Server data from the Official MCP Registry
Verify a skill, tool, or package for malicious behavior before your agent installs it. Hosted.
Verify a skill, tool, or package for malicious behavior before your agent installs it. Hosted.
Remote endpoints: streamable-http: https://lazaretto.dev/mcp
Valid MCP server (2 strong, 2 medium validity signals). No known CVEs in dependencies. Imported from the Official MCP Registry. 1 finding(s) downgraded by scanner intelligence.
2 tools verified · Open access · 1 issue found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Remote Plugin
No local installation needed. Your AI client connects to the remote endpoint directly.
Add this to your MCP configuration to connect:
{
"mcpServers": {
"io-github-jamesdfinance-dev-lazaretto": {
"url": "https://lazaretto.dev/mcp"
}
}
}From the project's GitHub README.
An MCP server that lets an agent verify a skill, tool, or package before it installs it. It is a thin front end for the Lazaretto API. It ships no detection logic and does nothing but make HTTPS requests, so it is easy to audit.
known_bad_lookup: free, no key. Is a sha256 content hash a known-bad
artifact? Exact-hash match against an indicator store refreshed daily.scan_artifact: fetches a target (npm package, GitHub repo, ClawHub
skill, raw URL, or inline text) without running it and returns a deterministic
verdict (malicious, flagged, clear, error) with evidence. A full scan
needs prepaid credits (set an X-API-Key header). Buy them at
https://lazaretto.dev/#pricing.Reports are signals with evidence, not a warranty. clear means no known-bad
match and no rule fired. It is not a statement about risk.
The server is hosted at https://lazaretto.dev/mcp. Add it to any MCP client
that supports remote (Streamable HTTP) servers. Nothing to install, no local
process.
{
"mcpServers": {
"lazaretto": {
"url": "https://lazaretto.dev/mcp",
"headers": {
"X-API-Key": "your-prepaid-key (optional; known_bad_lookup is free)"
}
}
}
}
known_bad_lookup works with no key. scan_artifact needs credits: buy a bundle
at https://lazaretto.dev/#pricing (an agent can also do this itself over x402 at
POST https://lazaretto.dev/v1/credits/topup).
If you would rather run it locally over stdio instead of the hosted URL:
git clone https://github.com/jamesdfinance-dev/lazaretto-mcp
cd lazaretto-mcp && npm install
LAZARETTO_API_KEY=your-key node index.mjs
LAZARETTO_BASE_URL overrides the API host (default https://lazaretto.dev).
MIT. The Lazaretto service and its detection engine are separate and proprietary.
Be the first to review this server!
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.
by Microsoft · Content & Media
Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption