Registry Threats Methodology Docs Pricing Scan Sign in

Scan an MCP server

Vet a package before you install it — reads the source (GitHub, npm, PyPI, Docker), no running server needed. Free, no sign-in.

TargetAccepts: GitHub URL, npm package, PyPI package, Docker image (docker:image), or MCP registry ID.

Try one

Visibility

Public packagePrivate repo(sign in required)

Scan depth

Fast scanStatic analysis + CVE lookup. Typically 1–3 minDeep scanFast scan + 5-LLM consensus panel. Up to 20 min(sign in required)Sign in

Probe a server you operate after it’s live — auth, transport security, OAuth metadata, schema risk. Sign in required.

Dynamic scanning requires a free account.

Dynamic scans connect to your running MCP server and probe it live — checking authentication, tool descriptions, transport security, and 40+ protocol-level rules that static analysis can't catch.

Free. We never store your server's credentials. Acceptable Use Policy

Learn how scanning works See all detection rules Acceptable Use Policy

MCPSafe.io

Security checks for MCP servers — public packages and private repos, fast or deep.

Legal

Privacy Policy Cookie Policy Terms of ServiceSecurity disclosure

Resources

State of MCP Security Support System statusMade in Germany 🇩🇪

© 2026 MCPSafe. All rights reserved.

GDPR — Privacy Policy