Server data from the Official MCP Registry
x402-paid domain verification for AI agents — trustscore, SSL, security headers, robots.
x402-paid domain verification for AI agents — trustscore, SSL, security headers, robots.
Valid MCP server (2 strong, 4 medium validity signals). 3 known CVEs in dependencies ⚠️ Package registry links to a different repository than scanned source. Imported from the Official MCP Registry. 1 finding(s) downgraded by scanner intelligence.
7 files analyzed · 4 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: WALLET_PRIVATE_KEY
Environment variable: TRUSTSOURCE_API_URL
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-surfether-trustsource": {
"env": {
"WALLET_PRIVATE_KEY": "your-wallet-private-key-here",
"TRUSTSOURCE_API_URL": "your-trustsource-api-url-here"
},
"args": [
"-y",
"trustsource-mcp"
],
"command": "npx"
}
}
}From the project's GitHub README.
x402-powered verification APIs for AI agents — URL safety, email authentication, domain trust, SSL/TLS, security headers, robots.txt. Pay per use, no API keys, no accounts.
npm install
cp .env.example .env
Open .env and set at minimum:
PAY_TO_ADDRESS=0xYourBaseWalletAddress
Leave everything else as-is to run on Base Sepolia testnet (no real money).
npm run dev
You should see the startup banner at http://localhost:3000.
curl http://localhost:3000/
curl http://localhost:3000/health
curl http://localhost:3000/trustscore?domain=example.com
# Returns HTTP 402 with payment instructions in the PAYMENT-REQUIRED header
The x402 testnet facilitator at https://x402.org/facilitator accepts test payments.
To fully test the payment flow, use an x402 client with a funded testnet wallet.
Get Base Sepolia testnet ETH: https://sepolia.base.org/faucet
Get testnet USDC: https://faucet.circle.com (select Base Sepolia)
In .env, change:
NETWORK=eip155:8453
FACILITATOR_URL=https://api.cdp.coinbase.com/platform/v2/x402
CDP_API_KEY_ID=your-key-id
CDP_API_KEY_SECRET=your-key-secret
Make sure your PAY_TO_ADDRESS Base wallet has some ETH for gas.
Your endpoints auto-list in the Bazaar/Agentic.Market after the first paid call clears.
GET /urlcheckOne composite CLEAR / REVIEW / BLOCK safety verdict on any URL, fusing domain trust, a live TLS check, and typosquat/lookalike detection.
Payment: 0.01 USDC per call (via x402)
Params:
?url=https://example.com — URL to vet?domain=example.com — bare domain (alternative)Response:
{
"domain": "paypa1.com",
"verdict": "BLOCK",
"score": 12,
"maxScore": 100,
"reasons": ["possible lookalike of paypal.com (homoglyph_substitution, confidence 0.90)"],
"signals": {
"domainTrust": { "score": 12, "tier": "HIGH_RISK", "ageDays": 3, "newlyRegistered": true },
"tls": { "reachable": true, "valid": true, "tier": "VALID", "daysRemaining": 60 },
"typosquat": { "isLookalike": true, "nearestBrand": "paypal.com", "technique": "homoglyph_substitution", "confidence": 0.9 }
},
"meta": { "checkedAt": "...", "apiVersion": "1.0", "paidWith": "x402/USDC", "cached": false }
}
Verdicts: CLEAR (safe) · REVIEW (inspect before acting) · BLOCK (do not proceed)
GET /emailtrustEmail-authentication posture grade (SPF/DKIM/DMARC/BIMI/MX) — is this sender domain spoofable?
Payment: 0.003 USDC per call (via x402)
Params:
?domain=example.com — sender domain (or user@example.com)Response:
{
"domain": "example.com",
"grade": "C",
"score": 45,
"maxScore": 100,
"spoofable": true,
"spf": { "present": true, "qualifier": "~all", "multiple": false },
"dmarc": { "present": true, "policy": "none", "pct": 100, "rua": true },
"dkim": { "present": true, "selectorsFound": ["default"] },
"bimi": false,
"mx": ["mail.example.com"],
"issues": ["dmarc_p_none_no_enforcement"],
"meta": { "checkedAt": "...", "apiVersion": "1.0", "paidWith": "x402/USDC", "cached": false }
}
Grades: A/B = enforced, not spoofable · C/D = monitoring only, spoofable · F = no authentication
GET /trustscoreReturns a 0–100 trust score for any domain.
Payment: 0.003 USDC per call (via x402)
Params:
?domain=example.com — bare domain?url=https://example.com/some/path — full URL (domain extracted)Response:
{
"domain": "example.com",
"score": 80,
"maxScore": 100,
"tier": "TRUSTED",
"breakdown": {
"domainAge": 30,
"tld": 20,
"dnsPresence": 30,
"registrar": 20
},
"details": {
"age": { "days": 9720, "label": "established (5+ years)", "created": "...", "expires": "..." },
"tld": ".com",
"dns": { "hasARecord": true, "hasMxRecord": true, "mxRecords": ["mail.example.com"] },
"registrar": "GoDaddy"
},
"meta": {
"checkedAt": "2026-05-22T12:00:00.000Z",
"apiVersion": "1.0",
"paidWith": "x402/USDC"
}
}
Tiers:
| Score | Tier |
|---|---|
| 75–100 | TRUSTED |
| 50–74 | MODERATE |
| 25–49 | CAUTION |
| 0–24 | HIGH_RISK |
trustsource/
├── src/
│ ├── server.ts # Express app + x402 middleware, rate limiting, logging
│ ├── openapi.ts # OpenAPI 3.1 spec served at /openapi.json
│ ├── lib/
│ │ ├── net-guard.ts # Shared SSRF guard (private-IP checks, resolve + pin)
│ │ ├── domain.ts # Shared domain extraction/validation
│ │ ├── cache.ts # Shared in-memory TTL cache
│ │ ├── domain-trust.ts # Domain trust scoring (used by /trustscore + /urlcheck)
│ │ ├── tls-check.ts # TLS handshake + cert scoring (used by /sslcheck + /urlcheck)
│ │ ├── typosquat.ts # Lookalike/typosquat detection (used by /urlcheck)
│ │ └── mailauth.ts # SPF/DKIM/DMARC/BIMI/MX analysis (used by /emailtrust)
│ └── routes/
│ ├── urlcheck.ts # Composite CLEAR/REVIEW/BLOCK URL verdict
│ ├── emailtrust.ts # Email-auth posture grade
│ ├── trustscore.ts # WHOIS + DNS + TLD + registrar scoring
│ ├── sslcheck.ts # Live TLS handshake + certificate scoring
│ ├── headers.ts # HTTP security-header audit
│ └── robots.ts # robots.txt + AI-bot policy detection
├── mcp-server/ # MCP server wrapping the six APIs as tools
├── public/ # Landing page
├── .env.example
├── .env # Your config (git-ignored)
├── package.json
└── tsconfig.json
/openapi.jsontrustsource-mcp) wrapping all six APIs/safefetch — injection-safe content firewall (flagship)/phishcheck — typosquat + Certificate-Transparency detection/kyb — official-registry business-identity verificationBe the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.