Server data from the Official MCP Registry
Check the danger grade of any public MCP server before you connect.
Valid MCP server (1 strong, 1 medium validity signals). 1 known CVE in dependencies. Imported from the Official MCP Registry. 1 finding(s) downgraded by scanner intelligence.
6 files analyzed · 2 issues found
Add this to your MCP configuration file:

```json
{
  "mcpServers": {
    "io-github-saagpatel-mcp-trust": {
      "args": [
        "mcp-trust"
      ],
      "command": "uvx"
    }
  }
}
```

From the project's GitHub README.
Check before you connect. A neutral, public danger grade for the MCP servers your AI agents rely on.
Live: mcp-trust.vercel.app
Not yet published to PyPI. Install from source using the Quickstart below.
mcp-trust runs as a read-only MCP server so an agent can check a server's
danger grade before connecting — it serves a baked snapshot of real,
sandboxed grades, so no database or network is needed.
```bash
mcp-trust mcp-serve        # from a source/dev install (works today)
uvx mcp-trust mcp-serve    # once published to PyPI
```
| Tool | Description |
|---|---|
| list_servers | Every graded MCP server with its A-F grade, transparency, and danger score. |
| check_server | Full grade, risk dimensions, and findings for one server by slug. |
| get_methodology | How the A-F grade and transparency axis are computed, plus the honesty model. |
Connecting an MCP server hands it influence over what your agent does. Tool poisoning, prompt injection, over-broad permissions, and rug-pull tool mutations are documented attack classes -- and today there's no quick way to vet a server before you wire it in. MCP Trust Registry scans public MCP servers and gives each one a single readable danger grade (A-F), a separate transparency signal, and the findings behind them.
Think OSV.dev / Socket.dev / haveibeenpwned, scoped to MCP servers.
Requirements: uv (used for dependency management and running the project)

Pipeline: register a server -> scan via engine -> derive grade -> persist -> serve at a stable URL
The registry does not reimplement vulnerability detection. It orchestrates a
pluggable scan engine -- the shipping backend wraps the public
mcp-audits (>=2.1) package -- and owns the
catalog, the public trust-grade normalization, persistence, and the lookup API.
```bash
git clone https://github.com/saagpatel/mcp-trust.git && cd mcp-trust
uv pip install -e ".[dev]"            # core + dev deps (runs on the built-in StubEngine)
mcp-trust seed                        # load the seed catalog
mcp-trust scan mcp-reference-time     # scan a catalog server, print its grade
mcp-trust check mcp-reference-time    # look up the latest stored grade
mcp-trust serve                       # serve the API on http://127.0.0.1:8000
```
For real scanning install the engine extra and select it:
```bash
uv pip install -e ".[dev,engine]"
MCP_TRUST_ENGINE=mcpaudit mcp-trust scan mcp-reference-time
```
Scanning launches the server's process. For untrusted servers, isolate execution in a locked-down container (no network, read-only fs, dropped caps, resource limits):
```bash
MCP_TRUST_ENGINE=mcpaudit MCP_TRUST_SANDBOX=docker mcp-trust scan mcp-reference-time
```
The default is no sandbox (safe only for servers you trust).
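What "locked-down container" means in concrete `docker run` flags is not shown on this page, so the following is an added illustration, not the project's sandbox code: `MCP_TRUST_SANDBOX=docker` is the README's own switch, but the flag set below is this example's reading of "no network, read-only fs, dropped caps, resource limits". The image name and the in-container command are placeholders. It builds the argv and, separately, checks an arbitrary argv for the controls a scan of an untrusted server should never run without.

```python
"""Argv builder and hardening checker for a docker sandbox around a scan.

Added illustration, not the project's code. IMAGE is a placeholder; the
flags are this example's mapping of the README's four requirements.
"""
import shlex

IMAGE = "mcp-trust-scan:local"  # placeholder image name (assumption)

# Control name -> the exact argv token sequence that proves it is present.
REQUIRED_CONTROLS = {
    "no network": ("--network", "none"),
    "read-only root fs": ("--read-only",),
    "drop all capabilities": ("--cap-drop", "ALL"),
    "no new privileges": ("--security-opt", "no-new-privileges"),
    "memory limit": ("--memory",),
    "pid limit": ("--pids-limit",),
}


def sandbox_argv(server_cmd, *, memory="512m", pids=128, cpus="1.0"):
    """Return the argv that launches server_cmd inside the locked-down container."""
    return [
        "docker", "run", "--rm", "--interactive",       # stdio transport needs stdin
        "--network", "none",                            # the server cannot phone home
        "--read-only",                                  # immutable root filesystem
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",    # scratch space, nothing executable
        "--cap-drop", "ALL",                            # no Linux capabilities at all
        "--security-opt", "no-new-privileges",          # setuid binaries cannot escalate
        "--user", "65534:65534",                        # unprivileged nobody uid/gid
        "--memory", memory,                             # resource limits: RAM,
        "--pids-limit", str(pids),                      # process count (fork bombs),
        "--cpus", cpus,                                 # and CPU share
        IMAGE, *server_cmd,
    ]


def missing_controls(argv):
    """Names of REQUIRED_CONTROLS absent from argv; an empty list means hardened."""
    missing = []
    for name, seq in REQUIRED_CONTROLS.items():
        n = len(seq)
        present = any(tuple(argv[i:i + n]) == seq for i in range(len(argv) - n + 1))
        if not present:
            missing.append(name)
    return missing


def render(argv):
    """Shell-quoted form for logging the exact command a scan receipt ran."""
    return shlex.join(argv)


if __name__ == "__main__":
    cmd = sandbox_argv(["uvx", "mcp-server-time"])  # constructed server command
    print(render(cmd))
    print("missing:", missing_controls(cmd))
```

`missing_controls` is the useful half for a scan pipeline: run it over whatever argv the sandbox layer actually produced and refuse to start the scan if the list is non-empty, so a configuration regression fails closed instead of silently running an untrusted server on the host.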
| Method | Path | Purpose |
|---|---|---|
| GET | / | web -- public catalog page (grade + transparency per server) |
| GET | /ui/servers/{slug} | web -- server detail page + README badge-embed snippet |
| GET | /healthz | liveness |
| GET | /servers | catalog + latest grade per server (JSON) |
| GET | /servers/{slug} | full latest scan record + metadata (JSON) |
| POST | /servers/{slug}/scan | operator scan trigger; public deployments disable this route |
| GET | /servers/{slug}/badge.json | shields.io-compatible README badge |
Every server has two orthogonal signals: a danger grade (A-F) and a transparency level (high/medium/low, from annotation coverage). Automated grades are not endorsements, certifications, or claims that a server is malicious. A low grade on a low-transparency server means "cannot verify safe," not "known dangerous."
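The two-signal model above is easy to misread from the agent side (a D on a low-transparency server is not the same evidence as a D on a high-transparency one), so here is an added example of how a consumer could turn a `check_server` result into a connect/review/block decision. This is illustration code, not part of mcp-trust; the record layout (`grade`, `transparency`, `provenance`, `findings`) and the sample records are constructed assumptions standing in for the real tool output, whose field names the README does not list.

```python
"""Agent-side connect gate over a check_server-style record.

Added illustration, not mcp-trust code. Field names and SAMPLE_RECORDS are
assumptions; the decision rules encode the README's reading of the two signals.
"""
from dataclasses import dataclass

GRADE_RANK = {"A": 5, "B": 4, "C": 3, "D": 2, "F": 1}

# Constructed sample records (not real scan data).
SAMPLE_RECORDS = {
    "good-high": {"grade": "A", "transparency": "high", "provenance": "real", "findings": []},
    "low-high": {"grade": "F", "transparency": "high", "provenance": "real",
                 "findings": [{"severity": "high", "title": "tool description carries model instructions"}]},
    "low-low": {"grade": "D", "transparency": "low", "provenance": "real", "findings": []},
    "demo-only": {"grade": "A", "transparency": "high", "provenance": "stub", "findings": []},
    "never-scanned": {"grade": None, "transparency": None, "provenance": "unscanned", "findings": []},
}


@dataclass(frozen=True)
class Decision:
    action: str   # "connect" | "review" | "block"
    reason: str


def gate(record, min_grade="B"):
    """Map one record to a Decision.

    Provenance is checked first so demo/stub or missing data can never be read
    as a real grade, mirroring the README's provenance labelling.
    """
    provenance = record.get("provenance")
    grade = record.get("grade")
    if provenance != "real" or grade not in GRADE_RANK:
        return Decision("review", f"no real grade (provenance={provenance!r})")
    passes = GRADE_RANK[grade] >= GRADE_RANK[min_grade]
    transparency = record.get("transparency")
    if passes and transparency == "high":
        return Decision("connect", f"grade {grade} with high transparency")
    if passes:
        # A passing grade with thin annotation coverage is weak evidence; a human should look.
        return Decision("review", f"grade {grade} but transparency is {transparency}")
    if transparency == "high":
        # Low grade backed by full coverage: the findings are verified, so a strict policy blocks.
        n = len(record.get("findings", []))
        return Decision("block", f"grade {grade} with {n} verified finding(s)")
    # Low grade on a low-transparency server means "cannot verify safe", not "known dangerous".
    return Decision("review", f"grade {grade} cannot be verified (transparency={transparency})")


def triage(records):
    """slug -> action for a batch of records, e.g. the output of list_servers."""
    return {slug: gate(rec).action for slug, rec in records.items()}


if __name__ == "__main__":
    for slug, rec in SAMPLE_RECORDS.items():
        d = gate(rec)
        print(f"{slug:14} {d.action:8} {d.reason}")
```

The point of the ordering is that an unscanned or stub-labelled server never reaches the grade comparison at all, and that "block" is reserved for the one combination where the findings are actually verified; everything ambiguous lands in "review" rather than being auto-connected or auto-rejected.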
HTTP scan triggering is fail-closed by default. Public deployments should set
MCP_TRUST_PUBLIC_READONLY=1, which makes POST /servers/{slug}/scan return
403 before any engine can run. Operator scans should normally run through the
CLI against the persistent registry DB, not through public traffic.
For local API demos with the deterministic StubEngine, set
MCP_TRUST_ALLOW_UNAUTHENTICATED_STUB_SCANS=1. Do not set that in public.
Token-gated API scan triggering is still available for private operator surfaces
by setting MCP_TRUST_SCAN_TOKEN and passing it as Authorization: Bearer <token> or X-MCP-Trust-Scan-Token.
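The three switches above interact, and the safe precedence is the part worth testing: read-only must win even over a valid token, and the stub-scan opt-in must never unlock a real engine. The following is an added illustration, not the project's route handler: it folds the rules into one pure function. The 403 for the read-only case is the README's; the 401 for a missing or wrong token, the case-insensitive header handling, and the rule ordering are this example's assumptions.

```python
"""Fail-closed decision for POST /servers/{slug}/scan.

Added illustration, not mcp-trust's handler. Env var names and header names
are the README's; status codes other than the read-only 403 are assumptions.
"""
import hmac


def presented_token(headers):
    """Extract the operator token from either header form the README names."""
    h = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive
    auth = h.get("authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    return h.get("x-mcp-trust-scan-token")


def scan_trigger_decision(env, headers, engine="stub"):
    """Return (status, reason). Anything not explicitly allowed is 403."""
    # 1. Public read-only is evaluated first: no engine may run, whatever credentials arrive.
    if env.get("MCP_TRUST_PUBLIC_READONLY") == "1":
        return 403, "public deployment is read-only"
    # 2. Token-gated operator surface; constant-time compare avoids a timing side channel.
    expected = env.get("MCP_TRUST_SCAN_TOKEN")
    if expected:
        got = presented_token(headers)
        if got is not None and hmac.compare_digest(got.encode(), expected.encode()):
            return 200, "operator token accepted"
        return 401, "scan token missing or invalid"
    # 3. Unauthenticated scans only for the deterministic StubEngine, and only when opted in.
    if engine == "stub" and env.get("MCP_TRUST_ALLOW_UNAUTHENTICATED_STUB_SCANS") == "1":
        return 200, "unauthenticated stub scan (local demo only)"
    # 4. Default: fail closed.
    return 403, "scan triggering disabled"


if __name__ == "__main__":
    print(scan_trigger_decision({}, {}))
    print(scan_trigger_decision({"MCP_TRUST_SCAN_TOKEN": "s3cret"},
                                {"Authorization": "Bearer s3cret"}, engine="mcpaudit"))
```

Keeping the decision in a pure function means the precedence can be pinned by unit tests in the project's own suite, so a later change to the route cannot quietly let `MCP_TRUST_ALLOW_UNAUTHENTICATED_STUB_SCANS` reach a real engine or let a token bypass read-only mode.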
Set MCP_TRUST_RECEIPTS_DIR=/data/mcp-trust/receipts during real scan runs to
archive a JSON receipt for each scan and store its portable artifact filename in
report_ref.
Live at mcp-trust.vercel.app as a statically
generated catalog, regenerated from the local registry. The seven official
reference MCP servers carry real mcp-audits grades from network-off Docker
sandbox scans (distribution A/B/B/C/D/F/F). Every grade is labeled by
provenance, so demo/stub data can never read as a real scan, and an unscanned
server never shows a letter grade.
The static front door is the low-ops launch path (see
DEPLOY-VERCEL.md); a weekly launchd job under
deploy/launchd/ re-scans, rebuilds, and optionally
redeploys (deploy is opt-in). The live FastAPI service + VM path remains
documented in DEPLOY-VM.md as an alternative. See
SPEC.md for the full contract and LAUNCH-GATE.md
for launch history.
uv.lock is intentionally committed to the repository to ensure reproducible
installs across environments. When adding or updating dependencies, commit the
updated uv.lock alongside your pyproject.toml changes.
MIT