MCPSafe.io
Security checks for MCP servers — public packages and private repos, fast or deep.

© 2026 MCPSafe. All rights reserved.
Quickstart

Scan your first MCP server in under 60 seconds.

Get a full security report in under 60 seconds — no account required.

1. Paste a package or URL

Go to mcpsafe.io/scan and paste any of the following:

  • An npm package: @modelcontextprotocol/server-github
  • A PyPI package: pypi:mcp-server-fetch
  • A GitHub URL: github.com/modelcontextprotocol/servers
  • A Docker image: docker:mcp/fetch
  • An MCP registry ID: io.github.punkpeye/fastmcp

Full input reference: Getting Started — Input formats.

2. Pick a scan mode

| Mode | Default | Runtime | What runs |
|------|---------|---------|-----------|
| Fast | ✓ | ≤ 20 min (p95 target < 3 min) | T1 rules — static + manifest + supply-chain |
| Deep | | ≤ 30 min (p95 target < 20 min) | T1 + T2 rules + LLM judge panel (5 models) |

Packages that already have cached results return instantly regardless of the mode you pick; the cache hit is shown in the report header.

3. Read the report

The report includes:

  • AIVSS score (0–100) with letter grade A–F
  • Severity distribution — Critical / High / Medium / Low counts
  • Per-tool heatmap — which MCP tools have issues
  • Finding cards — each vulnerability with rule ID, evidence, and remediation
  • Judge panel (deep scans) — per-model verdicts with disagreements visible
  • Embed snippet — copy-paste SVG badge for READMEs

Cache hits

If a package was recently scanned, results are returned instantly from cache. The cached date is shown in the report header.

Use the API

For CI/CD integration, use the REST API directly:

# Start a scan
curl -X POST https://api.mcpsafe.io/scan \
  -H "Content-Type: application/json" \
  -d '{"input": "@modelcontextprotocol/server-github", "mode": "fast"}'

# Response
# {"success": true, "data": {"scan_id": "...", "canonical_id": "..."}}

# Poll for results
curl https://api.mcpsafe.io/scan/{scan_id}

See the full API reference for streaming, authentication, and per-key rate limits.
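The same two calls, wrapped into the submit-then-poll loop a CI job needs, with the Critical/High counts from the report turned into a pass/fail decision. This is an added example, not MCPSafe's own client or SDK: only `POST /scan`, `GET /scan/{scan_id}` and the `{"success": true, "data": {"scan_id": ...}}` envelope come from the page. The `status`, `severity_counts` and `canonical_id`-style fields inside `data` that the code reads for the finished report are assumed placeholders; take the real names from the API reference. The transport is injectable so the logic can be exercised against a constructed fake response without network access.

```python
"""Submit an MCPSafe scan, poll until it finishes, and gate a CI job on the result.

Added example, not MCPSafe's own code. Documented on the page: POST /scan with
{"input", "mode"}, the {"success", "data": {"scan_id"}} envelope, and GET /scan/{id}.
ASSUMED (placeholders, verify against the API reference): data.status taking
"completed"/"failed", and data.severity_counts with critical/high/medium/low keys.
"""
import json
import sys
import time
import urllib.request

API_BASE = "https://api.mcpsafe.io"


def http_json(method, url, body=None):
    """Minimal JSON-over-HTTPS transport using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def start_scan(package, mode="fast", transport=http_json):
    """POST /scan; return the scan_id from the documented response envelope."""
    resp = transport("POST", f"{API_BASE}/scan", {"input": package, "mode": mode})
    if not resp.get("success"):
        raise RuntimeError(f"scan request rejected: {resp}")
    return resp["data"]["scan_id"]


def poll_scan(scan_id, transport=http_json, interval=5, max_polls=360, sleep=time.sleep):
    """GET /scan/{scan_id} until the report is done.

    Deep scans may take up to 30 min, so 360 polls x 5 s covers the documented ceiling.
    The completion signal (data.status) is an ASSUMED field name.
    """
    for _ in range(max_polls):
        data = transport("GET", f"{API_BASE}/scan/{scan_id}").get("data", {})
        status = data.get("status")
        if status == "completed":
            return data
        if status == "failed":
            raise RuntimeError(f"scan {scan_id} failed: {data}")
        sleep(interval)
    raise TimeoutError(f"scan {scan_id} still running after {max_polls} polls")


def gate(report, max_critical=0, max_high=0):
    """Return (passed, reasons). Counts come from the report's severity distribution;
    the 'severity_counts' key and its lowercase level names are ASSUMED."""
    counts = report.get("severity_counts", {})
    reasons = []
    for level, limit in (("critical", max_critical), ("high", max_high)):
        n = int(counts.get(level, 0))
        if n > limit:
            reasons.append(f"{n} {level} finding(s) exceed the limit of {limit}")
    return (not reasons, reasons)


def scan_and_gate(package, mode="fast", transport=http_json, sleep=time.sleep, **limits):
    """End-to-end: submit, wait, decide. Returns (scan_id, passed, reasons)."""
    scan_id = start_scan(package, mode, transport)
    report = poll_scan(scan_id, transport, sleep=sleep)
    passed, reasons = gate(report, **limits)
    return scan_id, passed, reasons


if __name__ == "__main__":
    # Usage: python mcpsafe_gate.py @modelcontextprotocol/server-github [fast|deep]
    pkg = sys.argv[1]
    scan_mode = sys.argv[2] if len(sys.argv) > 2 else "fast"
    sid, ok, why = scan_and_gate(pkg, scan_mode)
    print(f"scan {sid}: {'PASS' if ok else 'FAIL'}")
    for r in why:
        print(f"  - {r}")
    sys.exit(0 if ok else 1)
```

A non-zero exit code is what lets a pipeline step block the merge; the thresholds default to zero Critical and zero High findings, which is the usual starting policy before a team decides how much Medium noise it is willing to accept.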

Share results

Every scan result has a permanent shareable URL and an embeddable SVG badge:

![MCPSafe](https://api.mcpsafe.io/api/badge/{scan_id})

Next steps

  • GitHub Actions integration — block merges on failing scans
  • API reference — full endpoint documentation
  • AIVSS concepts — understand the scoring model