MCPSafe.io

Security checks for MCP servers — public packages and private repos, fast or deep.


© 2026 MCPSafe. All rights reserved.

Threat Coverage

MCP Top 10 coverage matrix.

How our detection rules map to each risk in the MCP Top 10. A risk is covered once at least one rule is live; partial means rules are in review.

Legend: Covered / Partial / No rules

Official MCP Spec Coverage

Source: modelcontextprotocol.io

The six threat categories from the official Model Context Protocol security best practices, mapped 1:1 to the MCPSafe rules that cover them. ✅ covered, ⚠️ in review, ❌ missing.

Token Passthrough: ✅ covered
  • MCP-265 token-passthrough
Confused Deputy: ✅ covered
  • MCP-260 confused-deputy-no-per-client-consent
  • MCP-261 redirect-uri-non-exact-match
  • MCP-262 oauth-state-missing-or-late
  • MCP-263 consent-cookie-weak
  • MCP-264 consent-ui-clickjackable
Server-Side Request Forgery: ✅ covered
  • MCP-060 ssrf-oauth-metadata
Session Hijacking: ✅ covered
  • MCP-266 session-not-bound-to-user
  • MCP-267 predictable-session-id
Local MCP Server Compromise: ✅ covered
  • MCP-268 local-http-transport-no-auth
Scope Minimization: ✅ covered
  • MCP-269 wildcard-oauth-scopes
MCP Top 10

R1 Tool Abuse
Tools used beyond their declared intent or scope
Status: Covered
Rules: MCP-002, MCP-010, MCP-046, MCP-084, MCP-206, MCP-211, MCP-252

R2 Prompt Injection
Untrusted input redirecting agent behaviour
Status: Covered
Rules: MCP-002, MCP-003, MCP-010, MCP-060, MCP-062, MCP-081, MCP-083, MCP-085, MCP-212, MCP-250, MCP-275, MCP-276

R3 Insufficient Access Control
Missing auth, wildcard permissions, or over-privileged roles
Status: Covered
Rules: MCP-045, MCP-047, MCP-050, MCP-052, MCP-082, MCP-120, MCP-203, MCP-204, MCP-208, MCP-209, MCP-213, MCP-217, MCP-230, MCP-231, MCP-233, MCP-234, MCP-235, MCP-260, MCP-261, MCP-262, MCP-263, MCP-264, MCP-265, MCP-266, MCP-267, MCP-268, MCP-269, MCP-273, MCP-274, MCP-277, MCP-278, MCP-279, MCP-280, MCP-282

R4 LLM Prompt Manipulation
Injecting instructions into inner-LLM system prompts
Status: Covered
Rules: MCP-046, MCP-048, MCP-061, MCP-080, MCP-093, MCP-095, MCP-096, MCP-205, MCP-214, MCP-223, MCP-270, MCP-271, MCP-272

R5 Data Exfiltration
Sensitive data leaking through tool responses or logs
Status: Covered
Rules: MCP-003, MCP-005, MCP-060, MCP-062, MCP-070, MCP-071, MCP-212, MCP-220, MCP-221, MCP-222, MCP-275

R6 Resource Exhaustion
Unbounded operations causing denial of service
Status: Covered
Rules: MCP-110, MCP-276, MCP-281

R7 Insecure Defaults
Dangerous configuration shipped as the default
Status: Covered
Rules: MCP-272

R8 Supply-Chain Compromise
Malicious code introduced via dependencies or install hooks
Status: Covered
Rules: MCP-072, MCP-073, MCP-094, MCP-095, MCP-100, MCP-207, MCP-215, MCP-240

R9 Secrets Exposure
Credentials or keys stored or transmitted in plaintext
Status: Covered
Rules: MCP-030, MCP-202, MCP-210, MCP-232, MCP-251

R10 Destructive Actions
Irreversible operations without confirmation or annotation
Status: Covered
Rules: MCP-005, MCP-051, MCP-070, MCP-200, MCP-201, MCP-283, MCP-284, MCP-285

Rule statuses update on every build from the live rules catalog. Rules in review do not yet affect user-visible scan results.