Every check we run cites a public taxonomy: mcp-scan (Invariant Labs) or SAFE-MCP (a MITRE ATT&CK-style framework for MCP). If a check has no citation, it doesn't ship. The catalog below is auditable for this reason.
Most rules run as deterministic Python over the tool metadata. The LLM judge layers on top for prompt-injection-shape detection and for context-sensitive checks like third-party origin mismatch. If the LLM judge fails or times out, the deterministic findings still ship — we never block a result on the LLM.
The analyzer reads names, descriptions, JSON Schema fields, and annotations. It never invokes a tool to find out what it does. That keeps the audit safe to run against any unverified server.
Whether you paste a URL into the public analyzer or score one of your own published servers, the rule catalog is identical. There is no privileged scoring path for partners.
Walks the tool's name, description, JSON Schema (full recursion), and annotations. Catches steganography, schema-poisoning instructions, mutating verbs flagged read-only, homoglyph names, consent-fatigue prose, and data-harvest prose.
Runs after the deterministic pass. Looks for instruction-control prose, third-party origin mismatch (server says it's Stripe but the host doesn't match), and credential-setup language directed at the user. Fails open on any error or 25-second timeout.
Compares a candidate listing to every claimed listing in our directory: host typosquats, tool-name collisions, and tool-definition drift on claimed listings. Designed; not yet shipped — we'd rather omit it than ship low-precision noise.
Rendered live from the analyzer source. Sorted by default severity, then category. Each citation links to the published entry on GitHub — read the source before you trust the score.
Analyzer: mcp-security-v1 · schema v2
E001CriticalMCPB-A002HighE002HighMCPB-I001HighSAFE-T1402HighSAFE-T1501HighSAFE-T1007MediumSAFE-T1804MediumW015MediumSAFE-T1403MediumW019MediumSAFE-T1004MediumMCPB-A001LowW020LowMITRE ATT&CK-style threat framework for MCP
A peer-reviewed taxonomy of MCP-specific adversary techniques. We cite SAFE-T1001 (instruction injection), SAFE-T1004 (third-party origin mismatch), SAFE-T1007 (credential setup), SAFE-T1402 (instruction steganography), SAFE-T1403 (consent fatigue), SAFE-T1804 (API data harvest), and a dozen more.
Static scanner from Invariant Labs
The first widely-used MCP static scanner. Its issue codes (E001 prompt injection, W001 attention-control words, W015–W020 toxic flow capabilities) define a baseline that every public scoreboard expects. We cite the same codes.
About the MCPB- rule prefix
Three rules use our internal MCPB- namespace (annotation completeness, annotation honesty, duplicate display names, homoglyph names). Every one of them still cites a SAFE-MCP technique — the prefix only signals that the published taxonomy hasn't given the specific check its own ID yet. When SAFE-MCP issues one, we adopt it.