local validation runs, pnpm dev:storage:local starts MinIO against the apps/web/.env.local S3 settings and creates the configured bucket when needed.
Run it alongside pnpm dev:scanner:local and pnpm dev:validation:worker.
Use this runtime smoke helper:
pnpm --filter @website-signal-risk-scanner/validation-worker schedulerThe full runtime QA sequence is documented in docs/runtime-validation.md. The validation pipeline design and deployment shape are documented in docs/validation-pipeline-plan.md. The validation crawler deployment and VM runbook is documented in docs/validation-ops-runbook.md. Cloudflare Verified Bot setup is documented in docs/cloudflare-web-bot-auth.md.
ConsentCheck can expose a signed HTTP Message Signatures key directory and sign outbound HTTP crawler requests for Cloudflare Verified Bot workflows.
Required configuration:
WEB_BOT_AUTH_ENABLEDWEB_BOT_AUTH_PRIVATE_KEY_PEMWEB_BOT_AUTH_SIGNATURE_AGENT_URLWEB_BOT_AUTH_EXPIRES_SECONDSWEB_BOT_AUTH_INCLUDE_NONCECommon commands:
pnpm web-bot-auth:generatepnpm web-bot-auth:printpnpm web-bot-auth:test-requestpnpm test:web-bot-authcertscore.aiconsentcheck.site is owned outside WC01 and must not be deployed by this repomain deploys through /.github/workflows/web-aws-ecs-deploy.ymlpnpm ops:check:deploy before or after topology changes to catch stale local assumptionspnpm ops:check:live against the public hosts to verify runtime target and revision alignment after deployWC01 for the primary scanner deploy pathWS01 for scanner runtime deploymentWC01 deployment guidance scoped to web and validation onlyWC01 validation runtime changesS3_BUCKETRecommended production trigger:
Command:
pnpm dev:validation:schedulerThe primary scanner scheduler now lives in WS01.
After deployment, validate in this order:
WS01 owns crawl, auditing, scoring, reporting, PDF generation, and scheduled sweep logic.Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.