⌘K

Getting Started

MCPSafe scans MCP servers for security vulnerabilities — free, no account needed.

MCPSafe is a security scanner for Model Context Protocol (MCP) servers. Paste a package name, GitHub URL, or registry ID and get a full security report in seconds.

What MCPSafe checks

Coverage spans the MCP Top-10 risks, including:

Category	What it finds
Destructive tools	Mutating tool handlers without `elicit()`, `dry_run`, or confirmation flags
Secret exfiltration	Env vars, KMS plaintext, or OAuth tokens reaching response/log sinks
Permissions	IAM wildcards, OAuth over-scoping, and unused-scope detection
Prompt injection	User-controlled input flowing into inner-LLM SYSTEM messages
Schema risk	Overbroad string schemas on `command`/`query`/`url`/`code` fields
Supply chain	Typosquat package names, install-time remote-exec hooks, plaintext secrets in `.env`, container running as root
Known CVEs	NVD / GHSA matches against the resolved version

The live rule list is at /threats/coverage.

Scan modes

Mode	Typical runtime	Includes
Fast	≤ 20 min (target p95 < 3 min)	Static + manifest + supply-chain checks
Deep	≤ 30 min (target p95 < 20 min)	Everything in Fast + LLM judge panel (5 models)

Deep scans add a second-opinion model consensus on each tool handler. Model votes adjust the score; rule findings drive the verdict. See Methodology for the full breakdown.

Input formats

Paste any of the following into the scan box. The parser resolves bare names, URLs, version constraints, and official registry IDs. The full reference (with every variant) lives in Methodology — Supported targets.

npm

Input	Resolves to
`express`	latest version on npm
`@modelcontextprotocol/sdk`	scoped package, latest
`npm:fastify`	explicit prefix, latest
`npm:lodash@4.17.21`	pinned version
`https://www.npmjs.com/package/express`	npm URL, latest

PyPI

Bare names default to npm. Use the pypi: prefix or a version constraint to target PyPI.

Input	Resolves to
`pypi:requests`	latest on PyPI
`pypi:mcp`	Anthropic MCP Python SDK, latest
`requests==2.31.0`	pinned — `==` operator detected as PyPI
`mcp>=1.0.0`	range constraint, scans latest matching
`https://pypi.org/project/mcp/`	PyPI URL, latest

GitHub

Input	Resolves to
`modelcontextprotocol/servers`	HEAD of default branch
`github:modelcontextprotocol/servers`	explicit prefix, HEAD
`https://github.com/modelcontextprotocol/servers`	GitHub URL, HEAD
`https://github.com/modelcontextprotocol/servers/tree/v1.2.0`	pinned tag

Docker

Input	Resolves to
`nginx:latest`	Docker Hub image with tag
`docker:mcp/fetch`	explicit prefix, resolves `:latest`
`ghcr.io/owner/image:tag`	GitHub Container Registry
`mcr.microsoft.com/mcp-server:latest`	Microsoft Container Registry
`nginx@sha256:abc123`	pinned digest

Official MCP Registry

Reverse-domain IDs from registry.modelcontextprotocol.io. io.github.* IDs resolve to the underlying GitHub repo via the registry, pinned to the registry's current release.

Input	Resolves to
`io.github.modelcontextprotocol/servers`	repo + version from MCP registry
`ai.anthropic/claude-code`	non-GitHub registry server ID
`https://registry.modelcontextprotocol.io/servers/io.github.punkpeye/fastmcp`	full registry URL

No account needed

Public scans are free and require no sign-up. Create an account for scan history, API access, and higher rate limits.

Private scans

Scan a package or repository without publishing the result. Results stay private to your account and never appear in the public registry. Available on Developer, Team, and Business plans.

Supported targets: private GitHub repos, private npm packages, private PyPI packages, private Docker Hub images, and private GHCR images — submitted with a read-only token (Docker Hub and GHCR also need a username). Self-hosted Git providers and custom registries are on the roadmap.

Credentials are encrypted in transit and at rest, scoped to a single scan, and never logged. See Private scans for token formats per registry and the pricing page for plan details.

Free tier

Private scans require a paid plan. A signed-in free-tier user submitting a private scan gets 402 SUBSCRIPTION_REQUIRED.

Score interpretation

Every scan produces an AIVSS score (0–100) and letter grade:

Grade	Safety score	AIVSS	Meaning
A	81–100	< 2.0	Safe to use
B	61–80	2.0–3.9	Minor issues, review findings
C	31–60	4.0–6.9	Moderate risk, proceed with caution
D	11–30	7.0–8.9	High risk, significant issues found
F	0–10	≥ 9.0	Critical risk, do not use

Grade is derived from the highest individual finding's AIVSS score, not an average — see Concepts: AIVSS for the full formula.

Next steps

Quickstart — run your first scan in 60 seconds
API Reference — integrate MCPSafe into your CI/CD pipeline
Concepts: AIVSS — understand how the score is calculated
Methodology — what we check, how we score, and what we don't do

Getting Started

MCPSafe scans MCP servers for security vulnerabilities — free, no account needed.

MCPSafe is a security scanner for Model Context Protocol (MCP) servers. Paste a package name, GitHub URL, or registry ID and get a full security report in seconds.

What MCPSafe checks

Coverage spans the MCP Top-10 risks, including:

Category	What it finds
Destructive tools	Mutating tool handlers without `elicit()`, `dry_run`, or confirmation flags
Secret exfiltration	Env vars, KMS plaintext, or OAuth tokens reaching response/log sinks
Permissions	IAM wildcards, OAuth over-scoping, and unused-scope detection
Prompt injection	User-controlled input flowing into inner-LLM SYSTEM messages
Schema risk	Overbroad string schemas on `command`/`query`/`url`/`code` fields
Supply chain	Typosquat package names, install-time remote-exec hooks, plaintext secrets in `.env`, container running as root
Known CVEs	NVD / GHSA matches against the resolved version

The live rule list is at /threats/coverage.

Scan modes

Mode	Typical runtime	Includes
Fast	≤ 20 min (target p95 < 3 min)	Static + manifest + supply-chain checks
Deep	≤ 30 min (target p95 < 20 min)	Everything in Fast + LLM judge panel (5 models)

Deep scans add a second-opinion model consensus on each tool handler. Model votes adjust the score; rule findings drive the verdict. See Methodology for the full breakdown.

Input formats

npm

Input	Resolves to
`express`	latest version on npm
`@modelcontextprotocol/sdk`	scoped package, latest
`npm:fastify`	explicit prefix, latest
`npm:lodash@4.17.21`	pinned version
`https://www.npmjs.com/package/express`	npm URL, latest

PyPI

Bare names default to npm. Use the pypi: prefix or a version constraint to target PyPI.

Input	Resolves to
`pypi:requests`	latest on PyPI
`pypi:mcp`	Anthropic MCP Python SDK, latest
`requests==2.31.0`	pinned — `==` operator detected as PyPI
`mcp>=1.0.0`	range constraint, scans latest matching
`https://pypi.org/project/mcp/`	PyPI URL, latest

GitHub

Input	Resolves to
`modelcontextprotocol/servers`	HEAD of default branch
`github:modelcontextprotocol/servers`	explicit prefix, HEAD
`https://github.com/modelcontextprotocol/servers`	GitHub URL, HEAD
`https://github.com/modelcontextprotocol/servers/tree/v1.2.0`	pinned tag

Docker

Input	Resolves to
`nginx:latest`	Docker Hub image with tag
`docker:mcp/fetch`	explicit prefix, resolves `:latest`
`ghcr.io/owner/image:tag`	GitHub Container Registry
`mcr.microsoft.com/mcp-server:latest`	Microsoft Container Registry
`nginx@sha256:abc123`	pinned digest

Official MCP Registry

Reverse-domain IDs from registry.modelcontextprotocol.io. io.github.* IDs resolve to the underlying GitHub repo via the registry, pinned to the registry's current release.

Input	Resolves to
`io.github.modelcontextprotocol/servers`	repo + version from MCP registry
`ai.anthropic/claude-code`	non-GitHub registry server ID
`https://registry.modelcontextprotocol.io/servers/io.github.punkpeye/fastmcp`	full registry URL

No account needed

Public scans are free and require no sign-up. Create an account for scan history, API access, and higher rate limits.

Private scans

Scan a package or repository without publishing the result. Results stay private to your account and never appear in the public registry. Available on Developer, Team, and Business plans.

Credentials are encrypted in transit and at rest, scoped to a single scan, and never logged. See Private scans for token formats per registry and the pricing page for plan details.

Free tier

Private scans require a paid plan. A signed-in free-tier user submitting a private scan gets 402 SUBSCRIPTION_REQUIRED.

Score interpretation

Every scan produces an AIVSS score (0–100) and letter grade:

Grade	Safety score	AIVSS	Meaning
A	81–100	< 2.0	Safe to use
B	61–80	2.0–3.9	Minor issues, review findings
C	31–60	4.0–6.9	Moderate risk, proceed with caution
D	11–30	7.0–8.9	High risk, significant issues found
F	0–10	≥ 9.0	Critical risk, do not use

Grade is derived from the highest individual finding's AIVSS score, not an average — see Concepts: AIVSS for the full formula.

Next steps

Quickstart — run your first scan in 60 seconds
API Reference — integrate MCPSafe into your CI/CD pipeline
Concepts: AIVSS — understand how the score is calculated
Methodology — what we check, how we score, and what we don't do