MCP Scorecard MCP server security scorecard

Should you connect
that MCP server?

Paste a server. Get a grade against a published security policy — provenance, capabilities, transport, known vulnerabilities, and tool-poisoning patterns. Every check is open source.

try: @modelcontextprotocol/server-filesystem

CheckPolicyMethod
Provenance§1Official registry listing, repo health, package ↔ repo consistency, provenance attestation
Capabilities§2Tool surface via tools/list or static source scan — never executed. Shell, filesystem, egress, and credential access flagged
Transport & auth§3HTTPS, auth required, OAuth 2.1 resource metadata (June 2025 spec)
Vulnerabilities§4OSV.dev advisory lookup
Description integrity§5Hidden instructions, zero-width characters, cross-tool shadowing; schema-change (rug-pull) detection across scans