How We Score MCP Server Security: 18 Rules, Two Published Taxonomies, Zero Invented Checks
You paste an MCP server URL into a security analyzer. It spits out a number. You ask the obvious question: what does that number actually mean?
Most MCP scanners can't answer it. They run a bunch of regexes, run a bunch of LLM prompts, and produce a verdict. If you push on the verdict, you find ad-hoc heuristics with no published source and, worse, marketing claims about "AI-powered security analysis" that nobody can audit.
We built MCPBundles' analyzer the other way around. Every rule cites a published taxonomy entry. If we can't cite an entry, the rule doesn't ship. The catalog is small, deliberate, and live: www.mcpbundles.com/learn/mcp-security.
This post is the "show your work" version of that page.