Yes, Agentscore is free to use.

How do I install Agentscore?

Agentscore is a local plugin. Install it using npm package: @agentscore-xyz/mcp-server and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What AI apps work with Agentscore?

Agentscore uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Agentscore MCP Server

by Thezenmonster

Developer ToolsModerate5.3MCP RegistryLocal

Free

Server data from the Official MCP Registry

MCP security trust layer: scan packages, inspect repos, check exposure, monitor changes.

About

MCP security trust layer: scan packages, inspect repos, check exposure, monitor changes.

Security Report

5.3

Moderate5.3Moderate Risk

This is a well-designed MCP security auditing tool with clean architecture and appropriate permissions. The server calls the AgentScore API to scan npm packages and inspect repositories for MCP dependencies. No authentication is required (zero-config as advertised), file I/O is scoped to repository inspection, and network access is limited to the AgentScore API. Minor code quality improvements suggested around error handling and input validation, but no security vulnerabilities detected. Supply chain analysis found 3 known vulnerabilities in dependencies (0 critical, 2 high severity). Package verification found 1 issue.

6 files analyzed · 9 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

File System Read

Reads files on your machine. Normal for tools that analyze or process local data.

File System Write

Writes or modifies files on your machine. Check that this is expected for the tool.

HTTP Network Access

Connects to external APIs or services over the internet.

env_vars

Check that this permission is expected for this type of plugin.

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-thezenmonster-agentscore": {
      "args": [
        "-y",
        "@agentscore-xyz/mcp-server"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

@agentscore-xyz/mcp-server

MCP security trust layer. Scan packages, get trust verdicts, inspect repo-wide MCP dependencies, generate Policy Gate setup, install the CI workflow directly, check incident exposure, and query the abuse database. Eight tools for MCP security decisions. No API key, zero config.

Scan any MCP package for security issues: agentscores.xyz

Quick Start

Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "agentscore": {
      "command": "npx",
      "args": ["-y", "@agentscore-xyz/mcp-server"]
    }
  }
}

Cursor / Any MCP Client

npx @agentscore-xyz/mcp-server

What This Does

Your AI can now make security decisions about MCP packages:

You: "Is exa-mcp-server safe to install?"

Claude: calls get_verdict "Verdict: ALLOW. Score 90/100, LOW risk. No provenance attestations (published by personal account). 9 tools exposed including web_search_exa and crawling_exa."

You: "The axios package was compromised. Which MCP servers are affected?"

Claude: calls check_exposure "Multiple monitored MCP servers depend on axios, including exa-mcp-server, tavily-mcp, and figma-mcp."

You: "Scan @azure-devops/mcp for security issues"

Claude: calls scan_package "Score 75/100, MODERATE risk. Found: preinstall script modifying npm registry config. No provenance attestations."

You: "Check this repo for MCP dependencies"

Claude: calls check_my_repo "MCP dependencies found: 5. Two are warnings. Run generate_policy_gate_setup to turn these checks into a CI gate."

You: "Set up AgentScore Policy Gate for this repo"

Claude: calls install_policy_gate "The workflow file is written to .github/workflows/agentscore-policy-gate.yml. Commit and push. GitHub OIDC will auto-provision the repo on first run."

Available Tools

Tool	What it does
`scan_package`	Full security scan: install scripts, prompt injection, source code patterns, provenance posture, MCP tool extraction
`get_verdict`	Trust decision: allow, warn, or block based on scan findings. Also reports monitoring status and publisher posture.
`check_my_repo`	Inspect the current repo for MCP dependencies and summarise verdicts for every package detected locally.
`generate_policy_gate_setup`	Generate the exact OIDC-based GitHub Actions workflow needed to enforce Policy Gate in CI.
`install_policy_gate`	Write `.github/workflows/agentscore-policy-gate.yml` directly into the repo so the gate is ready to commit.
`check_exposure`	Incident response: which monitored MCP servers depend on a given package?
`check_abuse`	Query the KYA abuse database for reported packages or agents
`monitor_status`	Check if a package is under continuous monitoring and get scan history

From Ad-Hoc Scans To CI Enforcement

The MCP server now bridges one-off package checks into the sticky product:

Run check_my_repo to see every MCP package used in a repo.
Run generate_policy_gate_setup to preview the OIDC-based GitHub Actions workflow.
Run install_policy_gate to write the workflow file directly into the repo.
Commit and push. The first run auto-provisions through GitHub OIDC.

That turns "is this package safe?" into "this repo now enforces MCP dependency policy on every PR."

Risk Levels

Score	Risk	Meaning
85-100	LOW	Clean or minor issues only
70-84	MODERATE	Some findings, review recommended
50-69	ELEVATED	Significant findings, use with caution
30-49	HIGH	Serious issues, not recommended
0-29	CRITICAL	Do not use

What the Scanner Checks

Install scripts (postinstall/preinstall hooks with network calls or code execution)
Prompt injection patterns in package metadata
Suspicious URLs (sketchy TLDs, ngrok, raw IPs)
Source code patterns (command injection, unsafe eval, hardcoded secrets)
Publisher provenance (trusted publishing, attestations)
Dependency count and metadata completeness
MCP tool definitions extracted from published source

Monitoring

AgentScore continuously monitors hundreds of MCP packages. The check_exposure and monitor_status tools use this live dataset. When a package like axios gets compromised, you can instantly find which MCP servers are affected.

Licence

MIT

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Fetch

Free

by Modelcontextprotocol · Developer Tools

Web content fetching and conversion for efficient LLM usage

Git

Free

by Modelcontextprotocol · Developer Tools

Read, search, and manipulate Git repositories programmatically

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

Agentscore MCP Server

About

Security Report

Findings (9)Action required

Permissions Required

How to Install

Documentation

@agentscore-xyz/mcp-server

Quick Start

Claude Desktop

Cursor / Any MCP Client

What This Does

Available Tools

From Ad-Hoc Scans To CI Enforcement

Risk Levels

What the Scanner Checks

Monitoring

Links

Licence

Reviews

No reviews yet

More Developer Tools MCP Servers

Fetch

Git

Toleno

mcp-creator-python

MarkItDown

FinAgent