Is Contract Auditor free?

Yes, Contract Auditor is free to use.

How do I install Contract Auditor?

Contract Auditor is a local plugin. Install it using npm package: contract-auditor-mcp and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What AI apps work with Contract Auditor?

Contract Auditor uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Contract Auditor MCP Server

by Baneado98

Developer ToolsModerate6.8MCP RegistryLocal

Free

Server data from the Official MCP Registry

Smart-contract security quick-scan: rug, honeypot & owner-power risk before you fund it.

About

Smart-contract security quick-scan: rug, honeypot & owner-power risk before you fund it.

Security Report

6.8

Moderate6.8Moderate Risk

Valid MCP server (4 strong, 4 medium validity signals). 4 known CVEs in dependencies (0 critical, 3 high severity) Package registry verified. Imported from the Official MCP Registry.

7 files analyzed · 5 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

env_vars

Check that this permission is expected for this type of plugin.

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-baneado98-contract-auditor": {
      "args": [
        "-y",
        "contract-auditor-mcp"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

contract-auditor 🛡️

Quick-scan a smart contract for rug / honeypot / centralization risk before you approve or send funds.

contract-auditor is an MCP server and a pay-per-call x402 HTTP API. Give it a deployed contract address + chain (or raw Solidity source) and it returns a SAFE / CAUTION / HIGH-RISK verdict with an explained risk score.

It combines three things an AI agent can't gather on its own from a chat:

Verified source from Sourcify (key-less, multi-chain) — or the absence of it (a strong red flag).
Live on-chain state via public RPC — is there code at all? Is it an upgradeable proxy (owner can swap the code)? Who is the owner, and is it a single EOA, a multisig, or renounced?
Heuristic Solidity scan for the real ways a contract takes or freezes your funds.

⚠️ Heuristic quick-scan, not a formal audit. Absence of findings is not proof of safety. Always do your own research before sending funds.

What it catches


🔁 Upgradeable proxy	EIP-1967 / 1167 / beacon — the owner can replace the audited code
👑 Owner powers	mint, pause, blacklist, owner-adjustable fees/tax, max-tx limits, trading on/off, withdraw/sweep
💀 Dangerous primitives	`selfdestruct`, `delegatecall`, `tx.origin` auth, arbitrary external calls, inline assembly
🍯 Honeypot signals	can't-sell patterns: blacklist + uncapped tax + trading switch + wallet/tx caps
🔓 Owner status	live on-chain: renounced, single EOA (one key), or multisig/timelock?
❓ Unverified	no verified source on Sourcify = you can't read what you're trusting

Use as an MCP server (free)

{
  "mcpServers": {
    "contract-auditor": { "command": "npx", "args": ["-y", "contract-auditor-mcp"] }
  }
}

Tool: audit_contract — params: address, chain (alias or chainId), source (optional raw Solidity), deep (boolean).

Or connect over HTTP at POST /mcp.

Free HTTP API

GET https://contract-auditor-ivory.vercel.app/audit?address=0xdAC17F958D2ee523a2206206994597C13D831ec7&chain=ethereum
GET https://contract-auditor-ivory.vercel.app/audit?address=0x...&chain=base

Supported chains: ethereum, base, optimism, arbitrum, polygon, bsc, avalanche, gnosis, celo (or a numeric chainId). Free tier is rate-limited to 30 requests/hour/IP.

Pay-per-call (x402)

The /pro/audit route is gated by x402. Your agent pays $0.25 USDC per call automatically — no sign-up, no API key — settling on-chain (USDC on Base) to the operator wallet.

GET /pro/audit?address=0x...&chain=ethereum   # 402 → pay → result

How it works (honest about the limits)

Source is fetched from Sourcify by (chainId, address). If a contract is only verified on a native explorer and not mirrored to Sourcify, it shows as unverified here — pass the source directly to scan it.
On-chain checks use public RPCs (best-effort, community endpoints). If a chain's RPC is briefly down the audit degrades to a source-only verdict.
The Solidity scan is static pattern/heuristic analysis with comment-stripping and owner-gating context. It is tuned for low false-alarm on well-known patterns, but it is not symbolic execution or a formal verifier.

License

MIT

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Fetch

Free

by Modelcontextprotocol · Developer Tools

Web content fetching and conversion for efficient LLM usage

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

Contract Auditor MCP Server

About

Security Report

Findings (5)Action required

Permissions Required

How to Install

Documentation

contract-auditor 🛡️

What it catches

Use as an MCP server (free)

Free HTTP API

Pay-per-call (x402)

How it works (honest about the limits)

License

Reviews

No reviews yet

More Developer Tools MCP Servers

Fetch

Toleno

mcp-creator-python

MarkItDown

FinAgent

mcp-creator-typescript