MCPSafe.io
Security checks for MCP servers — public packages and private repos, fast or deep.

© 2026 MCPSafe. All rights reserved.

AIVSS Scoring

How MCPSafe calculates the AI Vulnerability Severity Score and safety grade.

AIVSS (AI Vulnerability Severity Score) is MCPSafe's scoring model for quantifying the risk of an MCP server. It adapts the CVSS framework to the specific threat model of AI tool use.

Score ranges

AIVSS     | Safety score | Grade | Meaning
< 2.0     | 81 – 100     | A     | Low risk — safe to use
2.0 – 3.9 | 61 – 80      | B     | Moderate risk — review findings
4.0 – 6.9 | 31 – 60      | C     | Elevated risk — fix before production
7.0 – 8.9 | 11 – 30      | D     | High risk — do not use
≥ 9.0     | 0 – 10       | F     | Critical risk — actively unsafe

The safety score (0–100) is 100 − (aivss_score × 10), clamped to [0, 100].
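As a minimal sketch, the score-to-grade mapping from the table above can be written out as follows (the function names are illustrative, not part of the MCPSafe API):

```python
def safety_score(aivss: float) -> int:
    """Safety score = 100 - (AIVSS x 10), clamped to [0, 100]."""
    return max(0, min(100, round(100 - aivss * 10)))

def grade(aivss: float) -> str:
    """Letter grade from the AIVSS thresholds in the table above."""
    if aivss < 2.0:
        return "A"
    if aivss < 4.0:
        return "B"
    if aivss < 7.0:
        return "C"
    if aivss < 9.0:
        return "D"
    return "F"
```

For example, an AIVSS of 8.2 maps to a safety score of 18 and grade D.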

How AIVSS is calculated

Each finding gets an individual AIVSS score based on five dimensions:

Dimension            | Description
Scope                | Does the vulnerability affect only the local tool, or can it escape to the host system or network?
Exploitability       | How easy is it to trigger — does it require crafted input, or does it fire unconditionally?
Impact               | What can an attacker accomplish — data exfiltration, code execution, credential theft?
Detection difficulty | How hard is the attack to detect at runtime?
AI amplification     | How much does AI autonomy increase risk (e.g., tool chaining, no human confirmation step)?

The package AIVSS is the maximum individual finding score, not an average — one critical finding poisons the whole package.
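A sketch of that aggregation rule — the maximum, not the mean, of per-finding scores:

```python
def package_aivss(finding_scores: list[float]) -> float:
    """Package score is the worst finding, not the average:
    one critical finding poisons the whole package."""
    return max(finding_scores, default=0.0)
```

A package with findings scored [2.1, 3.0, 8.2] gets a package AIVSS of 8.2, not the mean of roughly 4.4.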

LLM consensus layer (deep scans only)

Deep scans run a panel of 5 independent judge models against tool handlers — covering prompt-injection vectors in descriptions, ambiguous parameter names, undisclosed side effects, and over-broad permissions relative to stated purpose.

Scores are aggregated as a cross-judge median (no model can unilaterally move the score), then merged with rule-derived AIVSS. Per-judge verdicts — including disagreements — are visible on the scan report and via GET /scan/{id}/consensus.

Fast scans skip the consensus layer; rule findings drive the verdict on their own.
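The consensus aggregation described above can be sketched as follows. The cross-judge median is per the text; how the median is merged with the rule-derived AIVSS is not specified here, so taking the worse of the two is an assumption for illustration:

```python
import statistics

def consensus_aivss(judge_scores: list[float], rule_score: float) -> float:
    """Cross-judge median: no single model can unilaterally move the score.
    The merge with the rule-derived AIVSS (taking the worse of the two)
    is an illustrative assumption, not the documented merge strategy."""
    median = statistics.median(judge_scores)
    return max(median, rule_score)
```

With five judges scoring [2.0, 2.5, 3.0, 3.5, 9.9], the median is 3.0 — the one outlier judge at 9.9 cannot drag the consensus up on its own.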

Per-tool scores

The tool_scores array in the scan result gives a per-MCP-tool breakdown:

{
  "tool_name": "execute_command",
  "aivss_score": 8.2,
  "severity": "high",
  "finding_count": 3
}

This lets you identify which specific tools drive the overall score.
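For instance, a consumer of the scan result might sort tool_scores to surface the worst offenders first (the shape of the surrounding scan_result object is assumed from the field names shown above):

```python
# Hypothetical scan result; field names follow the tool_scores example above.
scan_result = {
    "tool_scores": [
        {"tool_name": "read_file", "aivss_score": 3.1,
         "severity": "medium", "finding_count": 1},
        {"tool_name": "execute_command", "aivss_score": 8.2,
         "severity": "high", "finding_count": 3},
    ]
}

# Sort tools by AIVSS, worst first, to see which drive the package grade.
worst_first = sorted(scan_result["tool_scores"],
                     key=lambda t: t["aivss_score"], reverse=True)
top_offender = worst_first[0]["tool_name"]
```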

Interpreting the grade

  • A/B: Safe for general use. Review the finding list for context.
  • C: Use with caution. At least one medium-severity finding needs attention before production.
  • D: Do not deploy. Multiple high-severity findings detected.
  • F: Block immediately. Critical vulnerabilities confirmed by rule findings (and, on deep scans, model consensus).
ℹ AIVSS vs CVSS

CVSS scores software vulnerabilities in isolation. AIVSS accounts for the AI execution context — an instruction-following agent that can chain tools, act autonomously, and process untrusted content at high speed amplifies the impact of the same vulnerability class.
