Server data from the Official MCP Registry
Scan any public GitHub MCP-server repo for security issues. 37 MCP-specific L1 rules, 8 languages.
Scan any public GitHub MCP-server repo for security issues. 37 MCP-specific L1 rules, 8 languages.
Remote endpoints: streamable-http: https://scan.compuute.se/mcp/
Well-structured API wrapper around compuute-scan with strong input validation, proper error handling, and transparent framing about static analysis limitations. Code quality is high and permissions align with purpose. Minor concerns around subprocess invocation and in-memory caching do not substantially impact security posture for this category. Supply chain analysis found 4 known vulnerabilities in dependencies (0 critical, 3 high severity).
7 files analyzed · 9 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Available as Local & Remote
This plugin can run on your machine or connect to a hosted endpoint. during install.
From the project's GitHub README.
Scan-as-a-Service for MCP servers. HTTP + MCP wrapper around compuute-scan — the MCP-specific static security scanner. Designed for agent-callable consumption.
POST a public GitHub repo URL → get a structured security report scored against 37 MCP-specific rules across 8 languages (TS/JS, Python, Go, Rust, C#, Java, Kotlin).
Honesty note (read first): compuute-scan is a pattern-breadth detector, not an exploitability oracle. Historic false-positive rate after manual validation is ~90% on raw output (verified against modelcontextprotocol/servers: 138 raw findings → 13 confirmed). Every response carries a
_disclaimerfield stating this explicitly. Use findings as a triage queue, not as a list of confirmed vulnerabilities. See docs/FP-RATES.md for per-rule transparency.
Live at https://scan.compuute.se. Service version reported by /v1/health.
| Method | Path | Purpose | Auth |
|---|---|---|---|
| POST | /v1/scan | Scan a public GitHub MCP-server repo (free tier, rate-limited) | none |
| POST | /v1/scan/pay | Same as above via x402 micropayment ($0.10 USDC on Base L2) | X-Payment header |
| GET | /v1/scan/info | Scanner version + limits + supported ecosystems | none |
| GET | /v1/health | Liveness + scanner-binary availability | none |
| Method | Path | Purpose |
|---|---|---|
| GET | /openapi.json | OpenAPI v3 spec with per-field descriptions |
| GET | /docs | Swagger UI for the OpenAPI spec |
| Endpoint | Tool | Transport |
|---|---|---|
/mcp/ | scan_mcp_server(github_url) | Streamable HTTP |
Install in Claude Code: claude mcp add compuute-scan --transport http --url https://scan.compuute.se/mcp/
/.well-known/)| Path | Format | Consumer |
|---|---|---|
/.well-known/agent.json | A2A Agent Card | Google A2A protocol |
/.well-known/agent-card.json | A2A Agent Card (alias) | A2A clients using -card.json naming |
/.well-known/ai-plugin.json | OpenAI plugin manifest | ChatGPT / OpenAI tools |
/.well-known/x402.json | x402 payment manifest | Coinbase Agent.market crawlers, x402 aggregators |
/.well-known/x402 | Alias of x402.json | x402 probes without .json suffix |
/llms.txt | markdown summary | LLM-driven agent-search crawlers (Exa, Perplexity-style) per llmstxt.org |
/robots.txt | crawler policy | search engines |
/sitemap.xml | URL index | search engines |
curl -X POST https://scan.compuute.se/v1/scan \
-H 'Content-Type: application/json' \
-H 'Idempotency-Key: 00000000-0000-0000-0000-000000000001' \
-d '{"repo_url": "https://github.com/modelcontextprotocol/servers"}'
Response (truncated):
{
"repo_url": "https://github.com/modelcontextprotocol/servers",
"scanner": {"name": "compuute-scan", "version": "0.6.2", "layers_covered": ["L0", "L1"]},
"summary": {"critical": 1, "high": 94, "medium": 22, "low": 0, "files_scanned": 77},
"score": 0,
"recommendation": "AVOID — 1 critical and 94 high finding(s)...",
"top_findings": [...],
"performance": {"clone_seconds": 1.2, "scan_seconds": 0.5, "repo_size_bytes": 41234},
"_disclaimer": "PATTERN MATCH — compuute-scan is a static analyzer..."
}
| Feature | How |
|---|---|
| Idempotent retries (24h cache) | Idempotency-Key header |
| HTTP cache | ETag + Cache-Control: public, max-age=1800 |
| Conditional GET | If-None-Match → 304 Not Modified |
| Rate-limit headers | X-RateLimit-Limit/Remaining/Reset |
| Strict input validation | Pydantic extra="forbid", GitHub-HTTPS-only |
| OWASP security headers | HSTS / X-Frame-Options / X-Content-Type-Options / CSP / Referrer-Policy / Permissions-Policy |
| OpenAPI for discovery | GET /openapi.json with descriptions on every field |
| MCP for agent discovery | /mcp/ exposes scan_mcp_server tool |
| x402 for autonomous purchase | /v1/scan/pay returns 402 with USDC/Base payment requirements |
| Honest framing | Every response carries _disclaimer — pattern match, not exploitability claim |
| Tier | Audience | Price |
|---|---|---|
| Open Source CLI | Indie devs, agent builders | $0 — npx compuute-scan ./repo |
| Hosted API (free) | Agent operators evaluating MCP servers | $0 — POST /v1/scan, rate-limited |
| Hosted API (x402) | Autonomous agents in Agent.market ecosystem | $0.10 USDC/scan — POST /v1/scan/pay |
| MCP Security Audit | Enterprises shipping MCP to production | $5K–$30K SoW |
| AI Procurement Risk Audit | CFO/CTO/CISO buying enterprise AI capacity | $5K–$15K SoW |
Full breakdown with JSON-LD: https://compuute.se/pricing.
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
export COMPUUTE_SCAN_PATH=$HOME/compuute-scan/compuute-scan.js
uvicorn main:app --reload
pytest tests/ -v
# 34 tests covering scan, x402, MCP, discovery, OpenAPI
| Script | What it does |
|---|---|
scripts/precheck.sh | Start-of-session check: branch, working tree, tests, live state, next backlog item |
scripts/postcheck.sh | End-of-session check: committer hygiene, tests, append to docs/PROGRESS.md |
scripts/status.sh | 30-second live-state check against scan.compuute.se (4 probes) |
scripts/sbom.sh | Generate CycloneDX SBOM, optionally upload to a GitHub Release |
scripts/prospect-research.sh | Pull qualified prospects from GitHub + Anthropic Registry, draft DM angles |
scripts/measure-tiers.sh | T0/T1/T2 distribution snapshot per docs/agent-economy-strategy.md §5 — reach, engagement, conversion measured against Railway logs + Base RPC + GitHub stars |
api/services/scan.py — clone + sandbox + scan + parse. Pure functions.api/services/x402_service.py — x402 verify / settle via Coinbase facilitator.api/serializers/scan_serializer.py — Pydantic models, strict validation.api/routes/scan.py — HTTP layer for /v1/scan: idempotency, cache, ETag.api/routes/scan_x402.py — HTTP layer for /v1/scan/pay.api/routes/discovery.py — /.well-known/*, /robots.txt, /sitemap.xml.api/mcp_server.py — FastMCP server exposing scan_mcp_server.main.py — FastAPI wiring + middleware (security headers, CORS).Bundled compuute-scan version is pinned in the Dockerfile (ARG COMPUUTE_SCAN_REF=v0.6.2).
| Doc | For |
|---|---|
| docs/agent-economy-strategy.md | The strategic doc — a16z-verified data, the 11-signal buyer-agent model, two-track strategy, 30-day pivot trigger. Read first if you're trying to understand the company. |
| docs/STRATEGY.md | Position, pricing tiers, roadmap, decision log |
| docs/ARCHITECTURE.md | Component diagram, request flow, threat model, deployment topology |
| docs/DEVELOPMENT.md | Local setup, layout, code style, common pitfalls — onboard a new dev in 30 min |
| docs/MONITORING.md | Endpoints to watch, automated checks, runbook for failures |
| docs/FP-RATES.md | Per-rule false-positive transparency |
| docs/scan-self-triage.md | What this scanner reports when run against its own code |
| docs/whitepaper/ | MCP Security Methodology v1.0 (Markdown + PDF) |
| docs/case-studies/ | Three anonymized engagement reports from the May 2026 batch |
| docs/advisories/ | Public advisories under the COMPUUTE-YYYY-NNN numbering |
| docs/security/ | Self-pentest reports (90-day cadence) |
| docs/audits/ | The AI Procurement Risk Audit checklist (lead magnet) |
| docs/compliance/ | SOC 2 Type I readiness statement, TSC control mapping |
| docs/submissions/ | LangChain + CrewAI tool wrappers ready for PR/marketplace |
| skills/compuute-scan/ | Claude Skill package (SKILL.md + scan.sh) — submitted to anthropics/skills#1346 |
| CODE_OF_CONDUCT.md | Contributor Covenant 2.1 |
| docs/launches/ | Show HN draft + posting checklist |
| docs/setup/ | Status page (BetterStack) + analytics (PostHog) setup guides |
| docs/agentic-market-submission.md | Three paths to Coinbase Agent.market listing |
| BACKLOG.md | GitHub Issues + Project board roadmap |
| IDEAS.md | Composted product hypotheses with gating rules |
| CONTRIBUTING.md | How to contribute |
| SECURITY.md | Vulnerability disclosure policy (90-day window) |
Found a vulnerability? See SECURITY.md — email security@compuute.se. We follow a 90-day coordinated disclosure window.
MIT (matches compuute-scan).
Compuute AB — daniel@compuute.se
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.